Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Parse JSON scan results file from a SQL Vulnerability Assessment Tool into a relational structure
DECLARE @j NVARCHAR(MAX)
SELECT @j = BulkColumn
FROM OPENROWSET (
BULK 'C:\Temp\vat_example_results_file.json'
, SINGLE_NCLOB) FileName
IF ISJSON(@j) = 1
PRINT N'Imported JSON is valid'
ELSE
BEGIN
RAISERROR(N'Imported JSON is invalid!', 16,1);
GOTO Quit
END
SELECT b.[key] AS RuleId
, JSON_VALUE(b.[value], '$.Severity') AS [Severity]
, JSON_VALUE(b.[value], '$.Category') AS [Category]
, JSON_VALUE(b.[value], '$.RuleType') AS [RuleType]
, JSON_VALUE(b.[value], '$.Title') AS [Title]
, JSON_VALUE(b.[value], '$.Description') AS [Description]
, JSON_VALUE(b.[value], '$.Rationale') AS [Rationale]
, ISNULL(JSON_VALUE(b.[value], '$.QueryCheck.Query'), qc.[value]) AS [Query]
, JSON_QUERY(b.[value], '$.QueryCheck.ColumnNames') AS [ColumnNames]
, JSON_VALUE(r.[value], '$.Remediation.Description') AS [RemediationDescription], JSON_VALUE(r.[value], '$.Remediation.Script') AS [RemediationScript]
--, JSON_QUERY(b.[value], '$.QueryCheck') AS [QueryChecks_Raw]
--, JSON_QUERY(r.[value], '$.Remediation') AS [Remediation_Raw]
--, JSON_VALUE(r.[value], '$.Status') AS [FindingStatus]
--, JSON_QUERY(r.[value], '$.QueryResults') AS [FindingQueryResults]
FROM OPENJSON(@j, '$.Scans') AS a
CROSS APPLY OPENJSON(a.[value], '$.Rules') AS b
CROSS APPLY OPENJSON(a.[value], '$.Results') AS r
OUTER APPLY (SELECT [value] FROM OPENJSON(b.[value], '$.QueryCheck') WHERE [key] = 'Query') AS qc
WHERE b.[key] = JSON_VALUE(r.[value], '$.RuleId')
Quit:
{
"Format": "VANative",
"Version": "1.0",
"Scans": [
{
"Id": "2019-07-21T12-37-37",
"Tool": {
"Name": "<Unknown>",
"Version": "x.x.xxx"
},
"ScanType": "BoxDatabase",
"ScanTriggerType": "OnDemand",
"Server": "DESKTOP-LOCAL",
"Database": "ReportServer",
"Platform": "SqlServer2016",
"SqlVersion": "13.0.5153",
"StartTime": "2019-07-21T09:37:37.8745308Z",
"Results": [
{
"RuleId": "VA1020",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Remove the special principal GUEST from all roles.",
"Script": "ALTER ROLE [$0] DROP MEMBER GUEST",
"Automated": true,
"PortalLink": ""
}
},
{
"RuleId": "VA1042",
"Status": "NonFinding",
"QueryResults": [
[
"0",
"ReportServer"
]
],
"Remediation": {
"Description": "Disable DB_CHANING option for this database",
"Script": "ALTER DATABASE [$1] SET DB_CHAINING OFF",
"Automated": true,
"PortalLink": ""
}
},
{
"RuleId": "VA1043",
"Status": "NonFinding",
"QueryResults": [
[
"0"
]
],
"Remediation": {
"Description": "Remove all permissions granted to GUEST, especially the connect permission. The easiest way to perform such action is by using DROP USER [guest] syntax",
"Script": "DROP USER [guest]",
"Automated": true,
"PortalLink": ""
}
},
{
"RuleId": "VA1044",
"Status": "NonFinding",
"QueryResults": [
[
"0"
]
],
"Remediation": {
"Description": "Disable remote dedicated admin connections.",
"Script": "EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE;\r\nEXECUTE sp_configure 'remote admin connections', 0; RECONFIGURE;\r\nEXECUTE sp_configure 'show advanced options', 0; RECONFIGURE;",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1051",
"Status": "NonFinding",
"QueryResults": [
[
"0",
"ReportServer"
]
],
"Remediation": {
"Description": "Disable the AUTO_CLOSE option on the affected databases.",
"Script": "ALTER DATABASE [$1] SET AUTO_CLOSE OFF",
"Automated": true,
"PortalLink": ""
}
},
{
"RuleId": "VA1054",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Revoke unnecessary permissions granted to PUBLIC",
"Script": "REVOKE $0 ON [$1].[$2] FROM PUBLIC",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1069",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Revoke unnecessary permissions to system tables",
"Script": "REVOKE SELECT ON OBJECT::[$0].[$1] FROM [$2]",
"Automated": true,
"PortalLink": ""
}
},
{
"RuleId": "VA1070",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "You must rename the affected users or logins to avoid the confusion, updating all affected applications as well.",
"Script": "",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1094",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Revoke permissions granted to users directly. Instead use Windows groups or server roles to grant permissions, and manage role memberships instead.",
"Script": "REVOKE $0 ON $1::[$2] FROM [$3]",
"Automated": true,
"PortalLink": ""
}
},
{
"RuleId": "VA1095",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Revoke any unnecessary permissions granted to PUBLIC, but avoid changing permissions granted out of the box.",
"Script": "REVOKE $2 ON $0::[$1] FROM PUBLIC",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1096",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Revoke any unnecessary permissions granted to the special account GUEST",
"Script": "REVOKE $0 FROM GUEST",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1097",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Revoke any unnecessary permissions granted to the special account GUEST",
"Script": "REVOKE $2 ON [$0].[$1] FROM GUEST",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1099",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Revoke any unnecessary permissions granted to the special account GUEST",
"Script": "REVOKE $2 ON $0::[$1] FROM GUEST",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1253",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Review the list of events and make sure they match your needs. For more details visit https://msdn.microsoft.com/en-us/library/cc280386.aspx.",
"Script": "",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1265",
"Status": "NonFinding",
"QueryResults": [
[
"0"
]
],
"Remediation": {
"Description": "Create and enable a new SERVER AUDIT SPECIFICATION that will audit FAILED_LOGIN_GROUP & SUCCESSFUL_LOGIN_GROUP events. This SERVER AUDIT SPECIFICATION must target a valid SERVER AUDIT object that is enabled.",
"Script": "CREATE DATABASE AUDIT SPECIFICATION [DbAuditSpec_db_logon_information_failed_succeessful]\r\n FOR SERVER AUDIT [<REPLACE WITH VALID AUDIT SPECIFICATION NAME>]\r\nADD (FAILED_DATABASE_AUTHENTICATION_GROUP),\r\nADD (SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP)\r\nWITH (STATE = ON)",
"Automated": true,
"PortalLink": ""
}
},
{
"RuleId": "VA1267",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Remove all contained users with password.\r\nAll affected applications will have to switch to Windows authentication, or create logins with password policy enforcement in order to connect to the DB.",
"Script": "DROP USER [$0];",
"Automated": true,
"PortalLink": ""
}
},
{
"RuleId": "VA1143",
"Status": "NonFinding",
"QueryResults": [
[
"0"
]
],
"Remediation": {
"Description": "Create users with low privileges to access the DB and any data stored in it with the appropriate set of permissions.",
"Script": "",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1223",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Create new certificates, re-encrypt the data/sign-data using the new key, and drop the affected keys.",
