SQL server login get unwanted high privileges on a db when created
-
07-02-2021 - |
Pergunta
We have a demand to create a new user with the ability to SELECT only 4 specific tables. In order to do that we create the login and map it to the requiered db :
USE [master]
GO
CREATE LOGIN [pos] WITH PASSWORD=N'XXXX', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF
GO
USE [TARGETED_DB_NAME]
GO
CREATE USER [pos] FOR LOGIN [pos]
GO
After that, the user is able to do Any DML statement, whereas he has no privileges except the public role. We checked the public role permissions, server permissions etc but we don't find why the user can see all the tables of the database.
The problem is not present when we create the user on another database on the same instance.
Any idea why the login pos get such privileges ?
Solução
Following query would help to get insight of permissions that particular user got Directly or Indirectly, based on result you can analyse/identity what is the cause of problem.
USE [TARGETED_DB_NAME]
GO
Declare @UserName varchar (100) = 'username';
-- Permission applied to user (directly) -------------------------------------------------------------
select d.name, dp.*
from sys.database_permissions as dp
join sys.database_principals as d on dp.grantee_principal_id = d.principal_id
where d.name = (@UserName) --and dp.state = 'D'
order by d.principal_id
-- Permission applied to user (indirectly) -------------------------------------------------------------
select dm.name as DB_UserName,
sp.name as LoginName,
dr.name as DB_RoleName,
dp.[permission_name],
dp.type,
dp.state_desc
from sys.database_principals as dm
join sys.database_role_members as drm on dm.principal_id = drm.member_principal_id
join sys.database_principals as dr on drm.role_principal_id = dr.principal_id
left join sys.server_principals as sp on dm.sid = sp.sid
left join sys.database_permissions as dp on dr.principal_id = dp.grantee_principal_id
Where (dm.name = @UserName or sp.name = @UserName) --and dr.name like 'db_deny%'
go