 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
SQL Server Forum / General / Security / August 2008How to verify whether a user has been added to a database role?
I want to validate whether a user has been added to a particular database role. I cannot use the is_member function since it only works with the current user. Try: EXEC sp_helprolemember 'role_name_here' In SQL 2005, you can also query from sys.database_role_members catalog view.  SignatureHope this helps. Dan Guzman SQL Server MVP http://weblogs.sqlteam.com/dang/ >I want to validate whether a user has been added to a particular database > role. I cannot use the is_member function since it only works with the > current user. Hi Dan, I actually have already tried them. The sp_helprolemember will require me to insert the result into a temporary table and then verify. The sys.database_role_members view will need to join with sys.database_principals view. I wonder why there is no built-in security function for such basic operation. > Try: > [quoted text clipped - 5 lines] > > role. I cannot use the is_member function since it only works with the > > current user. > I actually have already tried them. The sp_helprolemember will require > me [quoted text clipped - 3 lines] > security > function for such basic operation. If you are going to use a query rather than SSMS GUI, I don't see why the join is a big deal. In any case, you can avoid the JOIN by using other security functions: SELECT USER_NAME(rm.member_principal_id) AS UserName, USER_NAME(rm.role_principal_id) AS RoleName FROM sys.database_role_members rm WHERE rm.member_principal_id = USER_ID('some_user') AND rm.role_principal_id = USER_ID('some_role') SignatureHope this helps. Dan Guzman SQL Server MVP http://weblogs.sqlteam.com/dang/ Hi Dan, I just realize that using those views are more complicated since the user and the desired role may be related thru a hierarchy not a direct relationship. > Try: > [quoted text clipped - 5 lines] > > role. I cannot use the is_member function since it only works with the > > current user. Hi, Peter. > I just realize that using those views are more complicated since the user > and the desired role may be related thru a hierarchy not a direct > relationship. The CTE below ought to identify indirect membership: WITH role_hierarchy AS ( SELECT rm.member_principal_id, rm.role_principal_id FROM sys.database_role_members rm WHERE rm.role_principal_id = USER_ID('role_name') UNION ALL SELECT rm.member_principal_id, rm.role_principal_id FROM sys.database_role_members rm JOIN role_hierarchy rh ON rh.member_principal_id = rm.role_principal_id ) SELECT 'is a member' FROM role_hierarchy rh WHERE USER_NAME(rh.member_principal_id) = 'user_name'; SignatureHope this helps. Dan Guzman SQL Server MVP http://weblogs.sqlteam.com/dang/ Thanks Dan. Will try it. > Hi, Peter. > [quoted text clipped - 23 lines] > SELECT 'is a member' FROM role_hierarchy rh > WHERE USER_NAME(rh.member_principal_id) = 'user_name'; Hi Dan, The CTE works. I have never used CTE before. I create the following user function temporarily to see how I can use the CTE in a function. I just have the parameter for the user but will add the parameter for the role later. Does it look like the correct way to implement the function with the CTE? Thanks. CREATE function [dbo].[check_role](@user varchar(100)) returns bit as begin declare @bexist bit select @bexist = 0; WITH role_hierarchy AS ( SELECT rm.member_principal_id, rm.role_principal_id FROM sys.database_role_members rm WHERE rm.role_principal_id = USER_ID('SQLAgentUserRole') UNION ALL SELECT rm.member_principal_id, rm.role_principal_id FROM sys.database_role_members rm JOIN role_hierarchy rh ON rh.member_principal_id = rm.role_principal_id ) SELECT @bexist = 1 FROM role_hierarchy rh WHERE USER_NAME(rh.member_principal_id) = @user return @bexist end > Hi, Peter. > [quoted text clipped - 23 lines] > SELECT 'is a member' FROM role_hierarchy rh > WHERE USER_NAME(rh.member_principal_id) = 'user_name'; > Does it look like the correct way to implement the function with the CTE? Yes, I think your function will return the desired result. SignatureHope this helps. Dan Guzman SQL Server MVP http://weblogs.sqlteam.com/dang/ > Hi Dan, > [quoted text clipped - 61 lines] >> SELECT 'is a member' FROM role_hierarchy rh >> WHERE USER_NAME(rh.member_principal_id) = 'user_name'; > I want to validate whether a user has been added to a particular database > role. I cannot use the is_member function since it only works with the > current user. In additions to Dan's suggestion, you can: EXECUTE AS LOGIN = 'thatuser' go SELECT is_member('somerole') go REVERT I think this is better than running queries as Dan suggested, particularly in the case that user may be have role membership through a Windows domain. If you think that there should be a function to retrieve permissions or role membership with going through impersonation - which is impractical if you want to check a suite of users - submit a suggestion on http://connect.microsoft.com/SqlServer/Feedback. (I wouldn't be surprised if there is such a suggestion already.) SignatureErland Sommarskog, SQL Server MVP, esquel@sommarskog.se Links for SQL Server Books Online: SQL 2008: http://msdn.microsoft.com/en-us/sqlserver/cc514207.aspx SQL 2005: http://msdn.microsoft.com/en-us/sqlserver/bb895970.aspx SQL 2000: http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx |
Reply to this Message |
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2008 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.