"Script": "",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1244",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Drop the orphaned users or remap them to a different login.",
"Script": "DROP USER [$0]",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1246",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Remove the application roles. Use users without login as a permission-based replacement",
"Script": "DROP APPLICATION ROLE [$0]",
"Automated": true,
"PortalLink": ""
}
},
{
"RuleId": "VA1248",
"Status": "Finding",
"QueryResults": [
[
"db_owner",
"RSExecRole"
]
],
"Remediation": {
"Description": "Remove user defined roles from fixed-database roles",
"Script": "ALTER ROLE [$0] DROP MEMBER [$1]",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1102",
"Status": "NonFinding",
"QueryResults": [
[
"0",
"ReportServer"
]
],
"Remediation": {
"Description": "Disable the trustworthy bit (TWbit) from all affected databases.\r\nIf you need to use functionality that is controlled by the TWbit, it is recommended to use digital signatures to enable the functionality instead of enabling the TWbit on the database.",
"Script": "ALTER DATABASE [$1] SET TRUSTWORTHY OFF",
"Automated": true,
"PortalLink": ""
}
},
{
"RuleId": "VA1277",
"Status": "NonFinding",
"QueryResults": [
[
"0"
]
],
"Remediation": {
"Description": "Enable polybase network encryption (default)",
"Script": "EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE;\r\nEXECUTE sp_configure 'ad hoc distributed queries', 1; RECONFIGURE;\r\nEXECUTE sp_configure 'show advanced options', 0; RECONFIGURE;",
"Automated": true,
"PortalLink": ""
}
},
{
"RuleId": "VA1256",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Drop assemblies from the affected databases",
"Script": "DROP ASSEMBLY [$0]",
"Automated": true,
"PortalLink": ""
}
},
{
"RuleId": "VA1245",
"Status": "NonFinding",
"QueryResults": [
[
"0"
]
],
"Remediation": {
"Description": "Use ALTER AUTHORIZATION DDL to specify the user that should be the dbo for the database",
"Script": "",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1098",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Change the affected endpoints to accept only AES connections",
"Script": "ALTER ENDPOINT [$0] FOR $1 ( ENCRYPTION = REQUIRED ALGORITHM AES )",
"Automated": true,
"PortalLink": ""
}
},
{
"RuleId": "VA1219",
"Status": "Finding",
"QueryResults": [
[
"1"
]
],
"Remediation": {
"Description": "Enable TDE on the affected database. Please follow the instructions on https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption",
"Script": "",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1221",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Regenerate the DEK using AES",
"Script": "",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1222",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Create AES keys, re-encrypt the data using the new key, and drop the affected keys.",
"Script": "",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1224",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Create new asymmetric Keys, re-encrypt the data/sign-data using the new key, and drop the affected keys.",
"Script": "DROP ASYMMETRIC KEY [$0]",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1281",
"Status": "Finding",
"QueryResults": [
[
"RSExecRole",
"NT SERVICE\\ReportServer"
],
[
"RSExecRole",
"NT AUTHORITY\\SYSTEM"
],
[
"RSExecRole",
"NT AUTHORITY\\NETWORK SERVICE"
]
],
"Remediation": {
"Description": "Keep track of role membership and remove unnecessary members from roles to avoid granting excessive permissions or update baseline to comply with new changes",
"Script": "ALTER ROLE [$0] DROP MEMBER [$1]",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1282",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Drop the unnecessary roles.",
"Script": "DROP ROLE [$0]",
"Automated": true,
"PortalLink": ""
}
},
{
"RuleId": "VA1287",
"Status": "Finding",
"QueryResults": [
[
"dbo",
"CachePolicy",
"CacheExpiration",
"Credit Card",
"Confidential"
],
[
"dbo",
"CachePolicy",
"ExpirationFlags",
"Credit Card",
"Confidential"
],
[
"dbo",
"DataSource",
"Password",
"Credentials",
"Confidential"
],
[
"dbo",
"DataSource",
"UserName",
"Credentials",
"Confidential"
],
[
"dbo",
"ExecutionLogStorage",
"UserName",
"Credentials",
"Confidential"
],
[
"dbo",
"ServerParametersInstance",
"Expiration",
"Credit Card",
"Confidential"
],
[
"dbo",
"SnapshotData",
"ExpirationDate",
"Credit Card",
"Confidential"
],
[
"dbo",
"Users",
"UserName",
"Credentials",
"Confidential"
]
],
"Remediation": {
"Description": "Review the identified list of potentially sensitive columns and apply classifications where relevant via the Classify Data task of the database.\r\n\r\nIf none of the identified columns actually represent sensitive elements in your database, you can set them as your approved baseline to acknowledge their status and to prevent them from being identified again. \r\n\r\nIn addition, apply column-level data protection security measures where appropriate: Always Encrypted -- keeps sensitive data columns encrypted on the server side ('https://go.microsoft.com/fwlink/?linkid=862688') or Dynamic Data Masking -- limits sensitive data exposure by dynamically masking it to non-privileged users when data is returned from the server to the client ('https://go.microsoft.com/fwlink/?linkid=524331'). You can also use Row Level Security to restrict access to data rows by creating a security policy based on characteristics of the user executing a query ('https://go.microsoft.com/fwlink/?linkid=862687').",
"Script": "",
"Automated": false,
"PortalLink": "ClassifyData"
}
},
{
"RuleId": "VA1286",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Revoke permissions granted to users directly. Instead use Windows groups or server roles to grant permissions, and manage role memberships instead.",
"Script": "REVOKE $0 ON [$1].[$2] FROM [$3]",
"Automated": true,
"PortalLink": ""
}
},
{
"RuleId": "VA2000",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Revoke permissions from principals where not needed. It is recommended to have at most 1 principal granted a specific permission.",
"Script": "REVOKE $1 FROM [$3]",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA2001",
"Status": "Finding",
"QueryResults": [
[
"OBJECT_OR_COLUMN",
"dbo",
