6 changes: 6 additions & 0 deletions CHANGELOG.md
Expand Up @@ -21,6 +21,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

### Changed

- `SqlPermission`
- Refactored to use the new object-based server permission commands
(`Grant-SqlDscServerPermission`, `Deny-SqlDscServerPermission`,
`Revoke-SqlDscServerPermission`, and `Get-SqlDscServerPermission`)
instead of the deprecated `Set-SqlDscServerPermission` command
([issue #2159](https://github.com/dsccommunity/SqlServerDsc/issues/2159)).
- Updated comment-based help `.INPUTS` and `.OUTPUTS` sections across all public
commands and private functions to comply with DSC community style guidelines
([issue #2103](https://github.com/dsccommunity/SqlServerDsc/issues/2103)).
118 changes: 81 additions & 37 deletions source/Classes/020.SqlPermission.ps1
Expand Up @@ -353,15 +353,16 @@ class SqlPermission : SqlResourceBase
{
$serverObject = $this.GetServerObject()

$testSqlDscIsLoginParameters = @{
$testSqlDscIsPrincipalParameters = @{
ServerObject = $serverObject
Name = $this.Name
}

# This will test wether the principal exist.
$isLogin = Test-SqlDscIsLogin @testSqlDscIsLoginParameters
# This will test whether the principal exist.
$isLogin = Test-SqlDscIsLogin @testSqlDscIsPrincipalParameters
$isRole = Test-SqlDscIsRole @testSqlDscIsPrincipalParameters

if (-not $isLogin)
if (-not $isLogin -and -not $isRole)
{
$missingPrincipalMessage = $this.localizedData.NameIsMissing -f @(
$this.Name,
Expand All @@ -371,6 +372,32 @@ class SqlPermission : SqlResourceBase
New-InvalidOperationException -Message $missingPrincipalMessage
}

# Get the principal object (Login or ServerRole)
$principalObject = $null

if ($isLogin)
{
$principalObject = $serverObject | Get-SqlDscLogin -Name $this.Name -ErrorAction 'Stop'
}
else
{
$principalObject = $serverObject | Get-SqlDscRole -Name $this.Name -ErrorAction 'Stop'
}

# Create splatting parameter for principal to avoid repeated if/else blocks
$principalParameter = if ($isLogin)
{
@{
Login = $principalObject
}
}
else
{
@{
ServerRole = $principalObject
}
}

# This holds each state and their permissions to be revoked.
[ServerPermission[]] $permissionsToRevoke = @()
[ServerPermission[]] $permissionsToGrantOrDeny = @()
Expand Down Expand Up @@ -455,32 +482,34 @@ class SqlPermission : SqlResourceBase
#>
foreach ($currentStateToRevoke in $permissionsToRevoke)
{
$revokePermissionSet = $currentStateToRevoke | ConvertFrom-SqlDscServerPermission

$setSqlDscServerPermissionParameters = @{
ServerObject = $serverObject
Name = $this.Name
Permission = $revokePermissionSet
State = 'Revoke'
Force = $true
}
# Convert ServerPermission to array of SqlServerPermission enum values
$permissionsToRevokeArray = $currentStateToRevoke.Permission

if ($currentStateToRevoke.State -eq 'GrantWithGrant')
# Only revoke if there are permissions to revoke
if ($permissionsToRevokeArray.Count -gt 0)
{
$setSqlDscServerPermissionParameters.WithGrant = $true
}
$revokeSqlDscServerPermissionParameters = @{
Permission = $permissionsToRevokeArray
Force = $true
}

try
{
Set-SqlDscServerPermission @setSqlDscServerPermissionParameters
}
catch
{
$errorMessage = $this.localizedData.FailedToRevokePermissionFromCurrentState -f @(
$this.Name
)
if ($currentStateToRevoke.State -eq 'GrantWithGrant')
{
$revokeSqlDscServerPermissionParameters.WithGrant = $true
}

try
{
Revoke-SqlDscServerPermission @principalParameter @revokeSqlDscServerPermissionParameters
}
catch
{
$errorMessage = $this.localizedData.FailedToRevokePermissionFromCurrentState -f @(
$this.Name
)

New-InvalidOperationException -Message $errorMessage -ErrorRecord $_
New-InvalidOperationException -Message $errorMessage -ErrorRecord $_
}
}
}
}
Expand All @@ -496,27 +525,42 @@ class SqlPermission : SqlResourceBase
# If there is not an empty array, change permissions.
if (-not [System.String]::IsNullOrEmpty($currentDesiredPermissionState.Permission))
{
$permissionSet = $currentDesiredPermissionState | ConvertFrom-SqlDscServerPermission

$setSqlDscServerPermissionParameters = @{
ServerObject = $serverObject
Name = $this.Name
Permission = $permissionSet
Force = $true
}
# Convert ServerPermission to array of SqlServerPermission enum values
$permissionsArray = $currentDesiredPermissionState.Permission

try
{
switch ($currentDesiredPermissionState.State)
{
'Grant'
{
$grantParameters = @{
Permission = $permissionsArray
Force = $true
}

Grant-SqlDscServerPermission @principalParameter @grantParameters
}

'GrantWithGrant'
{
Set-SqlDscServerPermission @setSqlDscServerPermissionParameters -State 'Grant' -WithGrant
$grantParameters = @{
Permission = $permissionsArray
WithGrant = $true
Force = $true
}

Grant-SqlDscServerPermission @principalParameter @grantParameters
}

default
'Deny'
{
Set-SqlDscServerPermission @setSqlDscServerPermissionParameters -State $currentDesiredPermissionState.State
$denyParameters = @{
Permission = $permissionsArray
Force = $true
}

Deny-SqlDscServerPermission @principalParameter @denyParameters
}
}
}
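Review bot: The comment `# Convert ServerPermission to array of SqlServerPermission enum values` above `$permissionsToRevokeArray = $currentStateToRevoke.Permission` (and the identical comment above `$permissionsArray` in the Grant/Deny hunk) describes a conversion the new code no longer performs; now that the `ConvertFrom-SqlDscServerPermission` call is gone this is a plain property read, so the comment should say what the value is for instead, e.g. `# Permissions of this state, passed as-is to the *-SqlDscServerPermission commands`. The `switch` in the last hunk also replaced the old `default` branch with an explicit `'Deny'` case, so any `State` value other than the three listed would now be skipped silently instead of being applied or rejected; unless `State` is constrained elsewhere, a `default { New-InvalidOperationException -Message "<placeholder: unknown permission state message>" }` branch would make such a case visible rather than leaving a permission unapplied. The two empty-set guards are inconsistent as well: the revoke path tests `$permissionsToRevokeArray.Count -gt 0` while the grant/deny path keeps `[System.String]::IsNullOrEmpty($currentDesiredPermissionState.Permission)`, and using the `.Count -gt 0` form in both places would state the intent for an array directly. The enclosing method begins before the first hunk and ends after the last one shown.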
2 changes: 1 addition & 1 deletion source/en-US/SqlPermission.strings.psd1
Expand Up @@ -12,7 +12,7 @@ ConvertFrom-StringData @'
EvaluateServerPermissionForPrincipal = Evaluate the current permissions for the principal '{0}' on the instance '{1}'. (SP0001)
DesiredPermissionAreAbsent = The desired permission '{0}' that shall be present are absent. (SP0002)
DesiredAbsentPermissionArePresent = The desired permission '{0}' that shall be absent are present. (SP0003)
NameIsMissing = The name '{0}' is not a login on the instance '{1}'. (SP0004)
NameIsMissing = The name '{0}' is not a login or server role on the instance '{1}'. (SP0004)
FailedToRevokePermissionFromCurrentState = Failed to revoke the permissions from the current state for the user '{0}'. (SP0005)
FailedToSetPermission = Failed to set the desired permissions for the user '{0}'. (SP0006)
DuplicatePermissionState = One or more permission states was added more than once. It is only allowed to specify one of each permission state. (SP0007)