Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Parse JSON scan results file from a SQL Vulnerability Assessment Tool into a relational structure https://eitanblumin.com/sql-vulnerability-assessment-tool-rules-reference-list/
/******************************************************************
Parse SQL Vulnerability Assessment Tool Results
***********************************************
Author: Eitan Blumin | https://www.eitanblumin.com
Description:
Use this script to parse a Vulnerability Assessment Tool
results file into a relational structure.
This will output the T-SQL queries used by VAT behind the scenes
and their respective meta-data, as displayed in the VAT.
Also, if you uncomment two additional lines in the SQL
results below, then it will also output the results
saved in your specific results file.
Instructions:
1. Use SSMS to run a vulnerability check on your database.
2. Save the results file to a location accessible by a SQL Server.
3. Change the file path to the JSON file in the OPENROWSET command below.
4. Run the script and review the results.
Change Log:
2020-01-27 - Fixed severity anchor names and used textual anchors instead of meaningless numbers
2020-01-14 - Added Split_On_Upper_Case
2020-01-13 - Added comments, moved some columns around, added SINGLE_CLOB option
2019-07-21 - Initial version
*******************************************************************/
GO
USE tempdb
GO
IF OBJECT_ID('dbo.Split_On_Upper_Case') IS NOT NULL DROP FUNCTION dbo.Split_On_Upper_Case;
GO
-- Source: https://stackoverflow.com/questions/23470794/split-words-with-a-capital-letter-in-sql
Create Function dbo.Split_On_Upper_Case(@Temp VarChar(1000))
Returns VarChar(1000)
AS
Begin
Declare @KeepValues as varchar(50)
Set @KeepValues = '%[^ ][A-Z]%'
While PatIndex(@KeepValues collate Latin1_General_Bin, @Temp) > 0
Set @Temp = Stuff(@Temp, PatIndex(@KeepValues collate Latin1_General_Bin, @Temp) + 1, 0, ' ')
Return @Temp
End
GO
DECLARE @j NVARCHAR(MAX);
SELECT @j = BulkColumn
FROM OPENROWSET (
BULK 'C:\Temp\vat_example_results_file.json' -- enter the path to the json results file from the Vulnerability Assessment Tool
, SINGLE_CLOB -- uncomment this if the file is ASCII
-- , SINGLE_NCLOB -- uncomment this if the file is Unicode
) [FileName]
SET NOCOUNT ON;
IF ISJSON(@j) = 1
PRINT N'Imported JSON is valid'
ELSE
BEGIN
RAISERROR(N'Imported JSON is invalid!', 16,1);
GOTO Quit
END
DECLARE
@HTMLHeader NVARCHAR(MAX)
, @HTMLFooter NVARCHAR(MAX)
, @HTMLTemplateCategoryStart NVARCHAR(MAX)
, @HTMLTemplateCategoryEnd NVARCHAR(MAX)
, @HTMLTemplateSeverityStart NVARCHAR(MAX)
, @HTMLTemplateSeverityEnd NVARCHAR(MAX)
, @HTMLTemplatePerRow NVARCHAR(MAX)
, @HTMLNavHeader NVARCHAR(MAX)
, @HTMLNavFooter NVARCHAR(MAX)
, @HTMLNavCategoryStart NVARCHAR(MAX)
, @HTMLNavCategoryEnd NVARCHAR(MAX)
, @HTMLNavSeverityStart NVARCHAR(MAX)
, @HTMLNavSeverityEnd NVARCHAR(MAX)
, @HTMLNavPerRow NVARCHAR(MAX)
SET @HTMLHeader = N'<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<link rel="stylesheet" href="assets/css/main.css" />
<title>Vulnerability Assessment Tool Rules</title>
<style>pre {
/*background-color: lightgray;*/
white-space: pre-wrap; /* css-3 */
white-space: -moz-pre-wrap; /* Mozilla, since 1999 */
white-space: -pre-wrap; /* Opera 4-6 */
white-space: -o-pre-wrap; /* Opera 7 */
word-wrap: break-word; /* Internet Explorer 5.5+ */
}</style>
</head>
<body>
<!-- Replace this line with the contents from the Nav column -->
<main>'