"ExtendedDataSets",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DBUpgradeHistory",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ExecutionLog3",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DataSets",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ExecutionLog",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ServerUpgradeHistory",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Keys",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"History",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SubscriptionResults",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ConfigurationInfo",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Favorites",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Catalog",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SubscriptionsBeingDeleted",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ModelDrill",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Segment",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ExtendedCatalog",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ExtendedDataSources",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ChunkSegmentMapping",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ModelPerspective",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"CachePolicy",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SegmentedChunk",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Users",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ExecutionLogStorage",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DataSource",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Policies",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ExecutionLog2",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SecData",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Roles",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"PolicyUserRole",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Event",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Subscriptions",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ActiveSubscriptions",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SnapshotData",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ChunkData",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Notifications",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Batch",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Schedule",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ReportSchedule",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"RunningJobs",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
]
],
"Remediation": {
"Description": "Revoke permissions from principals where not needed. It is recommended to have at most 1 principal granted a specific permission.",
"Script": "REVOKE $3 ON [$1].[$2] FROM [$5]",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA2002",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Revoke permissions from principals where not needed. It is recommended to have at most 1 principal granted a specific permission.",
"Script": "REVOKE $2 ON $0::[$1] FROM [$4]",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA2010",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Revoke permissions from principals where not needed. It is recommended to have at most 1 principal granted a specific permission.",
"Script": "REVOKE $1 FROM [$3]",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA2020",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Revoke permissions from principals where not needed. It is recommended to have at most 1 principal granted a specific permission.",
"Script": "REVOKE $1 FROM [$3]",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA2021",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Revoke permissions from principals where not needed. It is recommended to have at most 1 principal granted a specific permission.",
"Script": "REVOKE $3 ON [$1].[$2] FROM [$5]",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA2022",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Revoke permissions from principals where not needed. It is recommended to have at most 1 principal granted a specific permission.",
"Script": "REVOKE $2 ON $0::[$1] FROM [$4]",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA2030",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Revoke permissions from principals where not needed. It is recommended to have at most 1 principal granted a specific permission.",
"Script": "REVOKE $1 FROM [$3]",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA2031",
"Status": "Finding",
"QueryResults": [
[
"OBJECT_OR_COLUMN",
"dbo",
"ExtendedDataSets",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DBUpgradeHistory",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ExecutionLog3",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DataSets",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ExecutionLog",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ServerUpgradeHistory",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Keys",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"History",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SubscriptionResults",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ConfigurationInfo",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Favorites",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Catalog",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SubscriptionsBeingDeleted",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ModelDrill",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Segment",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ExtendedCatalog",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ExtendedDataSources",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ChunkSegmentMapping",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ModelPerspective",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"CachePolicy",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SegmentedChunk",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Users",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ExecutionLogStorage",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DataSource",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Policies",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ExecutionLog2",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SecData",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Roles",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"PolicyUserRole",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Event",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Subscriptions",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ActiveSubscriptions",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SnapshotData",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ChunkData",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Notifications",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Batch",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Schedule",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ReportSchedule",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"RunningJobs",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
]
],
"Remediation": {
"Description": "Revoke permissions from principals where not needed. It is recommended to have at most 1 principal granted a specific permission.",
"Script": "REVOKE $3 ON [$1].[$2] FROM [$5]",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA2032",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Revoke permissions from principals where not needed. It is recommended to have at most 1 principal granted a specific permission.",
"Script": "REVOKE $2 ON $0::[$1] FROM [$4]",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA2033",
"Status": "Finding",
"QueryResults": [
[
"OBJECT_OR_COLUMN",
"dbo",
