SqlPermission: Refactor to use new server permission commands (#2360)

johlju · web-flow · commit 003706498e8e · 2025-12-06T14:28:52.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -21,6 +21,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Changed
 
+- `SqlPermission`
+  - Refactored to use the new object-based server permission commands
+    (`Grant-SqlDscServerPermission`, `Deny-SqlDscServerPermission`,
+    `Revoke-SqlDscServerPermission`, and `Get-SqlDscServerPermission`)
+    instead of the deprecated `Set-SqlDscServerPermission` command
+    ([issue #2159](https://github.com/dsccommunity/SqlServerDsc/issues/2159)).
 - Updated comment-based help `.INPUTS` and `.OUTPUTS` sections across all public
   commands and private functions to comply with DSC community style guidelines
   ([issue #2103](https://github.com/dsccommunity/SqlServerDsc/issues/2103)).
diff --git a/source/Classes/020.SqlPermission.ps1 b/source/Classes/020.SqlPermission.ps1
@@ -353,15 +353,16 @@ class SqlPermission : SqlResourceBase
     {
         $serverObject = $this.GetServerObject()
 
-        $testSqlDscIsLoginParameters = @{
+        $testSqlDscIsPrincipalParameters = @{
             ServerObject = $serverObject
             Name         = $this.Name
         }
 
-        # This will test wether the principal exist.
-        $isLogin = Test-SqlDscIsLogin @testSqlDscIsLoginParameters
+        # This will test whether the principal exist.
+        $isLogin = Test-SqlDscIsLogin @testSqlDscIsPrincipalParameters
+        $isRole = Test-SqlDscIsRole @testSqlDscIsPrincipalParameters
 
-        if (-not $isLogin)
+        if (-not $isLogin -and -not $isRole)
         {
             $missingPrincipalMessage = $this.localizedData.NameIsMissing -f @(
                 $this.Name,
@@ -371,6 +372,32 @@ class SqlPermission : SqlResourceBase
             New-InvalidOperationException -Message $missingPrincipalMessage
         }
 
+        # Get the principal object (Login or ServerRole)
+        $principalObject = $null
+
+        if ($isLogin)
+        {
+            $principalObject = $serverObject | Get-SqlDscLogin -Name $this.Name -ErrorAction 'Stop'
+        }
+        else
+        {
+            $principalObject = $serverObject | Get-SqlDscRole -Name $this.Name -ErrorAction 'Stop'
+        }
+
+        # Create splatting parameter for principal to avoid repeated if/else blocks
+        $principalParameter = if ($isLogin)
+        {
+            @{
+                Login = $principalObject
+            }
+        }
+        else
+        {
+            @{
+                ServerRole = $principalObject
+            }
+        }
+
         # This holds each state and their permissions to be revoked.
         [ServerPermission[]] $permissionsToRevoke = @()
         [ServerPermission[]] $permissionsToGrantOrDeny = @()
@@ -455,32 +482,34 @@ class SqlPermission : SqlResourceBase
             #>
             foreach ($currentStateToRevoke in $permissionsToRevoke)
             {
-                $revokePermissionSet = $currentStateToRevoke | ConvertFrom-SqlDscServerPermission
-
-                $setSqlDscServerPermissionParameters = @{
-                    ServerObject = $serverObject
-                    Name         = $this.Name
-                    Permission   = $revokePermissionSet
-                    State        = 'Revoke'
-                    Force        = $true
-                }
+                # Convert ServerPermission to array of SqlServerPermission enum values
+                $permissionsToRevokeArray = $currentStateToRevoke.Permission
 
-                if ($currentStateToRevoke.State -eq 'GrantWithGrant')
+                # Only revoke if there are permissions to revoke
+                if ($permissionsToRevokeArray.Count -gt 0)
                 {
-                    $setSqlDscServerPermissionParameters.WithGrant = $true
-                }
+                    $revokeSqlDscServerPermissionParameters = @{
+                        Permission = $permissionsToRevokeArray
+                        Force      = $true
+                    }
 
