cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Home
%3CLINGO-SUB%20id%3D%22lingo-sub-370919%22%20slang%3D%22en-US%22%3EFind%20users%20under%20a%20specific%20database%20role%20for%20all%20the%20servers%20in%20my%20environment%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-370919%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSTRONG%3EFirst%20published%20on%20MSDN%20on%20Aug%2011%2C%202016%20%3C%2FSTRONG%3E%20%3CBR%20%2F%3ERecently%20I%20was%20working%20with%20a%20customer%20who%20wanted%20to%20know%20all%20the%20users%20in%20their%20environment%20who%20had%20ssis_admin%20permissions%20within%20their%20Integration%20Services%20environment.%20In%20SQL%20Server%202008%20R2%2C%20a%20new%20catalog%20view%20was%20introduced%20that%20allows%20us%20to%20bridge%20between%20database_roles%20and%20their%20associated%20members%2C%20under%20sys.database_role_members.%20With%20this%20simple%20bridge%20table%2C%20we%20can%20do%20some%20quick%20joins%20to%20the%20sys.database_principals%20catalog%20view%20and%20get%20a%20nice%20report%20of%20who%20has%20permissions%20under%20a%20specific%20database%20role.%20Here%20is%20a%20very%20straight%20forward%20SQL%20query%20that%20allows%20us%20to%20see%20all%20the%20users%20who%20have%20ssis_admin%20on%20our%20server%3A%3CPRE%3E%0ASELECT%20dr.name%20%5BDatabaseRoleName%5D%0A%20%2CISNULL(pr.Name%2C%20'No%20Members%20Found!')%20%5BDatabaseUserName%5D%0AFROM%20sys.database_role_members%20drm%0ARIGHT%20JOIN%20sys.database_principals%20dr%20ON%20drm.role_principal_id%20%3D%20dr.principal_id%0ALEFT%20JOIN%20sys.database_principals%20pr%20ON%20drm.member_principal_id%20%3D%20pr.principal_id%0AWHERE%20dr.name%20%3D%20'ssis_admin'%0A%3C%2FPRE%3E%0A%3CBR%20%2F%3EYou%20could%20easily%20change%20this%20to%20pull%20for%20any%20database%20role%20on%20any%20database.%20In%20this%20example%20I'm%20using%20it%20for%20ssis_admin%20under%20the%20SSISDB%20database.%20We%20can%20extend%20this%20in%20order%20to%20loop%20over%20a%20list%20of%20all%20servers%20in%20the%20environment%20by%20using%20PowerShell.%20In%20my%20environment%2C%20I%20have%20a%20centralized%20admin%20database%20that%20contains%20a%20list%20of%20all%20the%20servers%20that%20I%20want%20to%20track%20in%20my%20lab.%20I%20can%20query%20this%20from%20PowerShell%20by%20using%20Invoke-sqlcmd%3A%20%0A%3CBR%20%2F%3E%0A%3CPRE%3E%0A%23list%20of%20servers%20to%20be%20check%20%0A%24servers%20%3D%20Invoke-Sqlcmd%20-ServerInstance%20sql2016a%20-Database%20PerformanceMonitor%20-Query%20%22SELECT%20DISTINCT%20%5BServerName%5D%20FROM%20Server%20WHERE%20HasIsCatalog%20%3D%201%22%20%0A%3C%2FPRE%3E%0A%3CBR%20%2F%3ENext%2C%20we%20are%20going%20to%20wrap%20the%20actual%20sql%20statement%20we%20want%20to%20run%20inside%20of%20a%20function%3A%20%0A%3CPRE%3E%0A%23function%20to%20retrieve%20database%20users%20and%20roles%26lt%3B%2Fpre%26gt%3B%20%0AFunction%20Get-DatabaseUsers%20(%5Bstring%5D%24Servername)%20%0A%7B%20%0A%20%24query%20%3D%20Invoke-Sqlcmd%20-ServerInstance%20%24Servername%20-Database%20SSISDB%20-Query%20%22SELECT%20%40%40SERVERNAME%20%5BServerName%5D%0A%20%2Cdr.name%20%5BDatabaseRoleName%5D%20%0A%20%2CISNULL(pr.Name%2C%20'No%20Members%20Found!')