"CopyChunks",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ClearScheduleConsistancyFlags",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"CreateNewSnapshotVersion",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetAReportsReportAction",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"UpdateSnapshotReferences",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetTimeBasedSubscriptionReportAction",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"OpenSegmentedChunk",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetTaskProperties",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"CreateSegmentedChunk",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DeleteTask",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ReadChunkSegment",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetSchedulesReports",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"WriteChunkSegment",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"EnforceCacheLimits",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"CreateChunkSegment",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"AddReportSchedule",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"IsSegmentedChunk",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DeleteReportSchedule",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ShallowCopyChunk",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetSnapShotSchedule",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DeepCopySegment",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"CreateTimeBasedSubscriptionSchedule",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"RemoveSegmentedMapping",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetTimeBasedSubscriptionSchedule",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"RemoveSegment",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"AddRunningJob",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"MigrateExecutionLog",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"RemoveRunningJob",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"TempChunkExists",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"UpdateRunningJob",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"CreateEditSession",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetMyRunningJobs",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ListRunningJobs",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"CleanExpiredEditSessions",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"CleanExpiredJobs",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SetCacheLastUsed",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"CreateObject",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetSharePointPathsForUpgrade",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DeleteObject",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetSharePointSchedulePathsForUpgrade",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"FindObjectsNonRecursive",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"FindObjectsRecursive",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"UpgradeSharePointPaths",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"FindParents",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"UpgradeSharePointSchedulePaths",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"FindObjectsByLink",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetDataSets",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetIDPairsByLink",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"AddDataSet",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetChildrenBeforeDelete",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DeleteDataSets",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetAllProperties",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetDataSetForExecution",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetParameters",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetObjectContent",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"LoadForDefinitionCheck",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"UpdateSubscriptionResult",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"LoadForRepublishing",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"FindItemsToUpdateByDataSet",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetAllFavoriteItems",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"RebindDataSource",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"FindFavoriteableItemsNonRecursive",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"RebindDataSet",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"FindFavoriteableItemsRecursive",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SetUserServiceToken",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"IsFavoriteItem",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetUserServiceToken",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"RemoveItemFromFavorites",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SetUserSettings",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"AddItemToFavorites",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetUserSettings",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetDBVersion",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"CreateOrUpdateContentCache",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetCompiledDefinition",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetContentCache",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetReportForExecution",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetContentCacheDetails",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetReportParametersForExecution",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"CleanExpiredContentCache",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"MoveObject",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"FlushContentCache",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ObjectExists",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SetAllProperties",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"FlushCacheByID",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"FlushReportFromCache",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SetParameters",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SetObjectContent",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SetLastModified",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetNameById",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"AddDataSource",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetDataSources",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SetKeysForInstallation",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DeleteDataSources",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetAnnouncedKey",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ChangeStateOfDataSource",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"AnnounceOrGetKey",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"FindItemsByDataSource",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SetMachineName",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"FindItemsByDataSet",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ListInstallations",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