SET @HTMLFooter = N'
</main>
</body></html>'
SET @HTMLTemplateCategoryStart = N'<section><header><h1 align="left"><a id="{{CategoryId}}"></a>{{Category}} - {{RuleCount}} rule(s)</h1></header>'
SET @HTMLTemplateCategoryEnd = N'</section>'
SET @HTMLTemplateSeverityStart = N'<section><header><h3 align="left"><a id="{{CategoryId}}_{{Severity}}"></a>Severity: {{Severity}}</h3></header>
<table cellspacing="0" border="1" cellpadding="3">'
SET @HTMLTemplateSeverityEnd = N'</table><p style="font-size: 12px"><a href="#nav">☝ back to top</a></p><hr></section>'
SET @HTMLTemplatePerRow = N'<tr><td><article>
<header><h3><a id="Rule_{{RuleId}}"></a>{{RuleId}}: {{Title}}</h3></header>
<details>
<summary>{{Description}}</summary>
<h4>Rationale:</h4><p>{{Rationale}}</p>
<h4>Query:</h4><p><pre>{{Query}}</pre></p>
<h4>Remediation:</h4>
<p>{{RemediationDescription}}</p>
<p><pre>{{RemediationScript}}</pre></p>
</details>
</article></td></tr>'
SET @HTMLNavHeader = N'<aside id="nav"><header><h1>Navigation</h1></header><nav><ul>'
SET @HTMLNavFooter = N'</ul></nav></aside>'
SET @HTMLNavCategoryStart = N'<li><a href="#{{CategoryId}}">{{Category}}</a> - {{RuleCount}} rule(s)<ul>'
SET @HTMLNavCategoryEnd = N'</ul></li>'
SET @HTMLNavSeverityStart = N'<li><a href="#{{CategoryId}}_{{Severity}}">Severity: {{Severity}}</a> - {{RuleCount}} rule(s)<ol>'
SET @HTMLNavSeverityEnd = N'</ol></li>'
SET @HTMLNavPerRow = N'<li><a href="#Rule_{{RuleId}}">{{RuleId}}</a>: {{Title}}</li>'
--SET @HTMLNavSeverityStart = N'<li><a href="#{{CategoryId}}_{{Severity}}">Severity: {{Severity}}</a> - {{RuleCount}} rule(s)'
--SET @HTMLNavSeverityEnd = N'</li>'
--SET @HTMLNavPerRow = N''
IF OBJECT_ID('tempdb..#data') IS NOT NULL DROP TABLE #data;
SELECT
dbo.Split_On_Upper_Case(JSON_VALUE(b.[value], '$.Category')) COLLATE database_default AS [CategoryTitle]
, JSON_VALUE(b.[value], '$.Category') COLLATE database_default AS [Category]
, JSON_VALUE(b.[value], '$.Severity') COLLATE database_default AS [Severity]
, CASE JSON_VALUE(b.[value], '$.Severity') WHEN 'High' THEN 1 WHEN 'Medium' THEN 2 WHEN 'Low' THEN 3 ELSE 0 END AS [Severity_Num]
, b.[key] COLLATE database_default AS RuleId
, JSON_VALUE(b.[value], '$.Title') COLLATE database_default AS [Title]
, JSON_VALUE(b.[value], '$.Description') COLLATE database_default AS [Description]
, JSON_VALUE(b.[value], '$.Rationale') COLLATE database_default AS [Rationale]
, ISNULL(JSON_VALUE(b.[value], '$.QueryCheck.Query'), qc.[value]) COLLATE database_default AS [Query]
, JSON_VALUE(b.[value], '$.RuleType') COLLATE database_default AS [RuleType]
, JSON_QUERY(b.[value], '$.QueryCheck.ColumnNames') COLLATE database_default AS [ColumnNames]
, JSON_VALUE(r.[value], '$.Remediation.Script') COLLATE database_default AS [RemediationScript]
, JSON_VALUE(r.[value], '$.Remediation.Description') COLLATE database_default AS [RemediationDescription]
-- Uncomment the two lines below if you want to output the specific results for your server
--, JSON_VALUE(r.[value], '$.Status') COLLATE database_default AS [FindingStatus]
--, JSON_QUERY(r.[value], '$.QueryResults') COLLATE database_default AS [FindingQueryResults]
INTO #data
FROM OPENJSON(@j, '$.Scans') AS a
CROSS APPLY OPENJSON(a.[value], '$.Rules') AS b
CROSS APPLY OPENJSON(a.[value], '$.Results') AS r
OUTER APPLY (SELECT [value] FROM OPENJSON(b.[value], '$.QueryCheck') WHERE [key] = 'Query') AS qc
WHERE b.[key] = JSON_VALUE(r.[value], '$.RuleId')
SELECT
Contents =
CASE