%20%5BDatabaseUserName%5D%20%0A%20FROM%20sys.database_role_members%20drm%20%0A%20RIGHT%20JOIN%20sys.database_principals%20dr%20%0A%20ON%20drm.role_principal_id%3Ddr.principal_id%20%0A%20LEFT%20JOIN%20sys.database_principals%20pr%20%0A%20ON%20drm.member_principal_id%3Dpr.principal_id%20%0A%20WHERE%20dr.name%20%3D%20'ssis_admin'%22%20%0A%0A%20%23the%20below%20outputs%20the%20result%20of%20the%20above%20when%20the%20function%20is%20called%20%0A%20%24query%20%0A%7D%0A%3C%2FPRE%3E%0A%3CBR%20%2F%3EThe%20function%20itself%20is%20relatively%20straight-forward.%20It%20takes%20the%20query%20we%20wrote%20earlier%20in%20this%20blog%2C%20calls%20it%20from%20invoke-sqlcmd%2C%20and%20uses%20a%20parameter%20called%20%24Servername%20as%20an%20input%20to%20know%20which%20server%20to%20run%20against.%20The%20bottom%20%24query%20statement%20outputs%20the%20result%20of%20the%20invoke-sqlcmd%20from%20calling%20the%20function.%20%0A%3CBR%20%2F%3E%0A%3CBR%20%2F%3ENext%20on%20our%20list%20is%20to%20write%20the%20result%20into%20our%20centralized%20admin%20server.%20One%20of%20the%20easiest%20ways%20to%20do%20this%20in%20PowerShell%20is%20to%20use%20a%20datatable%20and%20then%20bulk%20copy%20the%20data%20into%20the%20table.%20We%20need%20to%20set%20the%20stage%20by%20creating%20a%20function%3A%20%0A%3CPRE%3E%0AFunction%20out-DataTable%20%0A%7B%20%0A%0A%20%24dt%20%3D%20new-object%20Data.datatable%20%0A%0A%20%24First%20%3D%20%24true%20%0A%20foreach%20(%24item%20in%20%24input)%7B%20%0A%20%20%24DR%20%3D%20%24DT.NewRow()%20%0A%0A%20%20%24Item.PsObject.get_properties()%20%7C%20foreach%20%7B%20%0A%20%20%20if%20(%24first)%20%7B%0A%20%20%20%20%24Col%20%3D%20new-object%20Data.DataColumn%20%0A%20%20%20%20%24Col.ColumnName%20%3D%20%24_.Name.ToString()%20%0A%20%20%20%20%24DT.Columns.Add(%24Col)%0A%20%20%20%7D%20%0A%0A%20%20%20if%20(%24_.value%20-eq%20%24null)%20%7B%20%0A%20%20%20%20%24DR.Item(%24_.Name)%20%3D%20%22%5Bempty%5D%22%20%0A%20%20%20%7D%20%0A%20%20%20elseif%20(%24_.IsArray)%20%7B%20%0A%20%20%20%20%24DR.Item(%24_.Name)%20%3D%5Bstring%5D%3A%3AJoin(%24_.value%20%2C%22%3B%22)%20%0A%20%20%20%7D%20%0A%20%20%20else%20%7B%20%0A%20%20%20%20%24DR.Item(%24_.Name)%20%3D%20%24_.value%20%0A%20%20%20%7D%20%0A%20%20%7D%20%0A%0A%20%20%24DT.Rows.Add(%24DR)%20%0A%0A%20%20%24First%20%3D%20%24false%20%0A%20%7D%20%0A%20return%20%40(%2C(%24dt))%0A%7D%0A%3C%2FPRE%3E%0A%0A%3CBR%20%2F%3EAnd%20then%20we%20can%20loop%20over%20the%20list%20of%20servers%20in%20our%20environment%20that%20we%20want%20to%20manage%20and%20write%20the%20result%20to%20our%20data%20table.