"FindItemsByDataSourceRecursive",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ListSubscriptionIDs",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"CreateRole",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ListInfoForReencryption",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetRoles",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetDatasourceInfoForReencryption",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DeleteRole",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SetReencryptedDatasourceInfo",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ReadRoleProperties",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetSubscriptionInfoForReencryption",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SetRoleProperties",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SetReencryptedSubscriptionInfo",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetPoliciesForRole",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SetClientSecret",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"UpdatePolicy",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetUserServiceTokenForReencryption",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SetPolicy",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SetReencryptedUserServiceToken",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SetSystemPolicy",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DeleteEncryptedContent",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SetModelItemPolicy",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DeleteKey",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"UpdatePolicyPrincipal",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetAllConfigurationInfo",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"UpdatePolicyRole",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetOneConfigurationInfo",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetPolicy",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SetConfigurationInfo",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetSystemPolicy",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"AddEvent",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DeletePolicy",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DeleteEvent",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"CreateSession",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"CleanEventRecords",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DeleteModelItemPolicy",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"AddExecutionLogEntry",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DeleteAllModelItemPolicies",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ExpireExecutionLogEntries",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetModelItemInfo",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetUserIDBySid",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetModelDefinition",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetUserIDByName",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"AddModelPerspective",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetUserID",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DeleteModelPerspectives",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetUserIDWithNoCreate",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetModelsAndPerspectives",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetPrincipalID",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetModelPerspectives",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"CreateSubscription",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DereferenceSessionSnapshot",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DeliveryRemovedInactivateSubscription",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SetSessionData",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"AddSubscriptionToBeingDeleted",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"WriteLockSession",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"RemoveSubscriptionFromBeingDeleted",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"CheckSessionLock",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DeleteSubscription",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetSessionData",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetSubscription",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetSnapshotFromHistory",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ListSubscriptionsUsingDataSource",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"CleanExpiredSessions",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"UpdateSubscriptionStatus",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"CleanExpiredCache",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"UpdateSubscriptionLastRunInfo",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SetSessionCredentials",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"UpdateSubscription",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SetSessionParameters",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"InvalidateSubscription",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ClearSessionSnapshot",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"CleanNotificationRecords",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"RemoveReportFromSession",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"CreateSnapShotNotifications",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"CleanBrokenSnapshots",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"CreateDataDrivenNotification",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"CleanOrphanedSnapshots",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"CreateNewActiveSubscription",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"UpdateActiveSubscription",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SetCacheOptions",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DeleteActiveSubscription",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetCacheOptions",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"CreateCacheUpdateNotifications",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"AddReportToCache",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetCacheSchedule",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetExecutionOptions",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DeleteNotification",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SetExecutionOptions",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SetNotificationAttempt",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"UpdateSnapshot",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"CreateTimeBasedSubscriptionNotification",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"CreateChunkAndGetPointer",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DeleteTimeBasedSubscriptionSchedule",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"WriteChunkPortion",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ListUsedDeliveryProviders",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[