WHEN [Severity] IS NULL THEN -- Category header
CASE WHEN [CategoryId] > 1 THEN @HTMLTemplateCategoryEnd ELSE @HTMLHeader END
+ REPLACE(REPLACE(REPLACE(
@HTMLTemplateCategoryStart
, N'{{Category}}', [CategoryTitle])
, N'{{RuleCount}}', CONVERT(nvarchar,COUNT(*)))
, N'{{CategoryId}}', [Category])
WHEN [Severity] IS NOT NULL AND [RuleId] IS NULL THEN -- Severity header
REPLACE(REPLACE(REPLACE(REPLACE(
@HTMLTemplateSeverityStart
, N'{{Severity}}', [Severity])
, N'{{RuleCount}}', CONVERT(nvarchar,COUNT(*)))
, N'{{SeverityNum}}', [Severity_Num])
, N'{{CategoryId}}', [Category])
ELSE -- Data Row
REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(
@HTMLTemplatePerRow
,N'{{RuleId}}',[RuleId])
,N'{{Title}}',[Title])
,N'{{Description}}',[Description])
,N'{{Rationale}}',[Rationale])
,N'{{Query}}',ISNULL([Query], N''))
,N'{{RemediationScript}}', ISNULL([RemediationScript],N''))
,N'{{RemediationDescription}}', [RemediationDescription])
,N'{{Severity}}', [Severity])
END
+ CASE WHEN [RuleId_Desc] = 1 THEN @HTMLTemplateSeverityEnd ELSE N'' END
+ CASE WHEN Everything_Desc = 1 THEN @HTMLFooter ELSE N'' END
, Nav =
CASE
WHEN [Severity] IS NULL THEN -- Category header
CASE WHEN [CategoryId] > 1 THEN @HTMLNavCategoryEnd ELSE @HTMLNavHeader END
+ REPLACE(REPLACE(REPLACE(
@HTMLNavCategoryStart
, N'{{Category}}', [CategoryTitle])
, N'{{RuleCount}}', CONVERT(nvarchar,COUNT(*)))
, N'{{CategoryId}}', [Category])
WHEN [Severity] IS NOT NULL AND [RuleId] IS NULL THEN -- Severity header
REPLACE(REPLACE(REPLACE(REPLACE(
@HTMLNavSeverityStart
, N'{{Severity}}', [Severity])
, N'{{RuleCount}}', CONVERT(nvarchar,COUNT(*)))
, N'{{SeverityNum}}', [Severity_Num])
, N'{{CategoryId}}', [Category])
ELSE -- Data Row
REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(
@HTMLNavPerRow
,N'{{RuleId}}',[RuleId])
,N'{{Title}}',[Title])
,N'{{Description}}',[Description])
,N'{{Rationale}}',[Rationale])
,N'{{Query}}',ISNULL([Query], N''))
,N'{{RemediationScript}}', ISNULL([RemediationScript],N''))
,N'{{RemediationDescription}}', [RemediationDescription])
,N'{{Severity}}', [Severity])
END
+ CASE WHEN [RuleId_Desc] = 1 THEN @HTMLNavSeverityEnd ELSE N'' END
+ CASE WHEN Everything_Desc = 1 THEN @HTMLNavFooter ELSE N'' END
,COUNT(*) AS RuleCount, *
FROM
(
SELECT
DENSE_RANK() OVER (ORDER BY [Category]) AS CategoryId
, DENSE_RANK() OVER (ORDER BY [Category] DESC) AS CategoryId_Desc
, DENSE_RANK() OVER (PARTITION BY [Category] ORDER BY [Severity_Num]) AS SeverityId
, RANK() OVER (PARTITION BY [Category], [Severity] ORDER BY [RuleId] DESC) AS RuleId_Desc
, RANK() OVER (ORDER BY [Category] DESC, [Severity_Num] DESC, [RuleId] DESC) AS Everything_Desc
, *
FROM #data
) AS q
GROUP BY GROUPING SETS
(
([Category],[CategoryTitle],[CategoryId],CategoryId_Desc)
,([Category],[CategoryTitle],[CategoryId],CategoryId_Desc,[Severity],[SeverityId],[Severity_Num])
,([Category],[CategoryTitle],[CategoryId],CategoryId_Desc,[Severity],[SeverityId],[Severity_Num],RuleId_Desc,Everything_Desc,[RuleId],[Title],[Description],[Rationale],[Query],[RuleType],[ColumnNames],[RemediationScript],[RemediationDescription])
)
ORDER BY CategoryId, ISNULL([SeverityId],0), RuleId
Quit:
/******************************************************************
Parse SQL Vulnerability Assessment Tool Results
***********************************************
Author: Eitan Blumin | https://www.eitanblumin.com
Description:
Use this script to parse a Vulnerability Assessment Tool
results file into a relational structure.
