.NET Playground

Monday, December 31, 2007 #

Is_Member returning 0 for dba's

It's a pretty frustrating situation where you call Is_Member in sql server 2005 to find if the current user belongs to a particular role, only to have it return 0 when that user is in fact a member. The reason for this is that when you log in as a member of the sysadmin role, you essentially become dbo which ignores all such role mappings.

To put it simply running the following as a dba,

select * from sys.user_token

would return one row - the dbo. Running it as a non dba user will return all the principals the user is mapped to.

To create a workaround for this, I've had to implement my own Udf that pulls directly from the sys.database_principals and sys.database_role_members tables to fetch which database roles a user belongs to. Please not that this does NOT map out which windows principals the user belongs to:

create function [Security].[Is_Member](@rolename varchar(255))
returns tinyint
as
begin
 
-- Check to see that the principal being queried exists
declare @roleExists bit
select @roleExists = 1 from sys.database_principals where name = @roleName
if @roleExists is null return null
 
-- See if the current user is a member of that principal
declare @isMember bit
set @isMember = 0
 
select 
   @isMember = 1
from 
   sys.database_principals u 
   join sys.database_role_members m on u.name = suser_name() and u.principal_id = m.member_principal_id 
   join sys.database_principals r on m.role_principal_id = r.principal_id and r.name = @rolename
 
return @isMember
 
end

The function merely creates a new Is_member Udf within my own security schema which goes off and checks the aforementioned principal tables ot see if the current user is allocated to that principal.

Update

Alright, after a bit of playing with the above script, I ran into a wall when part of my app needed to use is_member to take advantage of windows groups being allocated to sql groups. Because of this, I've modified the udf back to the regular behaviour of the is_member function, except changing the default return value for dbo users to return 1 rather than 0 to role membership as such:

ALTER function [Security].[Is_Member](@rolename varchar(255))
returns tinyint
as
begin
 
-- Check to see that the principal being queried exists
declare @roleExists bit
select @roleExists = 1 from sys.database_principals where name = @roleName
if @roleExists is null return null
 
-- Check to see if the user is dbo
if user = 'dbo' return 1
return is_member(@rolename)
 
end

posted @ Monday, December 31, 2007 7:47 AM | Feedback (2)

December

Sun

Mon

Tue

Wed

Thu

Fri

Sat

About

Twitter

adenhertog finished mcpd & mcitp - no more cert exams! about 476 days ago

adenhertog if((mcpd && mcitp) == false && (mcpd)) System.WriteLine("one down, one to go"); about 520 days ago

adenhertog Passed my 528 exam in even greater style ;) about 547 days ago

adenhertog passed my 536 exam in style :D about 599 days ago

adenhertog passed my 442 exam! about 605 days ago

adenhertog look up hash memory searching in sql about 647 days ago

adenhertog half way through the book for the second time about 665 days ago

adenhertog scratch that, yes I CAN call ssas clr procs from ssrs, but I need to unbind my query params before I can send it down my own string data about 666 days ago

adenhertog can't call sass clr procs from ssrs wtf about 666 days ago

adenhertog multiple parameters? pfeeeeh about 667 days ago

Syndication:

RSS ATOM

unearthing the fun in .net and sql server

Monday, December 31, 2007 #

Is_Member returning 0 for dba's

About

Twitter

Archives

Syndication: