Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save EitanBlumin/ed3bc163fbcfa6f9e13a486b685517ce to your computer and use it in GitHub Desktop.
Save EitanBlumin/ed3bc163fbcfa6f9e13a486b685517ce to your computer and use it in GitHub Desktop.
Parse JSON scan results file from a SQL Vulnerability Assessment Tool into a relational structure https://eitanblumin.com/sql-vulnerability-assessment-tool-rules-reference-list/
/******************************************************************
Parse SQL Vulnerability Assessment Tool Results
***********************************************
Author: Eitan Blumin | https://www.eitanblumin.com
Description:
Use this script to parse a Vulnerability Assessment Tool
results file into a relational structure.
This will output the T-SQL queries used by VAT behind the scenes
and their respective meta-data, as displayed in the VAT.
Also, if you uncomment two additional lines in the SQL
results below, then it will also output the results
saved in your specific results file.
Instructions:
1. Use SSMS to run a vulnerability check on your database.
2. Save the results file to a location accessible by a SQL Server.
3. Change the file path to the JSON file in the OPENROWSET command at line 55.
4. Run the script.
5. Copy the entirety of the "Contents" column into a text editor.
6. Find the line that says "Replace this line with the contents from the Nav column".
7. Copy the entirety of the "Nav" column and use it to replace the line found in step 6.
8. Save the text file as a web page with the "html" extension.
9. Open the web page with your favorite browser and review the results.
Change Log:
2020-11-11 - Added detailed instructions for saving results as a web page
2020-01-27 - Fixed severity anchor names and used textual anchors instead of meaningless numbers
2020-01-14 - Added Split_On_Upper_Case
2020-01-13 - Added comments, moved some columns around, added SINGLE_CLOB option
2019-07-21 - Initial version
*******************************************************************/
GO
USE tempdb
GO
IF OBJECT_ID('dbo.Split_On_Upper_Case') IS NOT NULL DROP FUNCTION dbo.Split_On_Upper_Case;
GO
-- Source: https://stackoverflow.com/questions/23470794/split-words-with-a-capital-letter-in-sql
Create Function dbo.Split_On_Upper_Case(@Temp VarChar(1000))
Returns VarChar(1000)
AS
Begin
Declare @KeepValues as varchar(50)
Set @KeepValues = '%[^ ][A-Z]%'
While PatIndex(@KeepValues collate Latin1_General_Bin, @Temp) > 0
Set @Temp = Stuff(@Temp, PatIndex(@KeepValues collate Latin1_General_Bin, @Temp) + 1, 0, ' ')
Return @Temp
End
GO
DECLARE @j NVARCHAR(MAX);
SELECT @j = BulkColumn
FROM OPENROWSET (
BULK 'C:\Temp\vat_example_results_file.json' -- enter the path to the json results file from the Vulnerability Assessment Tool
--, SINGLE_CLOB -- uncomment this if the file is ASCII
, SINGLE_NCLOB -- uncomment this if the file is Unicode
) [FileName]
SET NOCOUNT ON;
IF ISJSON(@j) = 1
PRINT N'Imported JSON is valid'
ELSE
BEGIN
RAISERROR(N'Imported JSON is invalid!', 16,1);
GOTO Quit
END
DECLARE
@HTMLHeader NVARCHAR(MAX)
, @HTMLFooter NVARCHAR(MAX)
, @HTMLTemplateCategoryStart NVARCHAR(MAX)
, @HTMLTemplateCategoryEnd NVARCHAR(MAX)
, @HTMLTemplateSeverityStart NVARCHAR(MAX)
, @HTMLTemplateSeverityEnd NVARCHAR(MAX)
, @HTMLTemplatePerRow NVARCHAR(MAX)
, @HTMLNavHeader NVARCHAR(MAX)
, @HTMLNavFooter NVARCHAR(MAX)
, @HTMLNavCategoryStart NVARCHAR(MAX)
, @HTMLNavCategoryEnd NVARCHAR(MAX)
, @HTMLNavSeverityStart NVARCHAR(MAX)
, @HTMLNavSeverityEnd NVARCHAR(MAX)
, @HTMLNavPerRow NVARCHAR(MAX)
SET @HTMLHeader = N'<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<link rel="stylesheet" href="assets/css/main.css" />
<title>Vulnerability Assessment Tool Rules</title>
<style>pre {
/*background-color: lightgray;*/
white-space: pre-wrap; /* css-3 */
white-space: -moz-pre-wrap; /* Mozilla, since 1999 */
white-space: -pre-wrap; /* Opera 4-6 */
white-space: -o-pre-wrap; /* Opera 7 */
word-wrap: break-word; /* Internet Explorer 5.5+ */
}</style>
</head>
<body>
<!-- Replace this line with the contents from the Nav column -->
<main>'
SET @HTMLFooter = N'
</main>
</body></html>'
SET @HTMLTemplateCategoryStart = N'<section><header><h1 align="left"><a id="{{CategoryId}}"></a>{{Category}} - {{RuleCount}} rule(s)</h1></header>'
SET @HTMLTemplateCategoryEnd = N'</section>'
SET @HTMLTemplateSeverityStart = N'<section><header><h3 align="left"><a id="{{CategoryId}}_{{Severity}}"></a>Severity: {{Severity}}</h3></header>
<table cellspacing="0" border="1" cellpadding="3">'
SET @HTMLTemplateSeverityEnd = N'</table><p style="font-size: 12px"><a href="#nav">☝ back to top</a></p><hr></section>'
SET @HTMLTemplatePerRow = N'<tr><td><article>
<header><h3><a id="Rule_{{RuleId}}"></a>{{RuleId}}: {{Title}}</h3></header>
<details>
<summary>{{Description}}</summary>
<h4>Rationale:</h4><p>{{Rationale}}</p>
<h4>Query:</h4><p><pre>{{Query}}</pre></p>
<h4>Remediation:</h4>
<p>{{RemediationDescription}}</p>
<p><pre>{{RemediationScript}}</pre></p>
</details>
</article></td></tr>'
SET @HTMLNavHeader = N'<aside id="nav"><header><h1>Navigation</h1></header><nav><ul>'
SET @HTMLNavFooter = N'</ul></nav></aside>'
SET @HTMLNavCategoryStart = N'<li><a href="#{{CategoryId}}">{{Category}}</a> - {{RuleCount}} rule(s)<ul>'
SET @HTMLNavCategoryEnd = N'</ul></li>'
SET @HTMLNavSeverityStart = N'<li><a href="#{{CategoryId}}_{{Severity}}">Severity: {{Severity}}</a> - {{RuleCount}} rule(s)<ol>'
SET @HTMLNavSeverityEnd = N'</ol></li>'
SET @HTMLNavPerRow = N'<li><a href="#Rule_{{RuleId}}">{{RuleId}}</a>: {{Title}}</li>'
--SET @HTMLNavSeverityStart = N'<li><a href="#{{CategoryId}}_{{Severity}}">Severity: {{Severity}}</a> - {{RuleCount}} rule(s)'
--SET @HTMLNavSeverityEnd = N'</li>'
--SET @HTMLNavPerRow = N''
IF OBJECT_ID('tempdb..#data') IS NOT NULL DROP TABLE #data;
SELECT
dbo.Split_On_Upper_Case(JSON_VALUE(b.[value], '$.Category')) COLLATE database_default AS [CategoryTitle]
, JSON_VALUE(b.[value], '$.Category') COLLATE database_default AS [Category]
, JSON_VALUE(b.[value], '$.Severity') COLLATE database_default AS [Severity]
, CASE JSON_VALUE(b.[value], '$.Severity') WHEN 'High' THEN 1 WHEN 'Medium' THEN 2 WHEN 'Low' THEN 3 ELSE 0 END AS [Severity_Num]
, b.[key] COLLATE database_default AS RuleId
, JSON_VALUE(b.[value], '$.Title') COLLATE database_default AS [Title]
, JSON_VALUE(b.[value], '$.Description') COLLATE database_default AS [Description]
, JSON_VALUE(b.[value], '$.Rationale') COLLATE database_default AS [Rationale]
, ISNULL(JSON_VALUE(b.[value], '$.QueryCheck.Query'), qc.[value]) COLLATE database_default AS [Query]
, JSON_VALUE(b.[value], '$.RuleType') COLLATE database_default AS [RuleType]
, JSON_QUERY(b.[value], '$.QueryCheck.ColumnNames') COLLATE database_default AS [ColumnNames]
, JSON_VALUE(r.[value], '$.Remediation.Script') COLLATE database_default AS [RemediationScript]
, JSON_VALUE(r.[value], '$.Remediation.Description') COLLATE database_default AS [RemediationDescription]
-- Uncomment the two lines below if you want to output the specific results for your server
--, JSON_VALUE(r.[value], '$.Status') COLLATE database_default AS [FindingStatus]
--, JSON_QUERY(r.[value], '$.QueryResults') COLLATE database_default AS [FindingQueryResults]
INTO #data
FROM OPENJSON(@j, '$.Scans') AS a
CROSS APPLY OPENJSON(a.[value], '$.Rules') AS b
CROSS APPLY OPENJSON(a.[value], '$.Results') AS r
OUTER APPLY (SELECT [value] FROM OPENJSON(b.[value], '$.QueryCheck') WHERE [key] = 'Query') AS qc
WHERE b.[key] = JSON_VALUE(r.[value], '$.RuleId')
SELECT
Contents =
CASE
WHEN [Severity] IS NULL THEN -- Category header
CASE WHEN [CategoryId] > 1 THEN @HTMLTemplateCategoryEnd ELSE @HTMLHeader END
+ REPLACE(REPLACE(REPLACE(
@HTMLTemplateCategoryStart
, N'{{Category}}', [CategoryTitle])
, N'{{RuleCount}}', CONVERT(nvarchar,COUNT(*)))
, N'{{CategoryId}}', [Category])
WHEN [Severity] IS NOT NULL AND [RuleId] IS NULL THEN -- Severity header
REPLACE(REPLACE(REPLACE(REPLACE(
@HTMLTemplateSeverityStart
, N'{{Severity}}', [Severity])
, N'{{RuleCount}}', CONVERT(nvarchar,COUNT(*)))
, N'{{SeverityNum}}', [Severity_Num])
, N'{{CategoryId}}', [Category])
ELSE -- Data Row
REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(
@HTMLTemplatePerRow
,N'{{RuleId}}',[RuleId])
,N'{{Title}}',[Title])
,N'{{Description}}',[Description])
,N'{{Rationale}}',[Rationale])
,N'{{Query}}',ISNULL([Query], N''))
,N'{{RemediationScript}}', ISNULL([RemediationScript],N''))
,N'{{RemediationDescription}}', [RemediationDescription])
,N'{{Severity}}', [Severity])
END
+ CASE WHEN [RuleId_Desc] = 1 THEN @HTMLTemplateSeverityEnd ELSE N'' END
+ CASE WHEN Everything_Desc = 1 THEN @HTMLFooter ELSE N'' END
, Nav =
CASE
WHEN [Severity] IS NULL THEN -- Category header
CASE WHEN [CategoryId] > 1 THEN @HTMLNavCategoryEnd ELSE @HTMLNavHeader END
+ REPLACE(REPLACE(REPLACE(
@HTMLNavCategoryStart
, N'{{Category}}', [CategoryTitle])
, N'{{RuleCount}}', CONVERT(nvarchar,COUNT(*)))
, N'{{CategoryId}}', [Category])
WHEN [Severity] IS NOT NULL AND [RuleId] IS NULL THEN -- Severity header
REPLACE(REPLACE(REPLACE(REPLACE(
@HTMLNavSeverityStart
, N'{{Severity}}', [Severity])
, N'{{RuleCount}}', CONVERT(nvarchar,COUNT(*)))
, N'{{SeverityNum}}', [Severity_Num])
, N'{{CategoryId}}', [Category])
ELSE -- Data Row
REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(
@HTMLNavPerRow
,N'{{RuleId}}',[RuleId])