This will output the T-SQL queries used by VAT behind the scenes
and their respective meta-data, as displayed in the VAT.
Also, if you uncomment two additional lines in the SQL
results below, then it will also output the results
saved in your specific results file.
Instructions:
1. Use SSMS to run a vulnerability check on your database.
2. Save the results file to a location accessible by a SQL Server.
3. Change the file path to the JSON file in the OPENROWSET command below.
4. Run the script and review the results.
Change Log:
2020-01-13 - Added comments, moved some columns around, added SINGLE_CLOB option
2019-07-21 - Initial version
*******************************************************************/
DECLARE @j NVARCHAR(MAX);
SELECT @j = BulkColumn
FROM OPENROWSET (
BULK 'C:\Temp\vat_example_results_file.json' -- enter the path to the json results file from the Vulnerability Assessment Tool
, SINGLE_CLOB -- uncomment this if the file is ASCII
-- , SINGLE_NCLOB -- uncomment this if the file is Unicode
) [FileName]
SET NOCOUNT ON;
IF ISJSON(@j) = 1
PRINT N'Imported JSON is valid'
ELSE
BEGIN
RAISERROR(N'Imported JSON is invalid!', 16,1);
GOTO Quit
END
SELECT
JSON_VALUE(b.[value], '$.Category') AS [Category]
, JSON_VALUE(b.[value], '$.Severity') AS [Severity]
, b.[key] AS RuleId
, JSON_VALUE(b.[value], '$.Title') AS [Title]
, JSON_VALUE(b.[value], '$.Description') AS [Description]
, JSON_VALUE(b.[value], '$.Rationale') AS [Rationale]
, ISNULL(JSON_VALUE(b.[value], '$.QueryCheck.Query'), qc.[value]) AS [Query]
, JSON_VALUE(b.[value], '$.RuleType') AS [RuleType]
, JSON_QUERY(b.[value], '$.QueryCheck.ColumnNames') AS [ColumnNames]
, JSON_VALUE(r.[value], '$.Remediation.Script') AS [RemediationScript]
, JSON_VALUE(r.[value], '$.Remediation.Description') AS [RemediationDescription]
-- Uncomment the two lines below if you want to output the specific results for your server
--, JSON_VALUE(r.[value], '$.Status') AS [FindingStatus]
--, JSON_QUERY(r.[value], '$.QueryResults') AS [FindingQueryResults]
FROM OPENJSON(@j, '$.Scans') AS a
CROSS APPLY OPENJSON(a.[value], '$.Rules') AS b
CROSS APPLY OPENJSON(a.[value], '$.Results') AS r
OUTER APPLY (SELECT [value] FROM OPENJSON(b.[value], '$.QueryCheck') WHERE [key] = 'Query') AS qc
WHERE b.[key] = JSON_VALUE(r.[value], '$.RuleId')
ORDER BY 1, CASE JSON_VALUE(b.[value], '$.Severity') WHEN N'Low' THEN 1 WHEN N'Medium' THEN 2 WHEN N'High' THEN 3 END DESC, 3
Quit:
{
"Format": "VANative",
"Version": "1.0",
"Scans": [
{
"Id": "2019-07-21T12-37-37",
"Tool": {
"Name": "<Unknown>",
"Version": "x.x.xxx"
},
"ScanType": "BoxDatabase",
"ScanTriggerType": "OnDemand",
"Server": "DESKTOP-LOCAL",
"Database": "ReportServer",
"Platform": "SqlServer2016",
"SqlVersion": "13.0.5153",
"StartTime": "2019-07-21T09:37:37.8745308Z",
"Results": [
{
"RuleId": "VA1020",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Remove the special principal GUEST from all roles.",
"Script": "ALTER ROLE [$0] DROP MEMBER GUEST",
"Automated": true,
"PortalLink": ""
}
},
{
"RuleId": "VA1042",
"Status": "NonFinding",
"QueryResults": [
[
"0",
"ReportServer"
]
],
"Remediation": {
"Description": "Disable DB_CHANING option for this database",
"Script": "ALTER DATABASE [$1] SET DB_CHAINING OFF",
"Automated": true,
"PortalLink": ""
}
},
{
"RuleId": "VA1043",
"Status": "NonFinding",
"QueryResults": [
[
"0"
]
],
"Remediation": {
"Description": "Remove all permissions granted to GUEST, especially the connect permission. The easiest way to perform such action is by using DROP USER [guest] syntax",
"Script": "DROP USER [guest]",
"Automated": true,
"PortalLink": ""
}
},
{
"RuleId": "VA1044",
"Status": "NonFinding",
"QueryResults": [
[
"0"
]
],
"Remediation": {
"Description": "Disable remote dedicated admin connections.",
"Script": "EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE;\r\nEXECUTE sp_configure 'remote admin connections', 0; RECONFIGURE;\r\nEXECUTE sp_configure 'show advanced options', 0; RECONFIGURE;",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1051",
"Status": "NonFinding",
"QueryResults": [
[
"0",
"ReportServer"
]
],
"Remediation": {
"Description": "Disable the AUTO_CLOSE option on the affected databases.",
"Script": "ALTER DATABASE [$1] SET AUTO_CLOSE OFF",
"Automated": true,
"PortalLink": ""
}
},
{
"RuleId": "VA1054",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Revoke unnecessary permissions granted to PUBLIC",
"Script": "REVOKE $0 ON [$1].[$2] FROM PUBLIC",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1069",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Revoke unnecessary permissions to system tables",
"Script": "REVOKE SELECT ON OBJECT::[$0].[$1] FROM [$2]",
"Automated": true,
"PortalLink": ""
}
},
{
"RuleId": "VA1070",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "You must rename the affected users or logins to avoid the confusion, updating all affected applications as well.",
"Script": "",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1094",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Revoke permissions granted to users directly. Instead use Windows groups or server roles to grant permissions, and manage role memberships instead.",
"Script": "REVOKE $0 ON $1::[$2] FROM [$3]",
"Automated": true,
"PortalLink": ""
}
},
{
"RuleId": "VA1095",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Revoke any unnecessary permissions granted to PUBLIC, but avoid changing permissions granted out of the box.",
"Script": "REVOKE $2 ON $0::[$1] FROM PUBLIC",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1096",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Revoke any unnecessary permissions granted to the special account GUEST",
"Script": "REVOKE $0 FROM GUEST",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1097",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Revoke any unnecessary permissions granted to the special account GUEST",
"Script": "REVOKE $2 ON [$0].[$1] FROM GUEST",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1099",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Revoke any unnecessary permissions granted to the special account GUEST",
"Script": "REVOKE $2 ON $0::[$1] FROM GUEST",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1253",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Review the list of events and make sure they match your needs. For more details visit https://msdn.microsoft.com/en-us/library/cc280386.aspx.",
"Script": "",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1265",
"Status": "NonFinding",
"QueryResults": [
[
"0"
]
],
"Remediation": {
"Description": "Create and enable a new SERVER AUDIT SPECIFICATION that will audit FAILED_LOGIN_GROUP & SUCCESSFUL_LOGIN_GROUP events. This SERVER AUDIT SPECIFICATION must target a valid SERVER AUDIT object that is enabled.",
