tags:

views:

3544

answers:

3
+4  Q: 

MS SQL Server: Check to see if a user can execute a stored procedure

How can you check to see if a user can execute a stored procedure in MS SQL server?

I can see if the user has explicit execute permissions by connecting to the master database and executing:

databasename..sp_helpprotect 'storedProcedureName', 'username'

however if the user is a member of a role that has execute permissions sp_helprotect won't help me.

Ideally I'd like to be able to call something like 

databasename..sp_canexecute 'storedProcedureName', 'username'

which would return a bool.

+4  A: 

fn_my_permissions and HAS_PERMS_BY_NAME

Cade Roux  2009-01-27 16:43:57
A: 

Assuming the SP only runs a SELECT statement:

EXECUTE AS USER = [User's ID/Login]
EXEC sp_foobar( sna, fu)
REVERT

It's important to note that you will need to run the REVERT command after the prompt as SQL Server will regard you as the user you are EXECUTING AS until you either shut down the connection or REVERT the impersonation. That said, you should see exactly what a user would get (getting some rows but not all? This should help you out).

Pulsehead  2009-01-27 19:06:41
A: 

Try something like this:

CREATE PROCEDURE [dbo].[sp_canexecute]
@procedure_name varchar(255),
@username varchar(255),
@has_execute_permissions bit OUTPUT
AS

IF EXISTS (
     /* Explicit permission */
     SELECT 1
     FROM sys.database_permissions p
     INNER JOIN sys.all_objects o ON p.major_id = o.[object_id] AND o.[name] = @procedure_name
     INNER JOIN sys.database_principals dp ON p.grantee_principal_id = dp.principal_id AND dp.[name] = @username
    )
    OR EXISTS (
     /* Role-based permission */
     SELECT 1
     FROM sys.database_permissions p
     INNER JOIN sys.all_objects o ON p.major_id = o.[object_id]
     INNER JOIN sys.database_principals dp ON p.grantee_principal_id = dp.principal_id AND o.[name] = @procedure_name
     INNER JOIN sys.database_role_members drm ON dp.principal_id = drm.role_principal_id
     INNER JOIN sys.database_principals dp2 ON drm.member_principal_id = dp2.principal_id AND dp2.[name] = @username
    )
BEGIN
    SET @has_execute_permissions = 1
END
ELSE
BEGIN
    SET @has_execute_permissions = 0
END
GO
Dane  2009-01-27 20:56:19
Does that work if the user is a member of a role that has permissions, and has not been explicitly allowed to execute the stored procedure?
Andrew  2009-01-28 09:24:25
No, but you could put the role name in the @username parameter and that would still return the proper/expected boolean result.
Dane  2009-01-28 22:34:07
Ok, I've updated the proc code above to take permissions granted by way of roles as well as explicit granting.
Dane  2009-01-28 22:56:40

related questions

Sql to query a dbs scheme
Transform Columns into Rows
SQL Client for Mac OS X that works with MS SQL Server
How do you get leading wildcard full-text searches to work in SQL Server?
SQL Server 2000: Is there a way to tell when a record was last modified?
What's the BEST way to remove the time portion of a datetime value (SQL Server)
I need to know how much disk space a table is using in SQL Server
What's the best way to determine if a temporary table exists in SQL Server?
Appropriate pagefile size for SQL Server
Have you ever encountered a query that SQL Server could not execute because it referenced too many tables?
ASP.NET MVC "CRUD" Database Sample
How do I unit test persistence?
Best Book for a new Database Developer
Can I logically reorder columns in a table?
Best way to copy a database in SQL Server 2005/8?
Is Windows Server 2008 "Server Core" appropriate for a SQL Server instance?
Why doesn't SQL Full Text Indexing return results for words containing #?
Client collation and SQL Server 2005
Editing database records by multiple users
Deploying SQL Server Databases from Test to Live
SQL Server 2005 implementation of MySQL REPLACE INTO?
Upgrading SQL Server 6.5
How do I version my MS SQL database in SVN?
How to export data from SQL Server 2005 to MySQL
Check for changes to a SQL table?