,N'{{Title}}',[Title])
,N'{{Description}}',[Description])
,N'{{Rationale}}',[Rationale])
,N'{{Query}}',ISNULL([Query], N''))
,N'{{RemediationScript}}', ISNULL([RemediationScript],N''))
,N'{{RemediationDescription}}', [RemediationDescription])
,N'{{Severity}}', [Severity])
END
+ CASE WHEN [RuleId_Desc] = 1 THEN @HTMLNavSeverityEnd ELSE N'' END
+ CASE WHEN Everything_Desc = 1 THEN @HTMLNavFooter ELSE N'' END
,COUNT(*) AS RuleCount, *
FROM
(
SELECT
DENSE_RANK() OVER (ORDER BY [Category]) AS CategoryId
, DENSE_RANK() OVER (ORDER BY [Category] DESC) AS CategoryId_Desc
, DENSE_RANK() OVER (PARTITION BY [Category] ORDER BY [Severity_Num]) AS SeverityId
, RANK() OVER (PARTITION BY [Category], [Severity] ORDER BY [RuleId] DESC) AS RuleId_Desc
, RANK() OVER (ORDER BY [Category] DESC, [Severity_Num] DESC, [RuleId] DESC) AS Everything_Desc
, *
FROM #data
) AS q
GROUP BY GROUPING SETS
(
([Category],[CategoryTitle],[CategoryId],CategoryId_Desc)
,([Category],[CategoryTitle],[CategoryId],CategoryId_Desc,[Severity],[SeverityId],[Severity_Num])
,([Category],[CategoryTitle],[CategoryId],CategoryId_Desc,[Severity],[SeverityId],[Severity_Num],RuleId_Desc,Everything_Desc,[RuleId],[Title],[Description],[Rationale],[Query],[RuleType],[ColumnNames],[RemediationScript],[RemediationDescription])
)
ORDER BY CategoryId, ISNULL([SeverityId],0), RuleId
Quit:
/******************************************************************
Parse SQL Vulnerability Assessment Tool Results
***********************************************
Author: Eitan Blumin | https://www.eitanblumin.com
Description:
Use this script to parse a Vulnerability Assessment Tool
results file into a relational structure.
This will output the T-SQL queries used by VAT behind the scenes
and their respective meta-data, as displayed in the VAT.
Also, if you uncomment two additional lines in the SQL
results below, then it will also output the results
saved in your specific results file.
Instructions:
1. Use SSMS to run a vulnerability check on your database.
2. Save the results file to a location accessible by a SQL Server.
3. Change the file path to the JSON file in the OPENROWSET command below.
4. Run the script and review the results.
Change Log:
2020-01-13 - Added comments, moved some columns around, added SINGLE_CLOB option
2019-07-21 - Initial version
*******************************************************************/
DECLARE @j NVARCHAR(MAX);
SELECT @j = BulkColumn
FROM OPENROWSET (
BULK 'C:\Temp\vat_example_results_file.json' -- enter the path to the json results file from the Vulnerability Assessment Tool
, SINGLE_CLOB -- uncomment this if the file is ASCII
-- , SINGLE_NCLOB -- uncomment this if the file is Unicode
) [FileName]
SET NOCOUNT ON;
IF ISJSON(@j) = 1
PRINT N'Imported JSON is valid'
ELSE
BEGIN
RAISERROR(N'Imported JSON is invalid!', 16,1);
GOTO Quit
END
SELECT
JSON_VALUE(b.[value], '$.Category') AS [Category]
, JSON_VALUE(b.[value], '$.Severity') AS [Severity]
, b.[key] AS RuleId
, JSON_VALUE(b.[value], '$.Title') AS [Title]
, JSON_VALUE(b.[value], '$.Description') AS [Description]
, JSON_VALUE(b.[value], '$.Rationale') AS [Rationale]
, ISNULL(JSON_VALUE(b.[value], '$.QueryCheck.Query'), qc.[value]) AS [Query]
, JSON_VALUE(b.[value], '$.RuleType') AS [RuleType]
, JSON_QUERY(b.[value], '$.QueryCheck.ColumnNames') AS [ColumnNames]
, JSON_VALUE(r.[value], '$.Remediation.Script') AS [RemediationScript]
, JSON_VALUE(r.[value], '$.Remediation.Description') AS [RemediationDescription]
-- Uncomment the two lines below if you want to output the specific results for your server
--, JSON_VALUE(r.[value], '$.Status') AS [FindingStatus]
--, JSON_QUERY(r.[value], '$.QueryResults') AS [FindingQueryResults]
FROM OPENJSON(@j, '$.Scans') AS a
CROSS APPLY OPENJSON(a.[value], '$.Rules') AS b
CROSS APPLY OPENJSON(a.[value], '$.Results') AS r
OUTER APPLY (SELECT [value] FROM OPENJSON(b.[value], '$.QueryCheck') WHERE [key] = 'Query') AS qc
WHERE b.[key] = JSON_VALUE(r.[value], '$.RuleId')
ORDER BY 1, CASE JSON_VALUE(b.[value], '$.Severity') WHEN N'Low' THEN 1 WHEN N'Medium' THEN 2 WHEN N'High' THEN 3 END DESC, 3
Quit:
{
"Format": "VANative",
"Version": "1.0",
"Scans": [
{
"Id": "2020-11-11T09-01-38",
"Tool": {
"Name": "<Unknown>",
"Version": "x.x.xxx"
},
"ScanType": "BoxDatabase",
"ScanTriggerType": "OnDemand",
"Server": "DESKTOP-LOCAL",
"Database": "MyDatabaseName",
"Platform": "SqlServer2019",
"SqlVersion": "15.0.4073",
"StartTime": "2020-11-11T07:01:38.7467760Z",
"Results": [
{
"RuleId": "VA1020",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Remove the special user GUEST from all roles.",
"Script": "ALTER ROLE [$0] DROP MEMBER GUEST",
"Automated": true,
"PortalLink": ""
}
},
{
"RuleId": "VA1043",
"Status": "NonFinding",
"QueryResults": [
[
"0"
]
],
"Remediation": {
"Description": "Remove all permissions granted to GUEST, especially the connect permission",
"Script": "REVOKE CONNECT FROM [GUEST]",
"Automated": true,
"PortalLink": ""
}
},
{
"RuleId": "VA1044",
"Status": "NonFinding",
"QueryResults": [
[
"0"
]
],
"Remediation": {
"Description": "Disable remote dedicated admin connections. A good alternative would be to access box directly and use DAC instead of RDAC.",
"Script": "EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE;\nEXECUTE sp_configure 'remote admin connections', 0; RECONFIGURE;\nEXECUTE sp_configure 'show advanced options', 0; RECONFIGURE;",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1048",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Change the login associated with the offending user and investigate why this user exists.",
"Script": "DECLARE @newlogin sysname = 'investigate_VA1048_' + convert(nvarchar(50),newid()); DECLARE @cmd nvarchar(max); SET @cmd = 'CREATE LOGIN ' + quotename(@newlogin) + ' WITH PASSWORD = ''' + convert(nvarchar(50),newid()) + ''', CHECK_POLICY = OFF;'; SET @cmd = @cmd + 'ALTER LOGIN ' + quotename(@newlogin) + ' DISABLE;'; SET @cmd = @cmd + 'ALTER USER [$0] WITH LOGIN = ' + quotename(@newlogin) + ';' EXEC( @cmd )",
"Automated": true,
"PortalLink": ""
}
},
{
"RuleId": "VA1051",
"Status": "NonFinding",
"QueryResults": [
[
"0",
"MyDatabaseName"
]
],
"Remediation": {
"Description": "Disable the AUTO_CLOSE option on the affected databases.",
"Script": "ALTER DATABASE [$1] SET AUTO_CLOSE OFF",
"Automated": true,
"PortalLink": ""
}
},
{
"RuleId": "VA1054",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Revoke unnecessary permissions granted to PUBLIC",
"Script": "REVOKE $0 ON [$1].[$2] FROM PUBLIC",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1070",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "You should rename the affected users or logins to avoid the confusion. This requires updating all applications which are using those as credentials as well.",
"Script": "",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1094",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Revoke permissions granted to users directly. Instead use Windows groups or server roles to grant permissions, and manage role memberships instead.",
"Script": "REVOKE $0 ON $1$2[$3] FROM [$4]",
"Automated": true,
"PortalLink": ""
}
},
{
"RuleId": "VA1095",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Revoke any unnecessary permissions granted to PUBLIC, but avoid changing permissions granted out of the box.",
"Script": "REVOKE $2 ON $0::[$1] FROM PUBLIC",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1096",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Revoke any unnecessary permissions granted to the special account GUEST",
"Script": "REVOKE $0 FROM GUEST",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1097",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Revoke any unnecessary permissions granted to the special account GUEST",
"Script": "REVOKE $2 ON [$0].[$1] FROM GUEST",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1098",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Change the affected endpoints to accept only AES connections",
"Script": "ALTER ENDPOINT [$0] FOR $1 ( ENCRYPTION = REQUIRED ALGORITHM AES )",
"Automated": true,
"PortalLink": ""
}
},
{
"RuleId": "VA1099",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Revoke any unnecessary permissions granted to the special account GUEST",
"Script": "REVOKE $2 ON $0::[$1] FROM GUEST",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1102",
"Status": "NonFinding",
"QueryResults": [
[
"0",
"MyDatabaseName"
]
],
"Remediation": {
"Description": "Disable the trustworthy bit (TWbit) from all affected databases.\nIf you need to use functionality that is controlled by the TWbit, it is recommended to use digital signatures to enable the functionality instead of enabling the TWbit on the database.",
"Script": "ALTER DATABASE [$1] SET TRUSTWORTHY OFF",
"Automated": true,
"PortalLink": ""
}
},
{
"RuleId": "VA1143",
"Status": "Finding",
"QueryResults": [
[
"1"
]
],
"Remediation": {
"Description": "Create users with low privileges to access the DB and any data stored in it with the appropriate set of permissions.",
"Script": "",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1219",
"Status": "Finding",
"QueryResults": [
[
"1"
]
],
"Remediation": {
"Description": "Enable TDE on the affected database. Please follow the instructions on https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption",