"Script": "CREATE DATABASE AUDIT SPECIFICATION [DbAuditSpec_db_logon_information_failed_succeessful]\r\n FOR SERVER AUDIT [<REPLACE WITH VALID AUDIT SPECIFICATION NAME>]\r\nADD (FAILED_DATABASE_AUTHENTICATION_GROUP),\r\nADD (SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP)\r\nWITH (STATE = ON)",
"Automated": true,
"PortalLink": ""
}
},
{
"RuleId": "VA1267",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Remove all contained users with password.\r\nAll affected applications will have to switch to Windows authentication, or create logins with password policy enforcement in order to connect to the DB.",
"Script": "DROP USER [$0];",
"Automated": true,
"PortalLink": ""
}
},
{
"RuleId": "VA1143",
"Status": "NonFinding",
"QueryResults": [
[
"0"
]
],
"Remediation": {
"Description": "Create users with low privileges to access the DB and any data stored in it with the appropriate set of permissions.",
"Script": "",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1223",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Create new certificates, re-encrypt the data/sign-data using the new key, and drop the affected keys.",
"Script": "",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1244",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Drop the orphaned users or remap them to a different login.",
"Script": "DROP USER [$0]",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1246",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Remove the application roles. Use users without login as a permission-based replacement",
"Script": "DROP APPLICATION ROLE [$0]",
"Automated": true,
"PortalLink": ""
}
},
{
"RuleId": "VA1248",
"Status": "Finding",
"QueryResults": [
[
"db_owner",
"RSExecRole"
]
],
"Remediation": {
"Description": "Remove user defined roles from fixed-database roles",
"Script": "ALTER ROLE [$0] DROP MEMBER [$1]",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1102",
"Status": "NonFinding",
"QueryResults": [
[
"0",
"ReportServer"
]
],
"Remediation": {
"Description": "Disable the trustworthy bit (TWbit) from all affected databases.\r\nIf you need to use functionality that is controlled by the TWbit, it is recommended to use digital signatures to enable the functionality instead of enabling the TWbit on the database.",
"Script": "ALTER DATABASE [$1] SET TRUSTWORTHY OFF",
"Automated": true,
"PortalLink": ""
}
},
{
"RuleId": "VA1277",
"Status": "NonFinding",
"QueryResults": [
[
"0"
]
],
"Remediation": {
"Description": "Enable polybase network encryption (default)",
"Script": "EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE;\r\nEXECUTE sp_configure 'ad hoc distributed queries', 1; RECONFIGURE;\r\nEXECUTE sp_configure 'show advanced options', 0; RECONFIGURE;",
"Automated": true,
"PortalLink": ""
}
},
{
"RuleId": "VA1256",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Drop assemblies from the affected databases",
"Script": "DROP ASSEMBLY [$0]",
"Automated": true,
"PortalLink": ""
}
},
{
"RuleId": "VA1245",
"Status": "NonFinding",
"QueryResults": [
[
"0"
]
],
"Remediation": {
"Description": "Use ALTER AUTHORIZATION DDL to specify the user that should be the dbo for the database",
"Script": "",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1098",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Change the affected endpoints to accept only AES connections",
"Script": "ALTER ENDPOINT [$0] FOR $1 ( ENCRYPTION = REQUIRED ALGORITHM AES )",
"Automated": true,
"PortalLink": ""
}
},
{
"RuleId": "VA1219",
"Status": "Finding",
"QueryResults": [
[
"1"
]
],
"Remediation": {
"Description": "Enable TDE on the affected database. Please follow the instructions on https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption",
"Script": "",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1221",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Regenerate the DEK using AES",
"Script": "",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1222",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Create AES keys, re-encrypt the data using the new key, and drop the affected keys.",
"Script": "",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1224",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Create new asymmetric Keys, re-encrypt the data/sign-data using the new key, and drop the affected keys.",
"Script": "DROP ASYMMETRIC KEY [$0]",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1281",
"Status": "Finding",
"QueryResults": [
[
"RSExecRole",
"NT SERVICE\\ReportServer"
],
[
"RSExecRole",
"NT AUTHORITY\\SYSTEM"
],
[
"RSExecRole",
"NT AUTHORITY\\NETWORK SERVICE"
]
],
"Remediation": {
"Description": "Keep track of role membership and remove unnecessary members from roles to avoid granting excessive permissions or update baseline to comply with new changes",
"Script": "ALTER ROLE [$0] DROP MEMBER [$1]",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1282",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Drop the unnecessary roles.",
"Script": "DROP ROLE [$0]",
"Automated": true,
"PortalLink": ""
}
},
{
"RuleId": "VA1287",
"Status": "Finding",
"QueryResults": [
[
"dbo",
"CachePolicy",
"CacheExpiration",
"Credit Card",
"Confidential"
],
[
"dbo",
"CachePolicy",
"ExpirationFlags",
"Credit Card",
"Confidential"
],
[
"dbo",
"DataSource",
"Password",
"Credentials",
"Confidential"
],
[
"dbo",
"DataSource",
"UserName",
"Credentials",
"Confidential"
],
[
"dbo",
"ExecutionLogStorage",
"UserName",
"Credentials",
"Confidential"
],
[
"dbo",
"ServerParametersInstance",
"Expiration",
"Credit Card",
"Confidential"
],
[
"dbo",
"SnapshotData",
"ExpirationDate",
"Credit Card",
"Confidential"
],
[
"dbo",
"Users",
"UserName",
"Credentials",
"Confidential"
]
],
"Remediation": {
"Description": "Review the identified list of potentially sensitive columns and apply classifications where relevant via the Classify Data task of the database.\r\n\r\nIf none of the identified columns actually represent sensitive elements in your database, you can set them as your approved baseline to acknowledge their status and to prevent them from being identified again. \r\n\r\nIn addition, apply column-level data protection security measures where appropriate: Always Encrypted -- keeps sensitive data columns encrypted on the server side ('https://go.microsoft.com/fwlink/?linkid=862688') or Dynamic Data Masking -- limits sensitive data exposure by dynamically masking it to non-privileged users when data is returned from the server to the client ('https://go.microsoft.com/fwlink/?linkid=524331'). You can also use Row Level Security to restrict access to data rows by creating a security policy based on characteristics of the user executing a query ('https://go.microsoft.com/fwlink/?linkid=862687').",
