Permissions

The permissions page in Redgate Monitor Enterprise allows DBAs to view user access rights in their database environments. It displays comprehensive information about each user's access privileges and allows DBAs to easily identify users with access to sensitive information.

Permissions are only available for SQL Server instances and databases.


Permission changes tab:

This tab will display permission changes that are made on all servers and databases for a selected date range. The permission changes that Redgate Monitor detects and doesn't detect are detailed below.

Redgate Monitor detects the following changes:

  • Creating a security principal (CREATE)
  • Adding a member to a Role (ADD MEMBER)
  • Adding/Changing permissions on security principals (GRANT/DENY)
  • Removing permissions on security principals (REVOKE)

What we don't show:

  • Deleting a security principal (DROP)
  • Removing security principals from a Role (DROP MEMBER)
  • Changes to Login-Database User mapping
  • Indirect permission changes

    E.g.: A permission change on a role will not reflect the change that is implied on a User in that role.

  • Permissions changes that occur when an entity is created or deleted.
  • AD User/Group created as a login
  • AD Group membership changes (which are mapped to a login)
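One way to record the DROP and DROP MEMBER events that the list above says are not shown is a native SQL Server Audit. This is an added example, not part of Redgate Monitor or its documentation; the audit names and the file path are hypothetical placeholders. It does not capture indirect permission changes or Active Directory group membership changes, which happen outside SQL Server statements.

```sql
-- Added example: audit names and D:\SqlAudit\ are hypothetical; adjust to your environment.
USE master;
GO

-- 1. Audit target: rolling files on local disk.
CREATE SERVER AUDIT [PermissionGapAudit]
TO FILE (FILEPATH = N'D:\SqlAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 8)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO

-- 2. Action groups covering principal create/alter/drop and role
--    membership add/drop, at both server and database level.
CREATE SERVER AUDIT SPECIFICATION [PermissionGapAuditSpec]
FOR SERVER AUDIT [PermissionGapAudit]
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (DATABASE_PRINCIPAL_CHANGE_GROUP),
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP)
WITH (STATE = ON);
GO

ALTER SERVER AUDIT [PermissionGapAudit] WITH (STATE = ON);
GO

-- 3. Review removals only. 'DR' = DROP, 'DPRL' = DROP MEMBER
--    (the full code list is in sys.dm_audit_actions).
SELECT
    event_time,                        -- UTC time the statement ran
    action_id,
    succeeded,
    server_principal_name,             -- who made the change
    database_name,
    object_name,                       -- role or principal acted on
    target_server_principal_name,      -- login removed from a server role
    target_database_principal_name,    -- user removed from a database role
    statement
FROM sys.fn_get_audit_file(N'D:\SqlAudit\PermissionGapAudit*.sqlaudit', DEFAULT, DEFAULT)
WHERE action_id IN ('DR', 'DPRL')
ORDER BY event_time DESC;
```

Unlike the "Change detected" column, event_time here is the time the statement executed, and server_principal_name identifies the caller even for role membership changes.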


Below is a definition for each column on the Permission changes grid.

  • Change detected: The date and time that Redgate Monitor detected the change. This is not the time that the change happened, but the time it was detected.
  • Server: The server name
  • Database: The database name, will be '-' if the permission changed is a server-level permission.
  • Object name: The object name, will be '-' if the permission is not related to a single object.
  • Security principal: The server or database security principal that is impacted by the permission change.
  • Security principal type: The type of the security principal, possible values are Login, Server role, Database user, Database role and Application role.
  • Permission change: A description of the permission change.
  • Changed by: The user that made the change. Can be unknown if, for example:
    • Adding Member to a Role.
    • Creating a security principal.



Servers tab:

In this tab, you can find vital information about the common permissions that have been assigned to each of your servers. This includes detailed tracking of the number of groups and users for which the "sysadmins," "serveradmins," and "securityadmins" permissions are enabled.

In this tab, you will be able to view a comprehensive table that provides the following information for each server:

  • Server: A clear and concise identification of the server.
  • Group: The name of the group that the server is associated with.
  • Tags: A list of current tags for the server.
  • sysadmins: The number of groups and users with "sysadmins" permissions enabled for that server.
  • serveradmins: The number of groups and users with "serveradmins" permissions enabled for that server.
  • securityadmins: The number of groups and users with "securityadmins" permissions enabled for that server.
  • Total: The number of groups and users with any permissions enabled for that server.
  • Collection date: The date and time when the information was last gathered and updated in the table.





For the purpose of clarity and ease of access, every record in this table is interactive. By clicking on a specific server, you will be redirected to a more detailed page that provides comprehensive information about that server's permissions. This includes:

  1. Server roles tab: A list of all server roles and the associated groups and users. By clicking on any User link you will be redirected to that user details page.
  2. Users tab: A list of all users, along with their associated roles and the date they were created. By clicking on any User link you will be redirected to that user details page.
  3. Databases tab: A list of all databases, including their availability, the owner, and the total number of users. By clicking on any Database link you will be redirected to that database details page.



Databases tab:

In this tab, you can access crucial details about the typical permissions assigned to each of your databases. Here, you'll find comprehensive tracking of user counts, the creation date of each database, and their current status. This information can help you manage and optimize your databases effectively. In this tab, you will be able to view a comprehensive table that provides the following information for each database:

  • Database: A clear and concise identification of the database.
  • Server: A clear and concise identification of the containing server.
  • Group: The name of the group that the server is associated with.
  • Tags: A list of current tags for the server.
  • Status: The State of the database.
  • Owner: The Owner of the database.
  • Total users: The number of users for the database.
  • Date created: Creation date of the database.
  • Latest sample date: The date and time when the information was last gathered and updated in the table.




For the purpose of clarity and ease of access, every record in this table is interactive. By clicking on a specific database, you will be redirected to a more detailed page that provides comprehensive information about that database's permissions. This includes:

  1. Database users tab: A list of all database users and the associated roles and Active Directory (AD) account.
  2. Roles tab: A list of all fixed and custom roles in the database.
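Because a permission change on a role is not reflected on the users in that role, it helps to expand role membership yourself when reviewing a database. The query below is an added example, not Redgate Monitor's own code; it lists every permission a database user inherits through direct or nested role membership, using only SQL Server catalog views.

```sql
-- Added example: run in the database under review.
-- Not covered: the implicit rights of fixed roles such as db_owner (they are
-- not stored in sys.database_permissions) and the public role (its membership
-- is not stored in sys.database_role_members).
WITH role_tree AS (
    -- Anchor: every user-type principal, starting at itself.
    SELECT p.principal_id AS member_id,
           p.principal_id AS via_id,
           0              AS role_hops
    FROM sys.database_principals AS p
    WHERE p.type IN ('S', 'U', 'G', 'E', 'X')   -- SQL, Windows and external users/groups
    UNION ALL
    -- Recurse: walk up one level of role membership per step.
    SELECT t.member_id,
           rm.role_principal_id,
           t.role_hops + 1
    FROM role_tree AS t
    JOIN sys.database_role_members AS rm
      ON rm.member_principal_id = t.via_id
)
SELECT
    m.name             AS database_user,
    r.name             AS inherited_from_role,
    t.role_hops,                                  -- 1 = direct member, >1 = nested
    dp.state_desc,                                -- GRANT, DENY, GRANT_WITH_GRANT_OPTION
    dp.permission_name,
    dp.class_desc,
    CASE dp.class
        WHEN 0 THEN DB_NAME()
        WHEN 1 THEN OBJECT_SCHEMA_NAME(dp.major_id) + N'.' + OBJECT_NAME(dp.major_id)
        WHEN 3 THEN SCHEMA_NAME(dp.major_id)
        ELSE CAST(dp.major_id AS nvarchar(20))
    END                AS securable
FROM role_tree AS t
JOIN sys.database_principals  AS m  ON m.principal_id = t.member_id
JOIN sys.database_principals  AS r  ON r.principal_id = t.via_id
JOIN sys.database_permissions AS dp ON dp.grantee_principal_id = t.via_id
WHERE t.role_hops > 0                             -- inherited permissions only
ORDER BY database_user, t.role_hops, inherited_from_role, dp.permission_name;
```

Saving the result set on a schedule and comparing it with the previous run shows which users were affected by a GRANT, DENY or REVOKE made on a role.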




Users tab:

In this tab, you can find vital information about the common permissions that have been assigned to each user. This includes detailed tracking of the number of Server roles (“sysadmins”, “serveradmins”, “securityadmins”) and Database roles (“db_owner”, “db_accessadmin”, “db-securityadmin”). In this tab, you will be able to view a comprehensive table that provides the following information for each user:

  • User: A clear and concise identification of the user.
  • (Server roles) sysadmins: The number of servers on which this user has the "sysadmins" role.
  • (Server roles) serveradmins: The number of servers on which this user has the "serveradmins" role.
  • (Server roles) securityadmins: The number of servers on which this user has the "securityadmins" role.
  • Total servers: The number of servers with any permissions enabled for the user.
  • (Database roles) db_owner: The number of servers on which this user has the "db_owner" role.
  • (Database roles) db_accessadmin: The number of servers on which this user has the "db_accessadmin" role.
  • (Database roles) db-securityadmin: The number of servers on which this user has the "db-securityadmin" role.
  • Total databases: The number of databases with any permissions enabled for the user.




For the purpose of clarity and ease of access, every record in this table is interactive. By clicking on a specific user, you will be redirected to a more detailed page that provides comprehensive information about that user's permissions. This includes:

  1. Server roles tab: A list of all servers that this user has a role in.
  2. Database roles tab: A list of all databases that this user has a role in.




By providing this level of detail, we aim to help you better understand and manage server permissions, ensuring a secure and efficiently managed system.