"Script": "",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1221",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Regenerate the DEK using AES",
"Script": "",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1222",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Create AES keys, re-encrypt the data using the new key, and drop the affected keys.",
"Script": "",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1223",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Create new certificates, re-encrypt the data/sign-data using the new key, and drop the affected keys.",
"Script": "",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1244",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Drop the orphaned users or remap them to a different login.",
"Script": "DROP USER [$0]",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1245",
"Status": "NonFinding",
"QueryResults": [
[
"0"
]
],
"Remediation": {
"Description": "Use ALTER AUTHORIZATION ON DATABASE DDL-command against the database to specify a new server principal that should be the owner of the database",
"Script": "",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1246",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Remove the application roles. Use users without login as a permission-based replacement",
"Script": "DROP APPLICATION ROLE [$0]",
"Automated": true,
"PortalLink": ""
}
},
{
"RuleId": "VA1248",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Remove user defined roles from fixed-database roles",
"Script": "ALTER ROLE [$0] DROP MEMBER [$1]",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1256",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Drop assemblies from the affected databases",
"Script": "DROP ASSEMBLY [$0]",
"Automated": true,
"PortalLink": ""
}
},
{
"RuleId": "VA1265",
"Status": "NonFinding",
"QueryResults": [
[
"0"
]
],
"Remediation": {
"Description": "Create and enable a new SERVER AUDIT SPECIFICATION that will audit FAILED_LOGIN_GROUP & SUCCESSFUL_LOGIN_GROUP events. This SERVER AUDIT SPECIFICATION must target a valid SERVER AUDIT object that is enabled.",
"Script": "CREATE DATABASE AUDIT SPECIFICATION [DbAuditSpec_db_logon_information_failed_succeessful]\n FOR SERVER AUDIT [<REPLACE WITH VALID AUDIT SPECIFICATION NAME>]\nADD (FAILED_DATABASE_AUTHENTICATION_GROUP),\nADD (SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP)\nWITH (STATE = ON)",
"Automated": true,
"PortalLink": ""
}
},
{
"RuleId": "VA1267",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Remove all contained users with password.\nAll affected applications will have to switch to Windows authentication, or create logins with password policy enforcement in order to connect to the DB.",
"Script": "DROP USER [$0];",
"Automated": true,
"PortalLink": ""
}
},
{
"RuleId": "VA1277",
"Status": "NonFinding",
"QueryResults": [
[
"0"
]
],
"Remediation": {
"Description": "Enable polybase network encryption (default)",
"Script": "EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE;\nEXECUTE sp_configure 'polybase network encryption', 1; RECONFIGURE;\nEXECUTE sp_configure 'show advanced options', 0; RECONFIGURE;",
"Automated": true,
"PortalLink": ""
}
},
{
"RuleId": "VA1281",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Keep track of role membership and remove unnecessary members from roles to avoid granting excessive permissions or update baseline to comply with new changes",
"Script": "ALTER ROLE [$0] DROP MEMBER [$1]",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA1282",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Drop the unnecessary database roles.",
"Script": "DROP ROLE [$0]",
"Automated": true,
"PortalLink": ""
}
},
{
"RuleId": "VA2020",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Revoke permissions from principals where not needed. It is recommended to have at most 1 principal granted a specific permission.",
"Script": "REVOKE $1 FROM [$3]",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA2033",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Revoke permissions from principals where not needed. It is recommended to have at most 1 principal granted a specific permission.",
"Script": "REVOKE $3 ON [$1].[$2] FROM [$5]",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA2108",
"Status": "Finding",
"QueryResults": [
[
"dbo",
"db_owner",
"WINDOWS_USER"
]
],
"Remediation": {
"Description": "Remove members who should not have access to the database role",
"Script": "ALTER ROLE [$1] DROP MEMBER [$0]",
"Automated": true,
"PortalLink": ""
}
},
{
"RuleId": "VA2109",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Remove members who should not have access to the database role",
"Script": "ALTER ROLE [$1] DROP MEMBER [$0]",
"Automated": true,
"PortalLink": ""
}
},
{
"RuleId": "VA2128",
"Status": "NonFinding",
"QueryResults": [
[
"0"
]
],
"Remediation": {
"Description": "Upgrade your SQL Server version to 2012 or higher.",
"Script": "",
"Automated": false,
"PortalLink": ""
}
},
{
"RuleId": "VA2129",
"Status": "NonFinding",
"QueryResults": [],
"Remediation": {
"Description": "Baseline or remove the signature from the modules ",
"Script": "DROP SIGNATURE FROM $0 BY $6 $1",
"Automated": false,
"PortalLink": ""
}
}
],
"Rules": {
"VA1020": {
"RuleId": "VA1020",
"Severity": "High",
"Category": "AuthenticationAndAuthorization",
"RuleType": "NegativeList",
"Title": "Database user GUEST should not be a member of any role",
"Description": "The guest user permits access to a database for any logins that are not mapped to a specific database user. This rule checks that no database roles are assigned to the Guest user.",
"Rationale": "Database Roles are the basic building block at the heart of separation of duties and the principle of least permission. Granting the Guest user membership to specific roles defeats this purpose.",
"QueryCheck": {
"Query": "SELECT name as [Role]\nFROM sys.database_role_members AS drms\nINNER JOIN sys.database_principals AS dps\n ON drms.role_principal_id = dps.principal_id\nWHERE member_principal_id = DATABASE_PRINCIPAL_ID('guest')",
"RequiresAdministrativeConnection": false,
"ExpectedResult": [],
"ColumnNames": [
"Role"
]
},
"BenchmarkReferences": [
{
"Benchmark": "FedRAMP",
"Reference": null
}
]
},
"VA1043": {
"RuleId": "VA1043",
"Severity": "Medium",
"Category": "AuthenticationAndAuthorization",
"RuleType": "Binary",
"Title": "Principal GUEST should not have access to any user database",
"Description": "The guest user permits access to a database for any logins that are not mapped to a specific database user. This rule checks that the guest user cannot connect to any database.",
"Rationale": "The special user GUEST is used to map any login that otherwise has no access to the database. This can result in principals gaining access to a database without having been explicitly granted permission to do so.",
"QueryCheck": {
"Query": "SELECT CASE\n WHEN EXISTS (\n SELECT *\n FROM sys.database_permissions AS perms\n INNER JOIN sys.database_principals AS usrs ON grantee_principal_id = principal_id\n WHERE grantee_principal_id = Database_principal_id('guest')\n AND perms.type = 'CO'\n AND [state] IN ('G', 'W')\n )\n THEN 1\n ELSE 0\n END AS Violation",
"RequiresAdministrativeConnection": false,
"ExpectedResult": [
[
"0"
]
],
"ColumnNames": [
"Violation"
]
},
"BenchmarkReferences": [
{
"Benchmark": "CIS",
"Reference": "v1.0.0-08-11-2017:3.2"
},
{
"Benchmark": "FedRAMP",
"Reference": null
}
]
},
"VA1044": {
"RuleId": "VA1044",
"Severity": "Medium",
"Category": "SurfaceAreaReduction",
"RuleType": "Binary",
"Title": "Remote Admin Connections should be disabled unless specifically required",
"Description": "This rule checks that remote dedicated admin connections are disabled if they are not being used for clustering to reduce attack surface area. SQL Server provides a dedicated administrator connection (DAC). The DAC lets an administrator access a running server to execute diagnostic functions or Transact-SQL statements, or to troubleshoot problems on the server and it becomes an attractive target to attack when it is enabled remotely.",
"Rationale": "The Dedicated Admin Connection (DAC) is intended to be used by administrators for troubleshooting in scenarios when normal connections are not available due to an abnormal state of the system. For scenarios, other than clusters, the DAC is intended to be used only on the same node, and not remotely, to prevent automated attacks against this entry point.",
"QueryCheck": {
"Query": "SELECT CASE\n WHEN EXISTS (SELECT *\n FROM sys.configurations\n WHERE NAME = 'remote admin connections'\n AND Cast(value AS INT) = 1\n AND ISNULL(SERVERPROPERTY('IsClustered'), 0) = 0) THEN 1\n ELSE 0\n END AS Violation",
"RequiresAdministrativeConnection": false,
"ExpectedResult": [
[
"0"
]
],
"ColumnNames": [
"Violation"
]
},
"BenchmarkReferences": [
{
"Benchmark": "CIS",
"Reference": "v1.0.0-08-11-2017:2.7"
},
{
"Benchmark": "FedRAMP",
"Reference": null
}
]
},
"VA1048": {
"RuleId": "VA1048",
"Severity": "High",
"Category": "AuthenticationAndAuthorization",
"RuleType": "NegativeList",
"Title": "Database principals should not be mapped to the sa account",
"Description": "A database principal that is mapped to the sa account can be exploited by an attacker to elevate permissions to sysadmin.",