"Script": "",
"Automated": false,
"PortalLink": "ClassifyData"
}
},
{
"RuleId": "VA1286",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Revoke permissions granted to users directly. Instead use Windows groups or server roles to grant permissions, and manage role memberships instead.",
"Script": "REVOKE $0 ON [$1].[$2] FROM [$3]",
"Automated": true,
"PortalLink": ""
}
},
{
"RuleId": "VA2000",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Revoke permissions from principals where not needed. It is recommended to have at most 1 principal granted a specific permission.",
"Script": "REVOKE $1 FROM [$3]",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA2001",
"Status": "Finding",
"QueryResults": [
[
"OBJECT_OR_COLUMN",
"dbo",
"ExtendedDataSets",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DBUpgradeHistory",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ExecutionLog3",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DataSets",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ExecutionLog",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ServerUpgradeHistory",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Keys",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"History",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SubscriptionResults",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ConfigurationInfo",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Favorites",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Catalog",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SubscriptionsBeingDeleted",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ModelDrill",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Segment",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ExtendedCatalog",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ExtendedDataSources",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ChunkSegmentMapping",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ModelPerspective",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"CachePolicy",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SegmentedChunk",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Users",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ExecutionLogStorage",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DataSource",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Policies",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ExecutionLog2",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SecData",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Roles",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"PolicyUserRole",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Event",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Subscriptions",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ActiveSubscriptions",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SnapshotData",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ChunkData",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Notifications",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Batch",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Schedule",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ReportSchedule",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"RunningJobs",
"REFERENCES",
"DATABASE_ROLE",
"RSExecRole"
]
],
"Remediation": {
"Description": "Revoke permissions from principals where not needed. It is recommended to have at most 1 principal granted a specific permission.",
"Script": "REVOKE $3 ON [$1].[$2] FROM [$5]",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA2002",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Revoke permissions from principals where not needed. It is recommended to have at most 1 principal granted a specific permission.",
"Script": "REVOKE $2 ON $0::[$1] FROM [$4]",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA2010",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Revoke permissions from principals where not needed. It is recommended to have at most 1 principal granted a specific permission.",
"Script": "REVOKE $1 FROM [$3]",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA2020",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Revoke permissions from principals where not needed. It is recommended to have at most 1 principal granted a specific permission.",
"Script": "REVOKE $1 FROM [$3]",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA2021",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Revoke permissions from principals where not needed. It is recommended to have at most 1 principal granted a specific permission.",
"Script": "REVOKE $3 ON [$1].[$2] FROM [$5]",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA2022",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Revoke permissions from principals where not needed. It is recommended to have at most 1 principal granted a specific permission.",
"Script": "REVOKE $2 ON $0::[$1] FROM [$4]",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA2030",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Revoke permissions from principals where not needed. It is recommended to have at most 1 principal granted a specific permission.",
"Script": "REVOKE $1 FROM [$3]",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA2031",
"Status": "Finding",
"QueryResults": [
[
"OBJECT_OR_COLUMN",
"dbo",
"ExtendedDataSets",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DBUpgradeHistory",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ExecutionLog3",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DataSets",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ExecutionLog",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ServerUpgradeHistory",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Keys",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"History",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SubscriptionResults",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ConfigurationInfo",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Favorites",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Catalog",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SubscriptionsBeingDeleted",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ModelDrill",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Segment",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ExtendedCatalog",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ExtendedDataSources",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ChunkSegmentMapping",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ModelPerspective",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"CachePolicy",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SegmentedChunk",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Users",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ExecutionLogStorage",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DataSource",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Policies",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ExecutionLog2",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SecData",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Roles",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"PolicyUserRole",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Event",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Subscriptions",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ActiveSubscriptions",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SnapshotData",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ChunkData",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Notifications",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Batch",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"Schedule",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ReportSchedule",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"RunningJobs",
"SELECT",
"DATABASE_ROLE",
"RSExecRole"
]
],
"Remediation": {
"Description": "Revoke permissions from principals where not needed. It is recommended to have at most 1 principal granted a specific permission.",
"Script": "REVOKE $3 ON [$1].[$2] FROM [$5]",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA2032",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Revoke permissions from principals where not needed. It is recommended to have at most 1 principal granted a specific permission.",
"Script": "REVOKE $2 ON $0::[$1] FROM [$4]",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA2033",
"Status": "Finding",
"QueryResults": [
[
"OBJECT_OR_COLUMN",
"dbo",
"CopyChunks",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ClearScheduleConsistancyFlags",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"CreateNewSnapshotVersion",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetAReportsReportAction",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"UpdateSnapshotReferences",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetTimeBasedSubscriptionReportAction",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"OpenSegmentedChunk",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetTaskProperties",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"CreateSegmentedChunk",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DeleteTask",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ReadChunkSegment",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetSchedulesReports",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"WriteChunkSegment",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"EnforceCacheLimits",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"CreateChunkSegment",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"AddReportSchedule",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"IsSegmentedChunk",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DeleteReportSchedule",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ShallowCopyChunk",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetSnapShotSchedule",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DeepCopySegment",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"CreateTimeBasedSubscriptionSchedule",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"RemoveSegmentedMapping",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetTimeBasedSubscriptionSchedule",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"RemoveSegment",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"AddRunningJob",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"MigrateExecutionLog",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"RemoveRunningJob",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"TempChunkExists",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"UpdateRunningJob",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"CreateEditSession",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetMyRunningJobs",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ListRunningJobs",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"CleanExpiredEditSessions",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"CleanExpiredJobs",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SetCacheLastUsed",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"CreateObject",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetSharePointPathsForUpgrade",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DeleteObject",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetSharePointSchedulePathsForUpgrade",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"FindObjectsNonRecursive",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"FindObjectsRecursive",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"UpgradeSharePointPaths",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"FindParents",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"UpgradeSharePointSchedulePaths",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"FindObjectsByLink",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetDataSets",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetIDPairsByLink",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"AddDataSet",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetChildrenBeforeDelete",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DeleteDataSets",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetAllProperties",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetDataSetForExecution",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetParameters",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetObjectContent",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"LoadForDefinitionCheck",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"UpdateSubscriptionResult",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"LoadForRepublishing",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"FindItemsToUpdateByDataSet",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetAllFavoriteItems",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"RebindDataSource",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"FindFavoriteableItemsNonRecursive",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"RebindDataSet",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"FindFavoriteableItemsRecursive",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SetUserServiceToken",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"IsFavoriteItem",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetUserServiceToken",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"RemoveItemFromFavorites",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SetUserSettings",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"AddItemToFavorites",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetUserSettings",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetDBVersion",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"CreateOrUpdateContentCache",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetCompiledDefinition",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetContentCache",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetReportForExecution",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetContentCacheDetails",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetReportParametersForExecution",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"CleanExpiredContentCache",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"MoveObject",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"FlushContentCache",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ObjectExists",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SetAllProperties",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"FlushCacheByID",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"FlushReportFromCache",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SetParameters",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SetObjectContent",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SetLastModified",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetNameById",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"AddDataSource",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetDataSources",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SetKeysForInstallation",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DeleteDataSources",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetAnnouncedKey",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ChangeStateOfDataSource",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"AnnounceOrGetKey",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"FindItemsByDataSource",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SetMachineName",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"FindItemsByDataSet",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ListInstallations",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"FindItemsByDataSourceRecursive",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ListSubscriptionIDs",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"CreateRole",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ListInfoForReencryption",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetRoles",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetDatasourceInfoForReencryption",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DeleteRole",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SetReencryptedDatasourceInfo",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ReadRoleProperties",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetSubscriptionInfoForReencryption",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SetRoleProperties",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SetReencryptedSubscriptionInfo",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetPoliciesForRole",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SetClientSecret",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"UpdatePolicy",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetUserServiceTokenForReencryption",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SetPolicy",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SetReencryptedUserServiceToken",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SetSystemPolicy",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DeleteEncryptedContent",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SetModelItemPolicy",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DeleteKey",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"UpdatePolicyPrincipal",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetAllConfigurationInfo",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"UpdatePolicyRole",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetOneConfigurationInfo",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetPolicy",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SetConfigurationInfo",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetSystemPolicy",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"AddEvent",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DeletePolicy",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DeleteEvent",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"CreateSession",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"CleanEventRecords",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DeleteModelItemPolicy",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"AddExecutionLogEntry",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DeleteAllModelItemPolicies",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"ExpireExecutionLogEntries",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetModelItemInfo",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetUserIDBySid",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetModelDefinition",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetUserIDByName",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"AddModelPerspective",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetUserID",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DeleteModelPerspectives",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetUserIDWithNoCreate",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetModelsAndPerspectives",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetPrincipalID",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"GetModelPerspectives",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"CreateSubscription",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DereferenceSessionSnapshot",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"DeliveryRemovedInactivateSubscription",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[
"OBJECT_OR_COLUMN",
"dbo",
"SetSessionData",
"EXECUTE",
"DATABASE_ROLE",
"RSExecRole"
],
[