%20%0A%3CPRE%3E%0A%23execute%20the%20functions%20%0Aforeach%20(%24ServerName%20in%20%24servers)%20%0A%7B%20%0A%20%24dataTable%20%3D%20Get-DatabaseUsers%20%24ServerName.ServerName%20%7C%20out-DataTable%20%0A%20%23%24dataTable%20%23you%20can%20use%20this%20to%20check%20the%20output%20%0A%3C%2FPRE%3E%0A%0A%3CBR%20%2F%3EEnsuring%20that%20we're%20getting%20the%20results%20we%20expect%2C%20now%20we%20can%20write%20the%20result%20to%20a%20sql%20table.%20We'll%20do%20this%20by%20using%20the%20Data.sqlclient.sqlbulkcopy%20object%20and%20mapping%20it%20to%20a%20predefined%20destination%20table.%20The%20below%20code%20segment%20handles%20this%20part%20of%20the%20process%3A%20%0A%3CBR%20%2F%3E%0A%3CPRE%3E%0A%23initialize%20a%20sqlbulk%20copy%20object%20to%20write%20the%20data%20to%20the%20centralized%20table%20%0A%0A%24connectionString%20%3D%20%22Data%20Source%3Dsql2016a%3B%20Integrated%20Security%3DTrue%3BInitial%20Catalog%3DPerformanceMonitor%3B%22%20%0A%0A%23open%20the%20connection%20%0A%0A%24bulkCopy%20%3D%20new-object%20(%22Data.SqlClient.SqlBulkCopy%22)%20%24connectionString%20%0A%0A%23set%20the%20destination%20table%20%0A%0A%24bulkCopy.DestinationTableName%20%3D%20%22DatabaseRolesList%22%20%0A%0A%23perform%20the%20column%20mappings%20%0A%0A%24bulkCopy.ColumnMappings.Add(%22ServerName%22%2C%22ServerName%22)%20%0A%0A%24bulkcopy.ColumnMappings.Add(%22DatabaseRoleName%22%2C%22DatabaseRoleName%22)%20%0A%0A%24bulkcopy.ColumnMappings.Add(%22DatabaseUserName%22%2C%22DatabaseUserName%22)%20%0A%0A%23write%20the%20data%20to%20the%20table%20%0A%0A%24bulkCopy.WriteToServer(%24dataTable)%20%0A%3C%2FPRE%3E%0A%0A%3CBR%20%2F%3EThe%20nice%20part%20about%20this%20script%20is%20that%20by%20simply%20changing%20the%20query%20in%20the%20invoke-sqlcmd%20function%20and%20doing%20the%20bulk%20copy%20mapping%20in%20the%20foreach%20loop%2C%20this%20script%20could%20be%20extended%20to%20run%20almost%20any%20sql%20query%20and%20write%20the%20results%20to%20a%20sql%20table.%20%0A%3CBR%20%2F%3E%0A%3CBR%20%2F%3EAn%20end%20to%20end%20sample%20of%20the%20code%20is%20available%20on%20the%20TechNet%20gallery%20%3CA%20href%3D%22https%3A%2F%2Fgallery.technet.microsoft.com%2FFind-all-users-under-a-00e40ef8%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%20here.%20%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-370919%22%20slang%3D%22en-US%22%3E%3CP%3EFirst%20published%20on%20MSDN%20on%20Aug%2011%2C%202016%20Recently%20I%20was%20working%20with%20a%20customer%20who%20wanted%20to%20know%20all%20the%20users%20in%20their%20environment%20who%20had%20ssis_admin%20permissions%20within%20their%20Integration%20Services%20environment.%3C%2FP%3E%3C%2FLINGO-TEASER%3E
msftchris
msftchris
Microsoft
‎03-15-2019 12:37 PM

