Question

We have a demand to create a new user with the ability to SELECT only 4 specific tables. In order to do that we create the login and map it to the required db:

USE [master]
GO
CREATE LOGIN [pos] WITH PASSWORD=N'XXXX', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF
GO

USE [TARGETED_DB_NAME]
GO
CREATE USER [pos] FOR LOGIN [pos]
GO

After that, the user is able to do any DML statement, whereas he has no privileges except the public role. We checked the public role permissions, server permissions, etc., but we don't find why the user can see all the tables of the database.

The problem is not present when we create the user on another database on the same instance.

Any idea why the login pos gets such privileges?
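As an added example (not part of the question), here is the least-privilege form of the setup the question is after: the login and user are created as in the question, the four SELECT grants are collected in a database role, and the result is verified by impersonation. TARGETED_DB_NAME, the tables dbo.Table1 to dbo.Table4 and the role name pos_reader are placeholders; the script assumes SQL Server 2012 or later for ALTER ROLE ... ADD MEMBER and leaves the password policy options at their defaults.

```sql
-- Added example, not from the original question. Database, table and role
-- names are placeholders.
USE [master];
GO
CREATE LOGIN [pos]
    WITH PASSWORD = N'<strong password here>',
         DEFAULT_DATABASE = [TARGETED_DB_NAME];   -- CHECK_POLICY/CHECK_EXPIRATION left ON
GO

USE [TARGETED_DB_NAME];
GO
CREATE USER [pos] FOR LOGIN [pos];
GO

-- Grant the four SELECTs to a role rather than to the user directly, so the
-- permission set lives in one place and can be reused for the next read-only
-- account.
CREATE ROLE [pos_reader];
GO
GRANT SELECT ON OBJECT::dbo.Table1 TO [pos_reader];
GRANT SELECT ON OBJECT::dbo.Table2 TO [pos_reader];
GRANT SELECT ON OBJECT::dbo.Table3 TO [pos_reader];
GRANT SELECT ON OBJECT::dbo.Table4 TO [pos_reader];
GO
ALTER ROLE [pos_reader] ADD MEMBER [pos];
GO

-- Verify what the new user can actually do, from the user's own context.
EXECUTE AS USER = 'pos';
SELECT permission_name FROM fn_my_permissions('dbo.Table1', 'OBJECT');  -- expect SELECT only
SELECT permission_name FROM fn_my_permissions(NULL, 'DATABASE');        -- database-scope rights
REVERT;
GO
```

The two fn_my_permissions calls at the end are the check to keep: if the object-level result shows more than SELECT, or the database-scope result shows anything beyond CONNECT and what public carries by default, the extra rights came from somewhere other than this script.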


Solution

The following query helps to get insight into the permissions that a particular user has, directly or indirectly; based on the result you can analyse/identify the cause of the problem.

USE [TARGETED_DB_NAME]
GO

DECLARE @UserName varchar(100) = 'username';

-- Permissions applied to the user (directly) -------------------------------------------------------------

SELECT d.name, dp.*
FROM sys.database_permissions AS dp
        JOIN sys.database_principals AS d ON dp.grantee_principal_id = d.principal_id
WHERE d.name = (@UserName) --AND dp.state = 'D'
ORDER BY d.principal_id

-- Permissions applied to the user (indirectly, through database role membership) ---------------------------
SELECT  dm.name AS DB_UserName,
        sp.name AS LoginName,
        dr.name AS DB_RoleName,
        dp.[permission_name],
        dp.type,
        dp.state_desc
FROM sys.database_principals AS dm
        JOIN sys.database_role_members AS drm ON dm.principal_id = drm.member_principal_id
        JOIN sys.database_principals AS dr ON drm.role_principal_id = dr.principal_id
        LEFT JOIN sys.server_principals AS sp ON dm.sid = sp.sid
        LEFT JOIN sys.database_permissions AS dp ON dr.principal_id = dp.grantee_principal_id
WHERE (dm.name = @UserName OR sp.name = @UserName) --AND dr.name LIKE 'db_deny%'
GO
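The answer's second query follows explicit role membership, but membership in public is implicit and is not recorded in sys.database_role_members, and neither database ownership nor server-level rights appear in sys.database_permissions at all. The following script, an added example rather than part of the answer, checks those three sources in the affected database and then asks the engine for the effective result by impersonating the login. It assumes the login and the user are both named pos, as in the question, and that the caller is sysadmin or holds IMPERSONATE on that login.

```sql
-- Added example, not part of the answer above. Run it in the affected database.
USE [TARGETED_DB_NAME];
GO
DECLARE @UserName sysname = N'pos';   -- login name; the database user has the same name

-- 1. Who owns this database? A login that owns it is dbo inside it, whatever
--    user mapping exists.
SELECT name AS database_name, SUSER_SNAME(owner_sid) AS owner_login
FROM sys.databases
WHERE database_id = DB_ID();

-- 2. What is granted to public (inherited by every user) and to guest?
--    Look for SELECT/INSERT/UPDATE/DELETE, CONTROL or ALTER on the database,
--    on a schema, or on user tables.
SELECT pr.name AS grantee,
       dp.class_desc,
       CASE dp.class_desc
            WHEN 'OBJECT_OR_COLUMN' THEN OBJECT_SCHEMA_NAME(dp.major_id) + N'.' + OBJECT_NAME(dp.major_id)
            WHEN 'SCHEMA'           THEN SCHEMA_NAME(dp.major_id)
            ELSE DB_NAME()
       END AS securable,
       dp.permission_name,
       dp.state_desc
FROM sys.database_permissions AS dp
     JOIN sys.database_principals AS pr ON pr.principal_id = dp.grantee_principal_id
WHERE pr.name IN (N'public', N'guest')
ORDER BY pr.name, dp.class_desc, securable, dp.permission_name;

-- 3. Server level: fixed server roles and explicit server permissions of the login.
--    sysadmin membership or CONTROL SERVER overrides anything granted in the database.
SELECT sp.name AS login_name, r.name AS server_role
FROM sys.server_principals AS sp
     JOIN sys.server_role_members AS srm ON srm.member_principal_id = sp.principal_id
     JOIN sys.server_principals AS r ON r.principal_id = srm.role_principal_id
WHERE sp.name = @UserName;

SELECT sp.name AS login_name, p.permission_name, p.state_desc
FROM sys.server_permissions AS p
     JOIN sys.server_principals AS sp ON sp.principal_id = p.grantee_principal_id
WHERE sp.name = @UserName;

-- 4. The effective result, whatever its source. Impersonating the LOGIN (not
--    the USER) carries the login's server-level rights into the context, so a
--    db_user of 'dbo' here means the login owns the database or is sysadmin.
EXECUTE AS LOGIN = 'pos';
SELECT SUSER_SNAME()               AS login_name,
       USER_NAME()                 AS db_user,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;
SELECT permission_name
FROM fn_my_permissions(NULL, 'DATABASE')
ORDER BY permission_name;
REVERT;
GO
```

Step 4 is the one that explains the symptom regardless of cause: if it reports db_user = dbo, steps 1 and 3 will show why; if it reports pos but the database-scope list contains SELECT, step 2 (or the answer's own queries) will show which principal received the grant.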

Licensed under: CC-BY-SA with attribution
Not affiliated with dba.stackexchange