"Rationale": "This enables privileged principals on a database to perform operations on other databases that have ownership chaining enabled - specifically msdb. An attacker can then exploit msdb to become sysadmin.",
"QueryCheck": {
"Query": "SELECT name AS Principal\n , SUSER_SNAME(sid) AS Login\nFROM sys.database_principals\nWHERE sid = 0x01\n AND principal_id != 1",
"RequiresAdministrativeConnection": false,
"ExpectedResult": [],
"ColumnNames": [
"Principal",
"Login"
]
}
},
"VA1051": {
"RuleId": "VA1051",
"Severity": "Medium",
"Category": "SurfaceAreaReduction",
"RuleType": "Binary",
"Title": "AUTO_CLOSE should be disabled on all databases",
"Description": "The AUTO_CLOSE option specifies whether the database shuts down gracefully and frees resources after the last user disconnects. Regardless of its benefits it can cause denial of service by aggressively opening and closing the database, thus it is important to keep this feature disabled. This rule checks that this option is disabled on the current database.",
"Rationale": "Databases marked with AUTO_CLOSE allows the DB to be closed if there are no active connections.\nIn the case of partially contained databases, the authentication of users occurs within the database itself, so the database must be opened every time to authenticate a user.\nFrequent opening/closing of the database consumes additional resources and may contribute to a denial of service attack.",
"QueryCheck": {
"Query": "SELECT CASE\n WHEN EXISTS (SELECT *\n FROM sys.databases\n WHERE NAME = Db_name()\n AND is_auto_close_on = 1) THEN 1\n ELSE 0\n END AS Violation\n , Db_name() AS [Database]",
"RequiresAdministrativeConnection": false,
"ExpectedResult": [
[
"0"
]
],
"ColumnNames": [
"Violation"
]
},
"BenchmarkReferences": [
{
"Benchmark": "CIS",
"Reference": "v1.0.0-08-11-2017:2.16"
},
{
"Benchmark": "FedRAMP",
"Reference": null
}
]
},
"VA1054": {
"RuleId": "VA1054",
"Severity": "Low",
"Category": "AuthenticationAndAuthorization",
"RuleType": "NegativeList",
"Title": "Excessive permissions should not be granted to PUBLIC role on objects or columns",
"Description": "Every SQL Server login belongs to the public server role. When a server principal has not been granted or denied specific permissions on a securable object, the user inherits the permissions granted to public on that object. This rule displays a list of all securable objects or columns that are accessible to all users through the PUBLIC role.",
"Rationale": "Database Roles are the basic building block at the heart of separation of duties and the principle of least permission. Granting permissions to principals through the default PUBLIC role defeats this purpose.",
"QueryCheck": {
"Query": "SELECT permission_name\n ,schema_name\n ,object_name\nFROM (\n SELECT objs.TYPE COLLATE database_default AS object_type\n ,schema_name(schema_id) COLLATE database_default AS schema_name\n ,objs.name COLLATE database_default AS object_name\n ,user_name(grantor_principal_id) COLLATE database_default AS grantor_principal_name\n ,permission_name COLLATE database_default AS permission_name\n ,perms.TYPE COLLATE database_default AS TYPE\n ,STATE COLLATE database_default AS STATE\n FROM sys.database_permissions AS perms\n INNER JOIN sys.objects AS objs\n ON objs.object_id = perms.major_id\n WHERE perms.class = 1 -- objects or columns. Other cases are handled by VA1095 which has different remediation syntax\n AND grantee_principal_id = DATABASE_PRINCIPAL_ID('public')\n AND [state] IN (\n 'G'\n ,'W'\n )\n AND NOT (\n -- These permissions are granted by default to public\n permission_name = 'EXECUTE'\n AND schema_name(schema_id) = 'dbo'\n AND STATE = 'G'\n AND objs.name IN (\n 'fn_sysdac_is_dac_creator'\n ,'fn_sysdac_is_currentuser_sa'\n ,'fn_sysdac_is_login_creator'\n ,'fn_sysdac_get_username'\n ,'sp_sysdac_ensure_dac_creator'\n ,'sp_sysdac_add_instance'\n ,'sp_sysdac_add_history_entry'\n ,'sp_sysdac_delete_instance'\n ,'sp_sysdac_upgrade_instance'\n ,'sp_sysdac_drop_database'\n ,'sp_sysdac_rename_database'\n ,'sp_sysdac_setreadonly_database'\n ,'sp_sysdac_rollback_committed_step'\n ,'sp_sysdac_update_history_entry'\n ,'sp_sysdac_resolve_pending_entry'\n ,'sp_sysdac_rollback_pending_object'\n ,'sp_sysdac_rollback_all_pending_objects'\n ,'fn_sysdac_get_currentusername'\n )\n OR permission_name = 'SELECT'\n AND schema_name(schema_id) = 'sys'\n AND STATE = 'G'\n AND objs.name IN (\n 'firewall_rules'\n ,'database_firewall_rules'\n ,'bandwidth_usage'\n ,'database_usage'\n ,'external_library_setup_errors'\n ,'sql_feature_restrictions'\n ,'resource_stats'\n ,'elastic_pool_resource_stats'\n ,'dm_database_copies'\n ,'geo_replication_links'\n ,'database_error_stats'\n ,'event_log'\n ,'database_connection_stats'\n )\n OR permission_name = 'SELECT'\n AND schema_name(schema_id) = 'dbo'\n AND STATE = 'G'\n AND objs.name IN (\n 'sysdac_instances_internal'\n ,'sysdac_history_internal'\n ,'sysdac_instances'\n )\n )\n\n ) t\nORDER BY object_type\n ,schema_name\n ,object_name\n ,TYPE\n ,STATE",
"RequiresAdministrativeConnection": false,
"ExpectedResult": [],
"ColumnNames": [
"Permission",
"Schema",
"Object"
]
},
"BenchmarkReferences": [
{
"Benchmark": "FedRAMP",
"Reference": null
}
]
},
"VA1070": {
"RuleId": "VA1070",
"Severity": "Low",
"Category": "AuthenticationAndAuthorization",
"RuleType": "NegativeList",
"Title": "Database users shouldn't share the same name as a server login",
"Description": "Database users may share the same name as a server login. This rule validates that there are no such users to avoid confusion.",
"Rationale": "Logins are created at the server level, while users are created at the database level. There are different types of users. Users with login are mapped to server level logins. Users with passwords can be created on a specific database, but are not mapped to server logins. This rule checks that users with passwords do not have the same name as any SQL login, as that can lead to false assessments of access rights.",
"QueryCheck": {
"Query": "SELECT dp.NAME AS [Principal]\nFROM sys.database_principals AS dp\nJOIN sys.server_principals AS sp\n ON dp.NAME = sp.NAME COLLATE database_default\nWHERE dp.sid != sp.sid\n AND dp.authentication_type = 2\nORDER BY dp.NAME",
"RequiresAdministrativeConnection": false,
"ExpectedResult": [],
"ColumnNames": [
"Principal"
]
},
"BenchmarkReferences": [
{
"Benchmark": "FedRAMP",
"Reference": null
}
]
},
"VA1094": {
"RuleId": "VA1094",
"Severity": "Low",
"Category": "AuthenticationAndAuthorization",
"RuleType": "NegativeList",
"Title": "Database permissions shouldn't be granted directly to principals",
"Description": "Permissions are rules associated with a securable object to regulate which users can gain access to the object. This rule checks that there are no DB permissions granted directly to users.",
"Rationale": "Individuals change organizations & job descriptions over time. It is highly recommended to use a centralized access control management through AD group membership.",
"QueryCheck": {
"Query": "SELECT permission_name AS [Permission],\n ISNULL(Schema_name(objs.schema_id), Replace(dp.class_desc, '_', ' ')) AS [Permission Class],\n CASE \n WHEN Schema_name(objs.schema_id) IS NULL THEN '::' ELSE '.' End AS [Class Separator],\n CASE\n WHEN dp.class = 0 THEN Db_name() -- database\n WHEN dp.class = 1 THEN objs.NAME -- Object or Column (VA1286)\n WHEN dp.class = 3 THEN Schema_name(major_id) -- schema\n WHEN dp.class = 4 THEN printarget.NAME -- principal\n WHEN dp.class = 5 THEN asm.NAME -- assembly\n WHEN dp.class = 6 THEN Type_name(major_id) -- type\n WHEN dp.class = 10 THEN xmlsc.NAME -- xml schema\n WHEN dp.class = 15 THEN msgt.NAME COLLATE database_default -- message types\n WHEN dp.class = 16 THEN svcc.NAME COLLATE database_default -- service contracts\n WHEN dp.class = 17 THEN svcs.NAME COLLATE database_default -- services\n WHEN dp.class = 18 THEN rsb.NAME COLLATE database_default -- remote service bindings\n WHEN dp.class = 19 THEN rts.NAME COLLATE database_default -- routes\n WHEN dp.class = 23 THEN ftc.NAME -- full text catalog\n WHEN dp.class = 24 THEN sym.NAME -- symmetric key\n WHEN dp.class = 25 THEN crt.NAME -- certificate\n WHEN dp.class = 26 THEN asym.NAME -- assymetric key\n END AS [Object],\n prin.NAME AS [Principal]\nFROM sys.database_permissions AS dp\nLEFT JOIN sys.all_objects AS objs ON objs.object_id = dp.major_id\nLEFT JOIN sys.database_principals AS prin ON dp.grantee_principal_id = prin.principal_id\nLEFT JOIN sys.assemblies AS asm ON dp.major_id = asm.assembly_id\nLEFT JOIN sys.xml_schema_collections AS xmlsc ON dp.major_id = xmlsc.xml_collection_id\nLEFT JOIN sys.service_message_types AS msgt ON dp.major_id = msgt.message_type_id\nLEFT JOIN sys.service_contracts AS svcc ON dp.major_id = svcc.service_contract_id\nLEFT JOIN sys.services AS svcs ON dp.major_id = svcs.service_id\nLEFT JOIN sys.remote_service_bindings AS rsb ON dp.major_id = rsb.remote_service_binding_id\nLEFT JOIN sys.routes AS rts ON dp.major_id = rts.route_id\nLEFT JOIN sys.database_principals AS printarget ON dp.major_id = printarget.principal_id\nLEFT JOIN sys.symmetric_keys AS sym ON dp.major_id = sym.symmetric_key_id\nLEFT JOIN sys.asymmetric_keys AS asym ON dp.major_id = asym.asymmetric_key_id\nLEFT JOIN sys.certificates AS crt ON dp.major_id = crt.certificate_id\nLEFT JOIN sys.fulltext_catalogs AS ftc ON dp.major_id = ftc.fulltext_catalog_id\nWHERE (prin.type = 'S' OR prin.type = 'W')\nAND dp.type != 'CO'\nAND prin.NAME NOT IN ( '##MS_PolicyEventProcessingLogin##',\n '##MS_PolicyTsqlExecutionLogin##' )\nAND [state] IN ('G','W')\nORDER BY Permission, [Permission Class], Object, [Principal]",
