Author | Patrick Flynn (@sqllensman) |
Availability | Windows, Linux, macOS |
Generates T-SQL scripts for database role definitions with their complete permission sets and schema ownership
Creates executable T-SQL scripts that fully define database roles including CREATE ROLE statements, granular object permissions, and schema ownership assignments. The output captures every permission granted to custom roles across all database securables like tables, schemas, assemblies, and certificates so you can recreate identical security configurations in other environments. This is particularly useful for migrating role-based security between development, test, and production databases, or documenting security configurations for compliance audits.
This command is based on John Eisbrener's post "Fully Script out a MSSQL Database Role".
Reference: https://dbaeyes.wordpress.com/2013/04/19/fully-script-out-a-mssql-database-role/
Export-DbaDbRole
[[-SqlInstance] <DbaInstanceParameter[]>]
[[-SqlCredential] <PSCredential>]
[[-InputObject] <Object[]>]
[[-ScriptingOptionsObject] <ScriptingOptions>]
[[-Database] <Object[]>]
[[-Role] <Object[]>]
[[-ExcludeRole] <Object[]>]
[-ExcludeFixedRole]
[-IncludeRoleMember]
[[-Path] <String>]
[[-FilePath] <String>]
[-Passthru]
[[-BatchSeparator] <String>]
[-NoClobber]
[-Append]
[-NoPrefix]
[[-Encoding] <String>]
[-EnableException]
[<CommonParameters>]
PS C:\> Export-DbaDbRole -SqlInstance sql2005 -Path C:\temp
Exports all the Database Roles for SQL Server "sql2005" and writes them to the file "C:\temp\sql2005-logins.sql"
PS C:\> Export-DbaDbRole -SqlInstance sqlserver2014a -ExcludeRole realcajun -SqlCredential $scred -Path C:\temp\roles.sql -Append
Authenticates to sqlserver2014a using SQL Authentication. Exports all roles except for realcajun to C:\temp\roles.sql, and appends to the file if it exists. If not, the file will be created.
PS C:\> Export-DbaDbRole -SqlInstance sqlserver2014a -Role realcajun,netnerds -Path C:\temp\roles.sql
Exports ONLY roles netnerds and realcajun FROM sqlserver2014a to the file C:\temp\roles.sql
PS C:\> Export-DbaDbRole -SqlInstance sqlserver2014a -Role realcajun,netnerds -Database HR, Accounting
Exports ONLY roles netnerds and realcajun FROM sqlserver2014a with the permissions on databases HR and Accounting
PS C:\> Get-DbaDatabase -SqlInstance sqlserver2014a -Database HR, Accounting | Export-DbaDbRole
Exports ONLY roles FROM sqlserver2014a with permissions on databases HR and Accounting
PS C:\> Set-DbatoolsConfig -FullName formatting.batchseparator -Value $null
PS C:\> Export-DbaDbRole -SqlInstance sqlserver2008 -Role realcajun,netnerds -Path C:\temp\roles.sql
Sets the BatchSeparator configuration to null, removing the default "GO" value.
Exports ONLY roles netnerds and realcajun FROM sqlserver2008 server, to the C:\temp\roles.sql file, without the "GO" batch separator.
PS C:\> Export-DbaDbRole -SqlInstance sqlserver2008 -Role realcajun,netnerds -Path C:\temp\roles.sql -BatchSeparator $null
Exports ONLY roles netnerds and realcajun FROM sqlserver2008 server, to the C:\temp\roles.sql file, without the "GO" batch separator.
PS C:\> Get-DbaDatabase -SqlInstance sqlserver2008 | Export-DbaDbRole -Role realcajun
Exports role realcajun for all databases on sqlserver2008
PS C:\> Get-DbaDbRole -SqlInstance sqlserver2008 -ExcludeFixedRole | Export-DbaDbRole
Exports all roles from all databases on sqlserver2008, excluding all roles marked as FixedRole.
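As an added example (not part of the dbatools documentation), the following compares the role scripts exported from two environments to surface permission drift, using -Passthru and -NoPrefix so the output carries no timestamped header. The function names Get-RoleStatement and Compare-RoleScript are hypothetical, the sample scripts are constructed, and the one-statement-per-line layout of the exported script is an assumption.

```powershell
function Get-RoleStatement {
    # Split an exported role script into normalized, de-duplicated statements.
    # Assumption: one T-SQL statement per line, with optional GO separators.
    param([string[]]$Script)
    ($Script -join "`n") -split "\r?\n" |
        ForEach-Object { ($_ -replace '\s+', ' ').Trim().TrimEnd(';') } |
        Where-Object { $_ -and $_ -notmatch '^(GO|--.*)$' } |
        Sort-Object -Unique
}

function Compare-RoleScript {
    # Return every statement that exists on only one side.
    param([string[]]$Reference, [string[]]$Difference)
    $ref = @(Get-RoleStatement -Script $Reference)
    $dif = @(Get-RoleStatement -Script $Difference)
    $ref | Where-Object { $_ -notin $dif } | ForEach-Object {
        [pscustomobject]@{ OnlyIn = 'Reference'; Statement = $_ } }
    $dif | Where-Object { $_ -notin $ref } | ForEach-Object {
        [pscustomobject]@{ OnlyIn = 'Difference'; Statement = $_ } }
}

# Constructed sample scripts standing in for -Passthru output.
$prod = @'
CREATE ROLE [app_reader]
GO
GRANT SELECT ON SCHEMA::[dbo] TO [app_reader]
GO
'@
$dev = @'
CREATE ROLE [app_reader]
GO
GRANT  SELECT ON SCHEMA::[dbo] TO [app_reader];
GO
GRANT CONTROL ON SCHEMA::[dbo] TO [app_reader]
GO
ALTER ROLE [app_reader] ADD MEMBER [svc_report]
GO
'@

# Lists the grants and memberships that exist in dev but not in prod.
Compare-RoleScript -Reference $prod -Difference $dev

# With live instances (instance and database names taken from the examples above):
# $prod = Export-DbaDbRole -SqlInstance sqlserver2014a -Database HR -ExcludeFixedRole -IncludeRoleMember -Passthru -NoPrefix
# $dev  = Export-DbaDbRole -SqlInstance sqlserver2008 -Database HR -ExcludeFixedRole -IncludeRoleMember -Passthru -NoPrefix
```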
-SqlInstance
The target SQL Server instance or instances. SQL Server 2005 and above supported.
Any databases in CompatibilityLevel 80 or lower will be skipped.
Alias | |
Required | False |
Pipeline | false |
Default Value |
-SqlCredential
Login to the target instance using alternative credentials. Accepts PowerShell credentials (Get-Credential).
Windows Authentication, SQL Server Authentication, Active Directory - Password, and Active Directory - Integrated are all supported.
For MFA support, please use Connect-DbaInstance.
Alias | |
Required | False |
Pipeline | false |
Default Value |
-InputObject
Accepts database role objects from Get-DbaDbRole, database objects from Get-DbaDatabase, or server instances.
Use this when you need to export roles from a filtered set of databases or specific role objects.
Alias | |
Required | False |
Pipeline | true (ByValue) |
Default Value |
-ScriptingOptionsObject
Controls T-SQL script generation options using an SMO ScriptingOptions object from New-DbaScriptingOption.
Customize output format, object naming, and scripting behavior to match your deployment requirements.
Alias | |
Required | False |
Pipeline | false |
Default Value |
-Database
Specifies which databases to export role definitions from. Accepts wildcards for pattern matching.
Use this when you need role scripts for specific databases rather than processing all databases on the instance.
Alias | |
Required | False |
Pipeline | false |
Default Value |
-Role
Specifies which database roles to export. Accepts wildcards and multiple role names.
Use this when you need scripts for specific custom roles rather than all roles in the database.
Alias | |
Required | False |
Pipeline | false |
Default Value |
-ExcludeRole
Excludes specific database roles from the export operation. Accepts wildcards and multiple role names.
Useful when you want most roles except certain application-specific or sensitive roles.
Alias | |
Required | False |
Pipeline | false |
Default Value |
-ExcludeFixedRole
Excludes built-in SQL Server fixed database roles like db_datareader, db_datawriter, and db_owner.
Use this when you only want to export custom application roles and not the standard SQL Server roles.
Alias | |
Required | False |
Pipeline | false |
Default Value | False |
-IncludeRoleMember
Includes ALTER ROLE statements to add existing members back to the roles.
Use this when you need to recreate both the role definitions and their current membership assignments.
Alias | |
Required | False |
Pipeline | false |
Default Value | False |
-Path
Specifies the output directory for generated SQL script files. Defaults to the configured DbatoolsExport path.
Each database gets its own script file named with the instance and database name for organization.
Alias | |
Required | False |
Pipeline | false |
Default Value | (Get-DbatoolsConfigValue -FullName 'Path.DbatoolsExport') |
-FilePath
Specifies the exact file path for the output script. Auto-generates filename based on instance and database if not provided.
Only use this when processing a single database, as multiple databases would overwrite the same file.
Alias | OutFile,FileName |
Required | False |
Pipeline | false |
Default Value |
-Passthru
Outputs the T-SQL script to the console instead of writing to files.
Use this to review the generated scripts before saving them or to pipe output to other commands.
Alias | |
Required | False |
Pipeline | false |
Default Value | False |
-BatchSeparator
Sets the batch separator between T-SQL statements in the output script. Defaults to "GO" from configuration.
Change this when deploying to tools that require different batch separators or set to null to remove separators entirely.
Alias | |
Required | False |
Pipeline | false |
Default Value | (Get-DbatoolsConfigValue -FullName 'Formatting.BatchSeparator') |
-NoClobber
Prevents overwriting existing files at the target location. The operation will fail if files already exist.
Use this as a safety measure when you want to avoid accidentally replacing existing role scripts.
Alias | |
Required | False |
Pipeline | false |
Default Value | False |
-Append
Adds the generated T-SQL scripts to the end of existing files rather than overwriting them.
Use this to combine role scripts from multiple operations into a single deployment file.
Alias | |
Required | False |
Pipeline | false |
Default Value | False |
-NoPrefix
Removes the header comment block that includes creation timestamp, user, and source information.
Use this when you need clean T-SQL scripts without metadata comments for automated deployments.
Alias | |
Required | False |
Pipeline | false |
Default Value | False |
-Encoding
Sets the character encoding for output files. Defaults to UTF8 for broad compatibility.
Change to Unicode when working with international character sets in role names or comments.
Alias | |
Required | False |
Pipeline | false |
Default Value | UTF8 |
Accepted Values | ASCII,BigEndianUnicode,Byte,String,Unicode,UTF7,UTF8,Unknown |
-EnableException
By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this "nice by default" feature off and enables you to catch exceptions with your own try/catch.
Alias | |
Required | False |
Pipeline | false |
Default Value | False |