| Author | Brandon Abshire, netnerds.net , Josh Smith |
| Availability | Windows, Linux, macOS |
Want to see the source code for this command? Check out Get-DbaUserPermission on GitHub.
Want to see the Bill Of Health for this command? Check out Get-DbaUserPermission.
Displays detailed permissions information for the server and database roles and securables.
This command will display all server logins, server level securables, database logins and database securables.
DISA STIG implementors will find this command useful as it uses Permissions.sql provided by DISA.
Note that if you Ctrl-C out of this command and end it prematurely, it will leave behind a STIG schema in tempdb.
Get-DbaUserPermission
[-SqlInstance] <DbaInstanceParameter[]>
[[-SqlCredential] <PSCredential>]
[[-Database] <Object[]>]
[[-ExcludeDatabase] <Object[]>]
[-ExcludeSystemDatabase]
[-IncludePublicGuest]
[-IncludeSystemObjects]
[-ExcludeSecurables]
[-EnableException]
[<CommonParameters>]
PS C:\> Get-DbaUserPermission -SqlInstance sql2008, sqlserver2012
Check server and database permissions for servers sql2008 and sqlserver2012.
PS C:\> Get-DbaUserPermission -SqlInstance sql2008 -Database TestDB
Check server and database permissions on server sql2008 for only the TestDB database
PS C:\> Get-DbaUserPermission -SqlInstance sql2008 -Database TestDB -IncludePublicGuest -IncludeSystemObjects
Check server and database permissions on server sql2008 for only the TestDB database,
including public and guest grants, and sys schema objects.
The target SQL Server instance or instances.
| Alias | |
| Required | True |
| Pipeline | true (ByValue) |
| Default Value |
Login to the target instance using alternative credentials. Accepts PowerShell credentials (Get-Credential).
Windows Authentication, SQL Server Authentication, Active Directory - Password, and Active Directory - Integrated are all supported.
For MFA support, please use Connect-DbaInstance.
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value |
The database(s) to process - this list is auto-populated from the server. If unspecified, all databases will be processed.
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value |
The database(s) to exclude - this list is auto-populated from the server
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value |
Allows you to suppress output on system databases
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value | False |
Allows you to include output for public and guest grants.
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value | False |
Allows you to include output on sys schema objects.
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value | False |
Allows you to exclude object-level permissions from the output, and only return role permission(s).
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value | False |
By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this "nice by default" feature off and enables you to catch exceptions with your own try/catch.
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value | False |