"RequiresAdministrativeConnection": false,
"ExpectedResult": [],
"ColumnNames": [
"Permission",
"Permission Class",
"Class Separator",
"Object",
"Principal"
]
},
"BenchmarkReferences": [
{
"Benchmark": "FedRAMP",
"Reference": null
}
]
},
"VA1095": {
"RuleId": "VA1095",
"Severity": "Medium",
"Category": "AuthenticationAndAuthorization",
"RuleType": "NegativeList",
"Title": "Excessive permissions should not be granted to PUBLIC role",
"Description": "Every SQL Server login belongs to the public server role. When a server principal has not been granted or denied specific permissions on a securable object, the user inherits the permissions granted to public on that object. This displays a list of all permissions that are granted to the PUBLIC role.",
"Rationale": "Database Roles are the basic building block at the heart of separation of duties and the principle of least permission. Granting permissions to principals through the default PUBLIC role defeats this purpose.",
"QueryCheck": {
"Query": "SELECT REPLACE(perms.class_desc, '_', ' ') AS [Permission Class]\n ,CASE\n WHEN perms.class = 0\n THEN db_name() -- database\n WHEN perms.class = 3\n THEN schema_name(major_id) -- schema\n WHEN perms.class = 4\n THEN printarget.NAME -- principal\n WHEN perms.class = 5\n THEN asm.NAME -- assembly\n WHEN perms.class = 6\n THEN type_name(major_id) -- type\n WHEN perms.class = 10\n THEN xmlsc.NAME -- xml schema\n WHEN perms.class = 15\n THEN msgt.NAME COLLATE DATABASE_DEFAULT -- message types\n WHEN perms.class = 16\n THEN svcc.NAME COLLATE DATABASE_DEFAULT -- service contracts\n WHEN perms.class = 17\n THEN svcs.NAME COLLATE DATABASE_DEFAULT -- services\n WHEN perms.class = 18\n THEN rsb.NAME COLLATE DATABASE_DEFAULT -- remote service bindings\n WHEN perms.class = 19\n THEN rts.NAME COLLATE DATABASE_DEFAULT -- routes\n WHEN perms.class = 23\n THEN ftc.NAME -- full text catalog\n WHEN perms.class = 24\n THEN sym.NAME -- symmetric key\n WHEN perms.class = 25\n THEN crt.NAME -- certificate\n WHEN perms.class = 26\n THEN asym.NAME -- assymetric key\n END AS [Object]\n ,perms.permission_name AS Permission\nFROM sys.database_permissions AS perms\nLEFT JOIN sys.database_principals AS prin ON perms.grantee_principal_id = prin.principal_id\nLEFT JOIN sys.assemblies AS asm ON perms.major_id = asm.assembly_id\nLEFT JOIN sys.xml_schema_collections AS xmlsc ON perms.major_id = xmlsc.xml_collection_id\nLEFT JOIN sys.service_message_types AS msgt ON perms.major_id = msgt.message_type_id\nLEFT JOIN sys.service_contracts AS svcc ON perms.major_id = svcc.service_contract_id\nLEFT JOIN sys.services AS svcs ON perms.major_id = svcs.service_id\nLEFT JOIN sys.remote_service_bindings AS rsb ON perms.major_id = rsb.remote_service_binding_id\nLEFT JOIN sys.routes AS rts ON perms.major_id = rts.route_id\nLEFT JOIN sys.database_principals AS printarget ON perms.major_id = printarget.principal_id\nLEFT JOIN sys.symmetric_keys AS sym ON perms.major_id = sym.symmetric_key_id\nLEFT JOIN sys.asymmetric_keys AS asym ON perms.major_id = asym.asymmetric_key_id\nLEFT JOIN sys.certificates AS crt ON perms.major_id = crt.certificate_id\nLEFT JOIN sys.fulltext_catalogs AS ftc ON perms.major_id = ftc.fulltext_catalog_id\nWHERE perms.grantee_principal_id = DATABASE_PRINCIPAL_ID('public')\n AND class != 1 -- Object or Columns (class = 1) are handled by VA1054 and have different remediation syntax\n AND [state] IN ('G','W')\n AND NOT (\n perms.class = 0\n AND prin.NAME = 'public'\n AND perms.major_id = 0\n AND perms.minor_id = 0\n AND permission_name IN (\n 'VIEW ANY COLUMN ENCRYPTION KEY DEFINITION'\n ,'VIEW ANY COLUMN MASTER KEY DEFINITION'\n )\n )\nORDER BY perms.class\n ,object_name(perms.major_id)\n ,perms.grantor_principal_id\n ,perms.STATE",
"RequiresAdministrativeConnection": false,
"ExpectedResult": [],
"ColumnNames": [
"Permission Class",
"Object",
"Permission"
]
},
"BenchmarkReferences": [
{
"Benchmark": "FedRAMP",
"Reference": null
}
]
},
"VA1096": {
"RuleId": "VA1096",
"Severity": "Low",
"Category": "AuthenticationAndAuthorization",
"RuleType": "NegativeList",
"Title": "Principal GUEST should not be granted permissions in the database",
"Description": "Each database includes a user called GUEST. Permissions granted to GUEST are inherited by users who have access to the database, but who do not have a user account in the database. This rule checks that all permissions have been revoked from the GUEST user.",
"Rationale": "The special user GUEST is used to map any logins that are not mapped to a specific database user. This can result in principals gaining access to a database without having been explicitly granted permission to do so.",
"QueryCheck": {
"Query": "SELECT perms.permission_name AS Permission\nFROM sys.database_permissions AS perms\nINNER JOIN sys.database_principals AS prin ON perms.grantee_principal_id = prin.principal_id\nWHERE prin.[name] = 'guest'\n AND perms.class = 0\n AND [state] IN ('G', 'W')",
"RequiresAdministrativeConnection": false,
"ExpectedResult": [],
"ColumnNames": [
"Permission"
]
},
"BenchmarkReferences": [
{
"Benchmark": "FedRAMP",
"Reference": null
}
]
},
"VA1097": {
"RuleId": "VA1097",
"Severity": "Low",
"Category": "AuthenticationAndAuthorization",
"RuleType": "NegativeList",
"Title": "Principal GUEST should not be granted permissions on objects or columns",
"Description": "Each database includes a user called GUEST. Permissions granted to GUEST are inherited by users who have access to the database, but who do not have a user account in the database. This rule checks that all permissions have been revoked from the GUEST user.",
"Rationale": "The special user GUEST is used to map any logins that are not mapped to a specific database user. This can result in principals gaining access to a database without having been explicitly granted permission to do so.",
"QueryCheck": {
"Query": "SELECT object_schema_name(major_id) AS [Schema Name]\n ,object_name(major_id) AS [Object]\n ,perms.permission_name AS Permission\nFROM sys.database_permissions AS perms\nINNER JOIN sys.database_principals AS prin ON perms.grantee_principal_id = prin.principal_id\nWHERE grantee_principal_id = DATABASE_PRINCIPAL_ID('guest')\n AND perms.class = 1\n AND [state] IN ('G','W')",
"RequiresAdministrativeConnection": false,
"ExpectedResult": [],
"ColumnNames": [
"Schema",
"Object",
"Permission"
]
},
"BenchmarkReferences": [
{
"Benchmark": "FedRAMP",
"Reference": null
}
]
},
"VA1098": {
"RuleId": "VA1098",
"Severity": "High",
"Category": "DataProtection",
"RuleType": "NegativeList",
"Title": "Any Existing Mirroring or SSB endpoint should require AES encryption",
"Description": "Mirroring endpoints, which are used for Always On Synchronization, as well as Service Broker endpoints support different encryption algorithms, including no encryption. This rule checks that any existing endpoint requires AES encryption.",
"Rationale": "Using a weak encryption algorithm or plaintext in communication protocols can lead to data manipulation including data loss, and/or connection hijacking.",
"QueryCheck": {
"Query": "SELECT ep.NAME AS [Name],\n ep.type_desc AS [Type]\nFROM sys.database_mirroring_endpoints AS dme\nJOIN sys.endpoints AS ep\n ON dme.endpoint_id = ep.endpoint_id\nWHERE dme.encryption_algorithm <> 2\n AND ep.type BETWEEN 3 AND 4\nUNION\nSELECT ep.NAME AS [Name],\n ep.type_desc AS [Type]\nFROM sys.service_broker_endpoints AS sbe\nJOIN sys.endpoints AS ep \n ON sbe.endpoint_id = ep.endpoint_id\nWHERE sbe.encryption_algorithm <> 2\n AND ep.type BETWEEN 3 AND 4",
"RequiresAdministrativeConnection": false,
"ExpectedResult": [],
"ColumnNames": [
"Endpoint Name",
"Endpoint Type"
]
},
"BenchmarkReferences": [
{
"Benchmark": "FedRAMP",
"Reference": null
}
]
},
"VA1099": {
"RuleId": "VA1099",
"Severity": "Low",
"Category": "AuthenticationAndAuthorization",
"RuleType": "NegativeList",
"Title": "GUEST user should not be granted permissions on database securables",
"Description": "Each database includes a user called GUEST. Permissions granted to GUEST are inherited by users who have access to the database, but who do not have a user account in the database. This rule checks that all permissions have been revoked from the GUEST user.",
"Rationale": "The special user GUEST is used to map any logins that are not mapped to a specific database user. This can result in principals gaining access to a database without having been explicitly granted permission to do so.",
"QueryCheck": {
"Query": "SELECT REPLACE(perms.class_desc, '_', ' ') AS [Permission Class],\n CASE\n WHEN perms.class=3 THEN schema_name(major_id) -- schema\n WHEN perms.class=4 THEN printarget.name -- principal\n WHEN perms.class=5 THEN asm.name -- assembly\n WHEN perms.class=6 THEN type_name(major_id) -- type\n WHEN perms.class=10 THEN xmlsc.name -- xml schema\n WHEN perms.class=15 THEN msgt.name COLLATE DATABASE_DEFAULT -- message types\n WHEN perms.class=16 THEN svcc.name COLLATE DATABASE_DEFAULT -- service contracts\n WHEN perms.class=17 THEN svcs.name COLLATE DATABASE_DEFAULT -- services\n WHEN perms.class=18 THEN rsb.name COLLATE DATABASE_DEFAULT -- remote service bindings\n WHEN perms.class=19 THEN rts.name COLLATE DATABASE_DEFAULT -- routes\n WHEN perms.class=23 THEN ftc.name -- full text catalog\n WHEN perms.class=24 then sym.name -- symmetric key\n WHEN perms.class=25 then crt.name -- certificate\n WHEN perms.class=26 then asym.name -- assymetric key\n END AS [Object],\n perms.permission_name AS Permission\nFROM sys.database_permissions AS perms\nLEFT JOIN\n sys.database_principals AS prin\n ON perms.grantee_principal_id = prin.principal_id\nLEFT JOIN\n sys.assemblies AS asm\n ON perms.major_id = asm.assembly_id\nLEFT JOIN\n sys.xml_schema_collections AS xmlsc\n ON perms.major_id = xmlsc.xml_collection_id\nLEFT JOIN\n sys.service_message_types AS msgt\n ON perms.major_id = msgt.message_type_id\nLEFT JOIN\n sys.service_contracts AS svcc\n ON perms.major_id = svcc.service_contract_id\nLEFT JOIN\n sys.services AS svcs\n ON perms.major_id = svcs.service_id\nLEFT JOIN\n sys.remote_service_bindings AS rsb\n ON perms.major_id = rsb.remote_service_binding_id\nLEFT JOIN\n sys.routes AS rts\n ON perms.major_id = rts.route_id\nLEFT JOIN\n sys.database_principals AS printarget\n ON perms.major_id = printarget.principal_id\nLEFT JOIN\n sys.symmetric_keys AS sym\n On perms.major_id = sym.symmetric_key_id\nLEFT JOIN\n sys.asymmetric_keys AS asym\n ON perms.major_id = asym.asymmetric_key_id\n LEFT JOIN\n sys.certificates AS crt\n ON perms.major_id = crt.certificate_id\nLEFT JOIN\n sys.fulltext_catalogs AS ftc\n ON perms.major_id = ftc.fulltext_catalog_id\nWHERE\n grantee_principal_id = DATABASE_PRINCIPAL_ID('guest')\n AND class in (3,4,5,6,10,15,16,17,18,19,23,24,25,26)\n AND [state] IN ('G','W')",
"RequiresAdministrativeConnection": false,
"ExpectedResult": [],
"ColumnNames": [
"Permission Class",
"Object",
"Permission"
]
},
"BenchmarkReferences": [
{
"Benchmark": "FedRAMP",
"Reference": null
}
]
},
"VA1102": {
"RuleId": "VA1102",
"Severity": "High",
"Category": "SurfaceAreaReduction",
"RuleType": "Binary",
"Title": "The Trustworthy bit should be disabled on all databases except MSDB",
"Description": "The TRUSTWORTHY database property is used to indicate whether the instance of SQL Server trusts the database and the contents within it. If this option is enabled, database modules (for example, user-defined functions or stored procedures) that use an impersonation context can access resources outside the database. This rule verifies that the TRUSTWORTHY bit is disabled on all databases, except MSDB.",
"Rationale": "The trustworthy bit (TWbit) is an access control mechanism that enables features that can lead to an elevation of privilege such as CLR and server-scope impersonation.\nFor more information: http://support.microsoft.com/kb/2183687",
"QueryCheck": {
"Query": "SELECT CASE\n WHEN EXISTS (SELECT *\n FROM sys.databases\n WHERE NAME = Db_name()\n AND is_trustworthy_on = 1) THEN 1\n ELSE 0\n END AS Violation,\n Db_name() AS [Database]",
"RequiresAdministrativeConnection": false,
"ExpectedResult": [
[
"0"
]
],
"ColumnNames": [
"Violation"
]
},
"BenchmarkReferences": [
{
"Benchmark": "CIS",
"Reference": "v1.0.0-08-11-2017:2.9"
},
{
"Benchmark": "FedRAMP",
"Reference": null
}
]
},
"VA1143": {
"RuleId": "VA1143",
"Severity": "Medium",
"Category": "SurfaceAreaReduction",
"RuleType": "Binary",
"Title": "'dbo' user should not be used for normal service operation",
"Description": "The 'dbo', or database owner, is a user account that has implied permissions to perform all activities in the database. Members of the sysadmin fixed server role are automatically mapped to dbo. This rule checks that dbo is not the only account allowed to access this database. Please note that on a newly created clean database this rule will fail until additional roles are created.",
"Rationale": "A compromised service that accesses the database with the 'dbo' user account will have full control of the database. To avoid this situation, lower privileged users should be defined for normal service operation, while the 'dbo' account should only be used for administrative tasks that require this privilege.",
"QueryCheck": {
"Query": "IF((SELECT count(*) from sys.database_principals WHERE principal_id >= 5 AND principal_id < 16384 ) > 0) SELECT 0 AS Violation\nELSE SELECT 1 AS Violation",
"RequiresAdministrativeConnection": false,
"ExpectedResult": [
[
"0"
]
],
"ColumnNames": [
"Violation"
]
},
"BenchmarkReferences": [
{
"Benchmark": "FedRAMP",
"Reference": null
}
]
},
"VA1219": {
"RuleId": "VA1219",
"Severity": "Medium",
"Category": "DataProtection",
"RuleType": "Binary",
"Title": "Transparent data encryption should be enabled",
"Description": "Transparent data encryption (TDE) helps to protect the database files against information disclosure by performing real-time encryption and decryption of the database, associated backups, and transaction log files 'at rest', without requiring changes to the application. This rule checks that TDE is enabled on the database.",
"Rationale": "Transparent Data Encryption (TDE) protects data 'at rest', meaning the data and log files are encrypted when stored on disk.",
"QueryCheck": {
"Query": "SELECT CASE WHEN EXISTS\n( SELECT *\n FROM sys.databases\n WHERE name = db_name()\n AND is_encrypted = 0)\nTHEN 1\nELSE 0\nEND AS [Violation]",
"RequiresAdministrativeConnection": false,
"ExpectedResult": [
[
"0"
]
],
"ColumnNames": [
"Violation"
]
},
"BenchmarkReferences": [
{
"Benchmark": "FedRAMP",
"Reference": null
}
]
},
"VA1221": {
"RuleId": "VA1221",
"Severity": "High",
"Category": "DataProtection",
"RuleType": "NegativeList",
"Title": "Database Encryption Symmetric Keys should use AES algorithm",
"Description": "SQL Server uses encryption keys to help secure data, credentials, and connection information that is stored in a server database. SQL Server has two kinds of keys: symmetric and asymmetric. This rule checks that Database Encryption Symmetric Keys use AES algorithm.",
"Rationale": "Weak encryption algorithms may lead to weaknesses in the data-at-rest protection.",
"QueryCheck": {
"Query": "SELECT db_name(database_id) as db_name, encryption_state, key_algorithm, key_length, encryptor_type\nFROM sys.dm_database_encryption_keys\nWHERE key_algorithm != 'AES'\nORDER BY db_name(database_id), encryption_state, key_algorithm, key_length, encryptor_type",
"RequiresAdministrativeConnection": false,
"ExpectedResult": [],
"ColumnNames": [
"Database",
"Encryption State",
"Key Algorithm",
"Key Length",
"Encryptor Type"
]
},
"BenchmarkReferences": [
{
"Benchmark": "FedRAMP",
"Reference": null
}
]
},
"VA1222": {
"RuleId": "VA1222",
"Severity": "High",
"Category": "DataProtection",
"RuleType": "NegativeList",
"Title": "Cell-Level Encryption keys should use AES algorithm",
"Description": "Cell-Level Encryption (CLE) allows you to encrypt your data using symmetric and asymmetric keys. This rule checks that Cell-Level Encryption symmetric keys use AES algorithm.",
"Rationale": "Weak encryption algorithms may lead to weaknesses in the data-at-rest protection",
"QueryCheck": {
"Query": "SELECT NAME AS [Name],\n algorithm_desc AS [Algorithm]\nFROM sys.symmetric_keys\nWHERE key_algorithm NOT IN ( 'A1', 'A2', 'A3' )\nORDER BY NAME,\n algorithm_desc",
"RequiresAdministrativeConnection": false,
"ExpectedResult": [],
"ColumnNames": [
"Key Name",
"Key Algorithm"
]
},
"BenchmarkReferences": [
{
"Benchmark": "FedRAMP",
"Reference": null
}
]
},
"VA1223": {
"RuleId": "VA1223",
"Severity": "High",
"Category": "DataProtection",
"RuleType": "NegativeList",
"Title": "Certificate keys should use at least 2048 bits",
"Description": "Certificate keys are used in RSA and other encryption algorithms to protect data. These keys need to be of enough length to secure the user's data. This rule checks that the key's length is at least 2048 bits for all certificates.",
"Rationale": "Key length defines the upper-bound on the encryption algorithm's security. Using short keys in encryption algorithms may lead to weaknesses in data-at-rest protection.",
"QueryCheck": {
"Query": "SELECT name, issuer_name, cert_serial_number, subject, thumbprint\nFROM sys.certificates\nWHERE key_length < 2048",
"RequiresAdministrativeConnection": false,
"ExpectedResult": [],
"ColumnNames": [
"Certificate Name",
"Issuer",
"Serial Number",
"Subject",
"Thumbprint"
]
},
"BenchmarkReferences": [
{
"Benchmark": "FedRAMP",
"Reference": null
}
]
},
"VA1244": {
"RuleId": "VA1244",
"Severity": "Medium",
"Category": "SurfaceAreaReduction",
"RuleType": "NegativeList",
"Title": "Orphaned users should be removed from SQL server databases",
"Description": "A database user that exists on a database, but has no corresponding login in master database or as an external resource (i.e. Windows user) is referred to as an orphaned user and it should either be removed or remapped to a valid login. This rule checks that there are no orphaned users.",
"Rationale": "Orphaned users are typically signs of a misconfiguration. These users create a risk because potential attackers might get access to them and inherit their permissions on the database.",
"QueryCheck": {
"Query": "SELECT NAME AS Principal\nFROM sys.database_principals\nWHERE sid NOT IN (\n SELECT sid\n FROM sys.server_principals\n )\n AND authentication_type_desc = 'INSTANCE'\n AND type = 'S'\n AND principal_id != 2\n AND DATALENGTH(sid) <= 28\nORDER BY NAME",
"RequiresAdministrativeConnection": false,
"ExpectedResult": [],
"ColumnNames": [
"Principal"
]
},
"BenchmarkReferences": [
{
"Benchmark": "CIS",
"Reference": "v1.0.0-08-11-2017:3.3"
},
{
"Benchmark": "FedRAMP",
"Reference": null
}
]
},
"VA1245": {
"RuleId": "VA1245",
"Severity": "High",
"Category": "SurfaceAreaReduction",
"RuleType": "Binary",
"Title": "The database owner information in the database should match the respective database owner information in the master database",
"Description": "Database ownership metadata is stored in two locations - in the master database and in the database itself. This stored metadata can sometimes become out of sync. For instance, when a database has been restored from a different server, or when the server principal stored as dbo no longer exists for some reason, the data stored in the database and the data stored in the master database will be out of sync.",
"Rationale": "The metadata about the database owner stored inside the database should match that stored in the master database. This helps avoid potential system problems, for instance permission problems when using some features such as CLR.",
"QueryCheck": {
"Query": "SELECT CASE\n WHEN EXISTS (\n SELECT *\n FROM sys.database_principals AS dbprs\n INNER JOIN sys.databases AS dbs\n ON dbprs.sid != dbs.owner_sid\n WHERE dbs.database_id = Db_id()\n AND dbprs.principal_id = 1\n )\n THEN 1\n ELSE 0\n END AS [Violation]",
"RequiresAdministrativeConnection": false,
"ExpectedResult": [
[
"0"
]
],
"ColumnNames": [
"Violation"
]
},
"BenchmarkReferences": [
{
"Benchmark": "FedRAMP",
"Reference": null
}
]
},
"VA1246": {
"RuleId": "VA1246",
"Severity": "Low",
"Category": "AuthenticationAndAuthorization",
"RuleType": "NegativeList",
"Title": "Application roles should not be used",
"Description": "An application role is a database principal that enables an application to run with its own user-like permissions. Application roles enable that only users connecting through a particular application can access specific data. Application roles are password-based (which applications typically hardcode) and not permission based, which exposes the database to approle impersonation by password-guessing. This rule checks that no application roles are defined in the database.",
"Rationale": "It is important to limit the possibility of acquiring user-like permissions to the database, and since application roles are password based, they can lead to impersonation of the application role via password-guessing.",
"QueryCheck": {
"Query": "SELECT name\nFROM sys.database_principals\nWHERE type = 'A'\nORDER BY name",
"RequiresAdministrativeConnection": false,
"ExpectedResult": [],
"ColumnNames": [
"Role"
]
},
"BenchmarkReferences": [
{
"Benchmark": "FedRAMP",
"Reference": null
}
]
},
"VA1248": {
"RuleId": "VA1248",
"Severity": "Medium",
"Category": "AuthenticationAndAuthorization",
"RuleType": "NegativeList",
"Title": "User-defined database roles should not be members of fixed roles",
"Description": "To easily manage the permissions in your databases, SQL Server provides several roles which are security principals that group other principals. They are like groups in the Microsoft Windows operating system. Database accounts and other SQL Server roles can be added into database-level roles. Each member of a fixed-database role can add other users to that same role. This rule checks that no user-defined roles are members of fixed roles",
"Rationale": "Adding user defined database roles as members of fixed roles could enable unintended privilege escalation, also finding any metadata indicating that the fixed roles have been modified is typically a sign of data corruption or signs of somebody corrupting the metadata in order to hide unusual activity.",
"QueryCheck": {
"Query": "SELECT user_name(roles.role_principal_id) as role, user_name(roles.member_principal_id) as member\nFROM sys.database_role_members AS roles, sys.database_principals users\nWHERE roles.member_principal_id = users.principal_id\nAND ( roles.role_principal_id >= 16384 AND roles.role_principal_id <= 16393)\nAND users.type = 'R'\nORDER BY user_name(roles.role_principal_id), user_name(roles.member_principal_id)",
"RequiresAdministrativeConnection": false,
"ExpectedResult": [],
"ColumnNames": [
"Role",
"Member"
]
},
"BenchmarkReferences": [
{
"Benchmark": "FedRAMP",
"Reference": null
}
]
},
"VA1256": {
"RuleId": "VA1256",
"Severity": "High",
"Category": "SurfaceAreaReduction",
"RuleType": "NegativeList",
"Title": "User CLR assemblies should not be defined in the database",
"Description": "CLR assemblies can be used to execute arbitrary code on SQL Server process. This rule checks that there are no user-defined CLR assemblies in the database",
"Rationale": "Using CLR assemblies can bring a security flaw to the SQL Server instance and to all other network resources accessible from it",
"MitigatedBy": "VA1023",
"QueryCheck": {
"Query": "SELECT name FROM sys.assemblies WHERE is_user_defined != 0",
"RequiresAdministrativeConnection": false,
"ExpectedResult": [],
"ColumnNames": [
"Assembly"
]
},
"BenchmarkReferences": [
{
"Benchmark": "FedRAMP",
"Reference": null
}
]
},
"VA1265": {
"RuleId": "VA1265",
"Severity": "Medium",
"Category": "AuditingAndLogging",
"RuleType": "Binary",
"Title": "Auditing of both successful and failed login attempts for contained DB authentication should be enabled",
"Description": "SQL Server auditing configuration enables adminstrators to track users logging to SQL Server instances that they're responsible for. This rules checks that auditing is enabled for both successful and failed login attempts for contained DB authentication.",
"Rationale": "Logging successful & failed login attempts provides information that can be used to detect brute-force based password attacks against the system as well as forensic information.",
"QueryCheck": {
"Query": "DECLARE @check_results INT = 0;\nDECLARE @violation INT = 1;\n\nSELECT @check_results = containment\nFROM sys.databases\nWHERE name = db_name();\n\nPRINT @check_results\n\nIF( @check_results != 0 )\n BEGIN\n DECLARE @success_logon_event INT = 0;\n DECLARE @fail_logon_event INT = 0;\n\n SELECT @success_logon_event = Count(*)\n FROM sys.server_audits adts,\n sys.server_audit_specifications srvadtspecs,\n sys.server_audit_specification_details srvadtspecdtls\n WHERE adts.audit_guid = srvadtspecs.audit_guid\n AND adts.is_state_enabled = 1\n AND srvadtspecs.is_state_enabled = 1\n AND srvadtspecdtls.audited_result = 'SUCCESS AND FAILURE'\n AND srvadtspecdtls.audit_action_id = 'DAGS';\n\n SELECT @fail_logon_event = Count(*)\n FROM sys.server_audits adts,\n sys.server_audit_specifications srvadtspecs,\n sys.server_audit_specification_details srvadtspecdtls\n WHERE adts.audit_guid = srvadtspecs.audit_guid\n AND adts.is_state_enabled = 1\n AND srvadtspecs.is_state_enabled = 1\n AND srvadtspecdtls.audited_result = 'SUCCESS AND FAILURE'\n AND srvadtspecdtls.audit_action_id = 'DAGF';\n\n DECLARE @db_success_logon_event INT = 0;\n DECLARE @db_fail_logon_event INT = 0;\n\n SELECT @db_success_logon_event = Count(*)\n FROM sys.server_audits adts,\n sys.database_audit_specifications dbadtspecs,\n sys.database_audit_specification_details dbadtspecdtls\n WHERE adts.audit_guid = dbadtspecs.audit_guid\n AND adts.is_state_enabled = 1\n AND dbadtspecs.is_state_enabled = 1\n AND dbadtspecdtls.audited_result = 'SUCCESS AND FAILURE'\n AND dbadtspecdtls.audit_action_id = 'DAGS';\n\n SELECT @db_fail_logon_event = Count(*)\n FROM sys.server_audits adts,\n sys.database_audit_specifications dbadtspecs,\n sys.database_audit_specification_details dbadtspecdtls\n WHERE adts.audit_guid = dbadtspecs.audit_guid\n AND adts.is_state_enabled = 1\n AND dbadtspecs.is_state_enabled = 1\n AND dbadtspecdtls.audited_result = 'SUCCESS AND FAILURE'\n AND dbadtspecdtls.audit_action_id = 'DAGF';\n\n IF( ( @success_logon_event\n + @db_success_logon_event ) > 0\n AND ( @fail_logon_event + @db_fail_logon_event ) > 0 )\n SET @violation = 0;\n END\nELSE\n BEGIN\n SET @violation = 0; -- ignore if DB is not contained\n END\n\nSELECT @violation AS [Violation];",
"RequiresAdministrativeConnection": false,
"ExpectedResult": [
[
"0"
]
],
"ColumnNames": [
"Violation"
]
},
"BenchmarkReferences": [
{
"Benchmark": "CIS",
"Reference": "v1.0.0-08-11-2017:5.3"
},
{
"Benchmark": "FedRAMP",
"Reference": null
}
]
},
"VA1267": {
"RuleId": "VA1267",
"Severity": "Medium",
"Category": "AuthenticationAndAuthorization",
"RuleType": "NegativeList",
"Title": "Contained users should use Windows Authentication",
"Description": "Contained users are users that exist within the database, and do not require a login mapping. This rule checks that contained users use Windows Authentication.",
"Rationale": "Authentication must be centrally managed in order to enforce the domain password policies.",
"QueryCheck": {
"Query": "SELECT NAME AS [Principal]\nFROM sys.database_principals\nWHERE authentication_type = 2\nORDER BY NAME,\n type_desc,\n authentication_type",
"RequiresAdministrativeConnection": false,
"ExpectedResult": [],
"ColumnNames": [
"Principal"
]
},
"BenchmarkReferences": [
{
"Benchmark": "CIS",
"Reference": "v1.0.0-08-11-2017:3.4"
