Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

MS SQL Server: Check to see if a user can execute a stored procedure

Tags:

sql

sql-server

tsql

sql-server-2005

stored-procedures

How can you check to see if a user can execute a stored procedure in MS SQL server?

I can see if the user has explicit execute permissions by connecting to the master database and executing:

databasename..sp_helpprotect 'storedProcedureName', 'username'

however if the user is a member of a role that has execute permissions sp_helprotect won't help me.

Ideally I'd like to be able to call something like 

databasename..sp_canexecute 'storedProcedureName', 'username'

which would return a bool.

like image 397
Andrew Avatar asked Jan 27 '09 16:01

Andrew

3 Answers

Try something like this:

CREATE PROCEDURE [dbo].[sp_canexecute]
@procedure_name varchar(255),
@username varchar(255),
@has_execute_permissions bit OUTPUT
AS

IF EXISTS (
        /* Explicit permission */
        SELECT 1
        FROM sys.database_permissions p
        INNER JOIN sys.all_objects o ON p.major_id = o.[object_id] AND o.[name] = @procedure_name
        INNER JOIN sys.database_principals dp ON p.grantee_principal_id = dp.principal_id AND dp.[name] = @username
    )
    OR EXISTS (
        /* Role-based permission */
        SELECT 1
        FROM sys.database_permissions p
        INNER JOIN sys.all_objects o ON p.major_id = o.[object_id]
        INNER JOIN sys.database_principals dp ON p.grantee_principal_id = dp.principal_id AND o.[name] = @procedure_name
        INNER JOIN sys.database_role_members drm ON dp.principal_id = drm.role_principal_id
        INNER JOIN sys.database_principals dp2 ON drm.member_principal_id = dp2.principal_id AND dp2.[name] = @username
    )
BEGIN
    SET @has_execute_permissions = 1
END
ELSE
BEGIN
    SET @has_execute_permissions = 0
END
GO
like image 31
Dane Avatar answered Sep 29 '22 09:09

Dane

fn_my_permissions and HAS_PERMS_BY_NAME

like image 95
Cade Roux Avatar answered Sep 29 '22 10:09

Cade Roux

Assuming the SP only runs a SELECT statement:

EXECUTE AS USER = [User's ID/Login]
EXEC sp_foobar( sna, fu)
REVERT

It's important to note that you will need to run the REVERT command after the prompt as SQL Server will regard you as the user you are EXECUTING AS until you either shut down the connection or REVERT the impersonation. That said, you should see exactly what a user would get (getting some rows but not all? This should help you out).

like image 40
Pulsehead Avatar answered Sep 29 '22 11:09

Pulsehead
Sign in to Comment

Related questions

Why do NULL values come first when ordering DESC in a PostgreSQL query?
Mapping lots of similar tables in SQLAlchemy
How to Pass Bool (BIT) parameter to SQL server?
Split comma separated values of a column in row, through Oracle SQL query
c# - SqlConnection InfoMessage triggering only at end of execution
querying and selecting specific column in SQLAlchemy
How to create a table before using sqlbulkcopy
Trying to show datediff greater than ten days
How to sum a field based on a condition in another field in RDLC report?
Extract string from a text after a keyword in sql?
Table-Valued Function using IF statement in SQL Server
How do I solve "Keyword not supported: 'metadata' "?
Getting most used words from a column of strings in SQL
Empty string vs NULL
Incorrect syntax near OFFSET command
Presto create table with 'with' queries
SQL: Remove part of the string from all the entries returned by the SELECT statement
How do I prepend string to a field value in MySQL?
Convert nvarchar to numeric in MSSQL Server
Table vs Materialized View

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!