Find users under a specific database role for all the servers in my environment

‎03-15-2019 12:37 PM

First published on MSDN on Aug 11, 2016
Recently I was working with a customer who wanted to know all the users in their environment who had ssis_admin permissions within their Integration Services environment. In SQL Server 2008 R2, a new catalog view was introduced that allows us to bridge between database_roles and their associated members, under sys.database_role_members. With this simple bridge table, we can do some quick joins to the sys.database_principals catalog view and get a nice report of who has permissions under a specific database role. Here is a very straight forward SQL query that allows us to see all the users who have ssis_admin on our server: 

SELECT dr.name [DatabaseRoleName]
	,ISNULL(pr.Name, 'No Members Found!') [DatabaseUserName]
FROM sys.database_role_members drm
RIGHT JOIN sys.database_principals dr ON drm.role_principal_id = dr.principal_id
LEFT JOIN sys.database_principals pr ON drm.member_principal_id = pr.principal_id
WHERE dr.name = 'ssis_admin'

You could easily change this to pull for any database role on any database. In this example I'm using it for ssis_admin under the SSISDB database. We can extend this in order to loop over a list of all servers in the environment by using PowerShell. In my environment, I have a centralized admin database that contains a list of all the servers that I want to track in my lab. I can query this from PowerShell by using Invoke-sqlcmd: 
#list of servers to be check 
$servers = Invoke-Sqlcmd -ServerInstance sql2016a -Database PerformanceMonitor -Query "SELECT DISTINCT [ServerName] FROM Server WHERE HasIsCatalog = 1"

Next, we are going to wrap the actual sql statement we want to run inside of a function: 
#function to retrieve database users and roles</pre> 
Function Get-DatabaseUsers ([string]$Servername) 
{ 
	$query = Invoke-Sqlcmd -ServerInstance $Servername -Database SSISDB -Query "SELECT @@SERVERNAME [ServerName]
	,dr.name [DatabaseRoleName] 
	,ISNULL(pr.Name, 'No Members Found!') [DatabaseUserName] 
	FROM sys.database_role_members drm 
	RIGHT JOIN sys.database_principals dr 
	ON drm.role_principal_id=dr.principal_id 
	LEFT JOIN sys.database_principals pr 
	ON drm.member_principal_id=pr.principal_id 
	WHERE dr.name = 'ssis_admin'" 

	#the below outputs the result of the above when the function is called 
	$query 
}

The function itself is relatively straight-forward. It takes the query we wrote earlier in this blog, calls it from invoke-sqlcmd, and uses a parameter called $Servername as an input to know which server to run against. The bottom $query statement outputs the result of the invoke-sqlcmd from calling the function.

Next on our list is to write the result into our centralized admin server. One of the easiest ways to do this in PowerShell is to use a datatable and then bulk copy the data into the table. We need to set the stage by creating a function: 
Function out-DataTable 
{ 

	$dt = new-object Data.datatable 

	$First = $true 
	foreach ($item in $input){ 
		$DR = $DT.NewRow() 

		$Item.PsObject.get_properties() | foreach { 
			if ($first) {
				$Col = new-object Data.DataColumn 
				$Col.ColumnName = $_.Name.ToString() 
				$DT.Columns.Add($Col)
			} 

			if ($_.value -eq $null) { 
				$DR.Item($_.Name) = "[empty]" 
			} 
			elseif ($_.IsArray) { 
				$DR.Item($_.Name) =[string]::Join($_.value ,";") 
			} 
			else { 
				$DR.Item($_.Name) = $_.value 
			} 
		} 

		$DT.Rows.Add($DR) 

		$First = $false 
	} 
	return @(,($dt))
}

And then we can loop over the list of servers in our environment that we want to manage and write the result to our data table. 
#execute the functions 
foreach ($ServerName in $servers) 
{ 
	$dataTable = Get-DatabaseUsers $ServerName.ServerName | out-DataTable 
	#$dataTable #you can use this to check the output

Ensuring that we're getting the results we expect, now we can write the result to a sql table. We'll do this by using the Data.sqlclient.sqlbulkcopy object and mapping it to a predefined destination table. The below code segment handles this part of the process: 
#initialize a sqlbulk copy object to write the data to the centralized table 

$connectionString = "Data Source=sql2016a; Integrated Security=True;Initial Catalog=PerformanceMonitor;" 

#open the connection 

$bulkCopy = new-object ("Data.SqlClient.SqlBulkCopy") $connectionString 

#set the destination table 

$bulkCopy.DestinationTableName = "DatabaseRolesList" 

#perform the column mappings 

$bulkCopy.ColumnMappings.Add("ServerName","ServerName") 

$bulkcopy.ColumnMappings.Add("DatabaseRoleName","DatabaseRoleName") 

$bulkcopy.ColumnMappings.Add("DatabaseUserName","DatabaseUserName") 

#write the data to the table 

$bulkCopy.WriteToServer($dataTable)

The nice part about this script is that by simply changing the query in the invoke-sqlcmd function and doing the bulk copy mapping in the foreach loop, this script could be extended to run almost any sql query and write the results to a sql table.

An end to end sample of the code is available on the TechNet gallery here.

0 Likes
Like