-                try
-                {
-                    Set-SqlDscServerPermission @setSqlDscServerPermissionParameters
-                }
-                catch
-                {
-                    $errorMessage = $this.localizedData.FailedToRevokePermissionFromCurrentState -f @(
-                        $this.Name
-                    )
+                    if ($currentStateToRevoke.State -eq 'GrantWithGrant')
+                    {
+                        $revokeSqlDscServerPermissionParameters.WithGrant = $true
+                    }
+
+                    try
+                    {
+                        Revoke-SqlDscServerPermission @principalParameter @revokeSqlDscServerPermissionParameters
+                    }
+                    catch
+                    {
+                        $errorMessage = $this.localizedData.FailedToRevokePermissionFromCurrentState -f @(
+                            $this.Name
+                        )
 
-                    New-InvalidOperationException -Message $errorMessage -ErrorRecord $_
+                        New-InvalidOperationException -Message $errorMessage -ErrorRecord $_
+                    }
                 }
             }
         }
@@ -496,27 +525,42 @@ class SqlPermission : SqlResourceBase
                 # If there is not an empty array, change permissions.
                 if (-not [System.String]::IsNullOrEmpty($currentDesiredPermissionState.Permission))
                 {
-                    $permissionSet = $currentDesiredPermissionState | ConvertFrom-SqlDscServerPermission
-
-                    $setSqlDscServerPermissionParameters = @{
-                        ServerObject = $serverObject
-                        Name         = $this.Name
-                        Permission   = $permissionSet
-                        Force        = $true
-                    }
+                    # Convert ServerPermission to array of SqlServerPermission enum values
+                    $permissionsArray = $currentDesiredPermissionState.Permission
 
                     try
                     {
                         switch ($currentDesiredPermissionState.State)
                         {
+                            'Grant'
+                            {
+                                $grantParameters = @{
+                                    Permission = $permissionsArray
+                                    Force      = $true
+                                }
+
+                                Grant-SqlDscServerPermission @principalParameter @grantParameters
+                            }
+
                             'GrantWithGrant'
                             {
-                                Set-SqlDscServerPermission @setSqlDscServerPermissionParameters -State 'Grant' -WithGrant
+                                $grantParameters = @{
+                                    Permission = $permissionsArray
+                                    WithGrant  = $true
+                                    Force      = $true
+                                }
+
+                                Grant-SqlDscServerPermission @principalParameter @grantParameters
                             }
 
-                            default
+                            'Deny'
                             {
-                                Set-SqlDscServerPermission @setSqlDscServerPermissionParameters -State $currentDesiredPermissionState.State
+                                $denyParameters = @{
+                                    Permission = $permissionsArray
+                                    Force      = $true
+                                }
+
+                                Deny-SqlDscServerPermission @principalParameter @denyParameters
                             }
                         }
                     }
diff --git a/source/en-US/SqlPermission.strings.psd1 b/source/en-US/SqlPermission.strings.psd1
@@ -12,7 +12,7 @@ ConvertFrom-StringData @'
     EvaluateServerPermissionForPrincipal = Evaluate the current permissions for the principal '{0}' on the instance '{1}'. (SP0001)
     DesiredPermissionAreAbsent = The desired permission '{0}' that shall be present are absent. (SP0002)
     DesiredAbsentPermissionArePresent = The desired permission '{0}' that shall be absent are present. (SP0003)
-    NameIsMissing = The name '{0}' is not a login on the instance '{1}'. (SP0004)
+    NameIsMissing = The name '{0}' is not a login or server role on the instance '{1}'. (SP0004)
     FailedToRevokePermissionFromCurrentState = Failed to revoke the permissions from the current state for the user '{0}'. (SP0005)
     FailedToSetPermission = Failed to set the desired permissions for the user '{0}'. (SP0006)
     DuplicatePermissionState = One or more permission states was added more than once. It is only allowed to specify one of each permission state. (SP0007)
diff --git a/tests/Unit/Classes/SqlPermission.Tests.ps1 b/tests/Unit/Classes/SqlPermission.Tests.ps1
