forked from drewfurgiuele/AutomatedSQLPermissions
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathSet-DatabasePermissions.ps1
More file actions
130 lines (115 loc) · 5.64 KB
/
Copy pathSet-DatabasePermissions.ps1
File metadata and controls
130 lines (115 loc) · 5.64 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
[CmdletBinding(SupportsShouldProcess=$true)]
Param (
[parameter(Mandatory=$true)]
[string]$servername,
[parameter(Mandatory = $false)]
[string]$repoServerName,
[parameter(Mandatory = $true)]
[string]$repodatabasename,
[parameter(Mandatory = $false)]
[string]$databaseName
)
begin {
$InstanceName = $null
if ($ServerName.Contains("\")) {
$InstanceName = $ServerName.Split("\")[1]
} else {
$InstanceName = 'DEFAULT'
}
$RepoInstanceName = $null
if ($repoServerName.Contains("\")) {
$RepoInstanceName = $repoServerName.Split("\")[1]
} else {
$RepoInstanceName = 'DEFAULT'
}
if ($instanceName -ne "DEFAULT") {
$instance = Get-ChildItem -Path SQLSERVER:\SQL\$ServerName | Where-Object {$_.InstanceName -eq $InstanceName}
} else {
$instance = Get-ChildItem -Path SQLSERVER:\SQL\$ServerName | Where-Object {$_.InstanceName -eq ""}
}
$Databases = Get-ChildItem -Path SQLSERVER:\SQL\$ServerName\$InstanceName\Databases
if ($DatabaseName) {
$Databases = $Databases | Where-Object {$_.Name -eq $DatabaseName}
}
$Repository = Get-ChildItem -Path SQLSERVER:\SQL\$repoServerName\$repoInstanceName\Databases | Where-Object {$_.Name -eq $repodatabasename}
}
process {
ForEach ($d in $Databases) {
$CurrentDatabase = $d.Name
$Results = [pscustomobject] @{
ServerName = $ServerName
InstanceName = $instanceName
DatabaseName = $CurrentDatabase
PermissionSet = $null
TotalSuccessful = 0
TotalError = 0
SuccessStatements = @()
ErrorStatements = @()
}
$RefreshID = ($Repository.ExecuteWithResults("SELECT TOP 1 CaptureID, CaptureDateTime, ServerName, InstanceName, DatabaseName FROM Permissions.Captures WHERE ServerName = '$servername' AND InstanceName = '$instanceName' AND DatabaseName = '$CurrentDatabase' ORDER BY CaptureDateTime DESC")).Tables[0].CaptureID
if ($RefreshID) {
$Results.PermissionSet = $RefreshID
$Users = ($Repository.ExecuteWithResults("SELECT CreateScript FROM Permissions.DatabaseUsers WHERE CaptureID = '$RefreshID' ORDER BY ID")).Tables[0].CreateScript
ForEach ($u in $users) {
try {
$d.ExecuteWithResults($u) | Out-Null
$Results.TotalSuccessful++
$Results.SuccessStatements += $u
} catch {
$Results.TotalError++
$Results.ErrorStatements += $u
}
}
$RoleMembers = ($Repository.ExecuteWithResults("SELECT RoleName, RoleMember FROM Permissions.DatabaseRoleMembers WHERE CaptureID = '$RefreshID' ORDER BY ID")).Tables[0]
ForEach ($r in $RoleMembers) {
try {
if ($ServerVersion -gt 10) {
$statement = "ALTER ROLE " + $r.RoleName + " ADD MEMBER [" + $r.RoleMember + "]"
} else {
$statement = "EXEC sp_addrolemember N'" + ($r.RoleName.Replace("[","").Replace("]","")) + "', N'" + ($r.RoleMember.Replace("[","").Replace("]","")) + "';"
}
$d.ExecuteWithResults($statement) | Out-Null
$Results.TotalSuccessful++
$Results.SuccessStatements += $statement
} catch {
$Results.TotalError++
$Results.ErrorStatements += $statement
}
}
$DatabaseLevelPermissions = ($Repository.ExecuteWithResults("SELECT ObjectName, PermissionState, PermissionType, Grantee FROM Permissions.DatabaseObjectPermissions WHERE CaptureID = '$RefreshID' AND ObjectClass = 'Database' ORDER BY ID")).Tables[0]
ForEach ($dbl in $DatabaseLevelPermissions)
{
$statement = $dbl.permissionState + " " + $dbl.PermissionType + " TO [" + $dbl.Grantee + "]"
try {
$d.ExecuteWithResults($statement) | Out-Null
$Results.TotalSuccessful++
$Results.SuccessStatements += $statement
} catch {
$Results.TotalError++
$Results.ErrorStatements += $statement
}
}
$DatabaseObjectPermissions = ($Repository.ExecuteWithResults("SELECT ObjectName, ObjectClass, ObjectSchema, PermissionState, PermissionType, Grantee FROM Permissions.DatabaseObjectPermissions WHERE CaptureID = '$RefreshID' AND ObjectClass != 'Database' ORDER BY ID")).Tables[0]
ForEach ($dbop in $DatabaseObjectPermissions)
{
switch ($dbop.ObjectClass) {
Schema {$statement = $dbop.permissionState + " " + $dbop.PermissionType + " ON SCHEMA :: [" + $dbop.ObjectName + "] TO [" + $dbop.Grantee + "]"}
default {$statement = $dbop.permissionState + " " + $dbop.PermissionType + " ON [" + $dbop.ObjectSchema + "].[" + $dbop.ObjectName + "] TO [" + $dbop.Grantee + "]"}
}
if ($PSCmdlet.ShouldProcess("$statement", "Setting permission"))
{
try {
$d.ExecuteWithResults($statement) | Out-Null
$Results.TotalSuccessful++
$Results.SuccessStatements += $statement
} catch {
Write-Warning "Unable to apply '$statement'"
$Results.TotalError++
$Results.ErrorStatements += $statement
}
}
}
}
$Results
}
}