-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathRevokeObjectRoleByID.sql
112 lines (99 loc) · 3.46 KB
/
RevokeObjectRoleByID.sql
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
USE [Certificate_Administration]
GO
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
-- ======================================================================
-- Author: John Merkel
-- Creation date: October 20, 2021
-- Description: Revokes a TargetRole from the SourceObject.
-- Requires: SA
-- ======================================================================
CREATE OR ALTER PROCEDURE [Permission].[RevokeObjectRoleByID]
@SourceObjectID INT
, @TargetRoleID INT
, @DropRequest BIT
, @debug BIT = 1
AS
SET XACT_ABORT, NOCOUNT ON
BEGIN TRY
BEGIN TRANSACTION
DECLARE
@TargetDatabaseID INT
, @tar_db_id INT
, @tar_role_id INT
, @tar_cert_id INT
, @granted BIT
SELECT
@TargetDatabaseID = [td].[TargetDatabaseID]
, @tar_db_id = [td].[database_id]
, @tar_role_id = [tr].[role_principal_id]
, @tar_cert_id = [toc].[certificate_id]
, @granted = [orr].[Granted]
FROM
[Permission].[ObjectRoleRequest] AS [orr]
JOIN [Permission].[TargetRole] AS [tr]
ON [orr].[TargetRoleID] = [tr].[TargetRoleID]
JOIN [Permission].[TargetDatabase] AS [td]
ON [tr].[TargetDatabaseID] = [td].[TargetDatabaseID]
JOIN [Permission].[SourceObjectCertificate] AS [soc]
ON [orr].[SourceObjectID] = [soc].[SourceObjectID]
JOIN [Permission].[TargetObjectCertificate] AS [toc]
ON [soc].[SourceObjectCertificateID] = [toc].[SourceObjectCertificateID]
WHERE
[orr].[SourceObjectID] = @SourceObjectID
AND [orr].[TargetRoleID] = @TargetRoleID
IF @tar_db_id IS NULL
RAISERROR(
'No object permission request exists with SourceObjectID: "%d" TargetRoleID: "%d"'
, 16, 1
, @SourceObjectID, @TargetRoleID
)
-- Only hit other databases if the permission has been granted
IF @granted = 1
BEGIN
DECLARE
@tar_db_name SYSNAME
, @tar_role_name SYSNAME
, @tar_cert_username SYSNAME
-- Get db name
EXEC [Validation].[DBNameFromID] @tar_db_id, @tar_db_name, 1
-- Get certificate username
EXEC [Validation].[CertUsernameFromCertID]
@tar_db_id
, @tar_cert_id
, @tar_cert_username OUTPUT
, 1
, @debug
-- Revoke role
EXEC [Definition].[DropMemberFromRoleByName]
@tar_db_name
, @tar_role_name
, @tar_cert_username
, @debug
END
IF @DropRequest = 1
-- Permissions revoked, drop request
DELETE [orr]
FROM [Permission].[ObjectRoleRequest] AS [orr]
WHERE
[orr].[SourceObjectID] = @SourceObjectID
AND [orr].[TargetRoleID] = @TargetRoleID
ELSE IF @granted = 1
-- Permissions revoked, set Granted = 0
UPDATE [orr]
SET [orr].[Granted] = 0
FROM [Permission].[ObjectRoleRequest] AS [orr]
WHERE
[orr].[SourceObjectID] = @SourceObjectID
AND [orr].[TargetRoleID] = @TargetRoleID
-- Try to clear any certs that aren't granting permissions
EXEC [Permission].[TryToDropObjectCertificates] @SourceObjectID, @TargetDatabaseID, @debug
COMMIT TRANSACTION
END TRY
BEGIN CATCH
IF @@TRANCOUNT > 0 ROLLBACK TRANSACTION
; THROW
END CATCH
GO