},
{
"Benchmark": "FedRAMP",
"Reference": null
}
]
},
"VA1277": {
"RuleId": "VA1277",
"Severity": "High",
"Category": "SurfaceAreaReduction",
"RuleType": "Binary",
"Title": "Polybase network encryption should be enabled",
"Description": "PolyBase is a technology that accesses and combines both non-relational and relational data, all from within SQL Server. Polybase network encryption option configures SQL Server to encrypt control and data channels when using Polybase. This rule verifies that this option is enabled.",
"Rationale": "Having any communication protocol without encryption can lead to multiple security problems, including data loss, data tampering & leak of authentication credentials.",
"MitigatedBy": "VA2126",
"QueryCheck": {
"Query": "SELECT CASE\n WHEN EXISTS (SELECT *\n FROM sys.configurations\n WHERE NAME = 'polybase network encryption'\n AND Cast(value AS INT) = 0) THEN 1\n ELSE 0\n END AS Violation",
"RequiresAdministrativeConnection": false,
"ExpectedResult": [
[
"0"
]
],
"ColumnNames": [
"Violation"
]
},
"BenchmarkReferences": [
{
"Benchmark": "FedRAMP",
"Reference": null
}
]
},
"VA1281": {
"RuleId": "VA1281",
"Severity": "Medium",
"Category": "AuditingAndLogging",
"RuleType": "BaselineExpected",
"Title": "All memberships for user-defined roles should be intended",
"Description": "User-defined roles are security principals defined by the user to group principals to easily manage permissions. Monitoring these roles is important to avoid having excessive permissions. Create a baseline which defines expected membership for each user-defined role. This rule checks whether all memberships for user-defined roles are as defined in the baseline",
"Rationale": "Keeping track of role memberships is important to avoid granting excessive permissions",
"QueryCheck": {
"Query": "SELECT user_name(role_principal_id) as role_name, user_name(member_principal_id) as member_name\nFROM sys.database_role_members\nWHERE role_principal_id NOT IN (16384,16385,16386,16387,16389,16390,16391,16392,16393)\nORDER BY role_principal_id, member_principal_id",
"RequiresAdministrativeConnection": false,
"ExpectedResult": [],
"ColumnNames": [
"Role",
"Member"
]
},
"BenchmarkReferences": [
{
"Benchmark": "FedRAMP",
"Reference": null
}
]
},
"VA1282": {
"RuleId": "VA1282",
"Severity": "Low",
"Category": "AuthenticationAndAuthorization",
"RuleType": "NegativeList",
"Title": "Orphan database roles should be removed",
"Description": "Orphan database roles are user-defined roles that have no members. It is recommended to eliminate orphaned roles as they are not needed on the system. This rule checks whether there are any orphan roles",
"Rationale": "Reduce the attack surface area by eliminating unnecessary database roles in the system.",
"QueryCheck": {
"Query": "SELECT name FROM sys.database_principals\nWHERE type = 'R'\nAND principal_id not in (0,16384,16385,16386,16387,16389,16390,16391,16392,16393)\nAND principal_id not in ( SELECT distinct role_principal_id\nFROM sys.database_role_members )",
"RequiresAdministrativeConnection": false,
"ExpectedResult": [],
"ColumnNames": [
"Role"
]
},
"BenchmarkReferences": [
{
"Benchmark": "FedRAMP",
"Reference": null
}
]
},
"VA2020": {
"RuleId": "VA2020",
"Severity": "High",
"Category": "AuthenticationAndAuthorization",
"RuleType": "BaselineExpected",
"Title": "Minimal set of principals should be granted ALTER or ALTER ANY USER database-scoped permissions",
"Description": "Every SQL Server securable has permissions associated with it that can be granted to principals. Permissions can be scoped at the server level (assigned to logins and server roles) or at the database level (assigned to database users and database roles). These rules check that only a minimal set of principals are granted ALTER or ALTER ANY USER database-scoped permissions.",
"Rationale": "Developing an application using a least-privileged user account (LUA) approach is an important part of a defensive, in-depth strategy for countering security threats. The LUA approach ensures that users follow the principle of least privilege and always log on with limited user accounts. Administrative tasks are broken out using fixed server roles, and the use of the sysadmin fixed server role is severely restricted. Always follow the principle of least privilege when granting permissions to database users. Grant the minimum permissions necessary to a user or role to accomplish a given task. See https://msdn.microsoft.com/en-us/library/bb669084(v=vs.110).aspx.",
"QueryCheck": {
"Query": "SELECT perms.class_desc AS [Permission Class]\n ,perms.permission_name AS Permission\n ,type_desc AS [Principal Type]\n ,prin.name AS Principal\nFROM sys.database_permissions AS perms\nINNER JOIN sys.database_principals AS prin ON perms.grantee_principal_id = prin.principal_id\nWHERE permission_name IN (\n 'ALTER'\n ,'ALTER ANY USER'\n )\n AND user_name(grantee_principal_id) NOT IN (\n 'guest'\n ,'public'\n )\n AND perms.class = 0\n AND [state] IN ('G','W')\n AND NOT (\n prin.type = 'S'\n AND prin.name = 'dbo'\n AND prin.authentication_type = 1\n AND prin.owning_principal_id IS NULL\n )",
"RequiresAdministrativeConnection": false,
"ExpectedResult": [],
"ColumnNames": [
"Permission Class",
"Permission",
"Principal Type",
"Principal"
]
},
"BenchmarkReferences": [
{
"Benchmark": "FedRAMP",
"Reference": null
}
]
},
"VA2033": {
"RuleId": "VA2033",
"Severity": "Low",
"Category": "AuthenticationAndAuthorization",
"RuleType": "BaselineExpected",
"Title": "Minimal set of principals should be granted EXECUTE permission on objects or columns",
"Description": "This rule checks which principals are granted EXECUTE permission on objects or columns to ensure this permission is granted to a minimal set of principals. Every SQL Server securable has permissions associated with it that can be granted to principals.\nPermissions can be scoped at the server level (assigned to logins and server roles) or at the database level (assigned to database users, database roles or application roles). The EXECUTE permission applies to both stored procedures and scalar functions, which can be used in computed columns.",
"Rationale": "Developing an application using a least-privileged user account (LUA) approach is an important part of a defensive, in-depth strategy for countering security threats. The LUA approach ensures that users follow the principle of least privilege and always log on with limited user accounts. Administrative tasks are broken out using fixed server roles, and the use of the sysadmin fixed server role is severely restricted. Always follow the principle of least privilege when granting permissions to database users. Grant the minimum permissions necessary to a user or role to accomplish a given task. See https://msdn.microsoft.com/en-us/library/bb669084(v=vs.110).aspx.",
"QueryCheck": {
"Query": "IF object_id('tempdb.dbo.#entries_to_exclude', 'U') IS NOT NULL\n DROP TABLE #entries_to_exclude;\n\nCREATE TABLE #entries_to_exclude (\n object_name VARCHAR(64),\n state_desc VARCHAR(24),\n prin_name VARCHAR(64),\n user_name VARCHAR(20),\n prin_type CHAR(1)\n )\n \nINSERT INTO #entries_to_exclude (object_name, state_desc, prin_name, user_name, prin_type)\n VALUES ('sp_add_job', 'DENY', 'TargetServersRole', 'dbo', 'R')\n ,('sp_add_jobschedule', 'DENY', 'TargetServersRole', 'dbo', 'R')\n ,('sp_add_jobserver', 'DENY', 'TargetServersRole', 'dbo', 'R')\n ,('sp_add_jobstep', 'DENY', 'TargetServersRole', 'dbo', 'R')\n ,('sp_addtask', 'DENY', 'TargetServersRole', 'dbo', 'R')\n ,('sp_delete_job', 'DENY', 'TargetServersRole', 'dbo', 'R')\n ,('sp_delete_jobschedule', 'DENY', 'TargetServersRole', 'dbo', 'R')\n ,('sp_delete_jobserver', 'DENY', 'TargetServersRole', 'dbo', 'R')\n ,('sp_delete_jobstep', 'DENY', 'TargetServersRole', 'dbo', 'R')\n ,('sp_droptask', 'DENY', 'TargetServersRole', 'dbo', 'R')\n ,('sp_post_msx_operation', 'DENY', 'TargetServersRole', 'dbo', 'R')\n ,('sp_start_job', 'DENY', 'TargetServersRole', 'dbo', 'R')\n ,('sp_stop_job', 'DENY', 'TargetServersRole', 'dbo', 'R')\n ,('sp_update_job', 'DENY', 'TargetServersRole', 'dbo', 'R')\n ,('sp_update_jobschedule', 'DENY', 'TargetServersRole', 'dbo', 'R')\n ,('sp_update_jobstep', 'DENY', 'TargetServersRole', 'dbo', 'R')\n ,('sp_syspolicy_events_reader', 'GRANT', '##MS_PolicyEventProcessingLogin##', 'dbo', 'S')\n ,('sp_syspolicy_execute_policy', 'GRANT', '##MS_PolicyEventProcessingLogin##', 'dbo', 'S')\n ,('fn_cColvEntries_80', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_cdc_check_parameters', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_cdc_decrement_lsn', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_cdc_get_column_ordinal', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_cdc_get_max_lsn', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_cdc_get_min_lsn', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_cdc_has_column_changed', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_cdc_hexstrtobin', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_cdc_increment_lsn', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_cdc_is_bit_set', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_cdc_map_lsn_to_time', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_cdc_map_time_to_lsn', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_fIsColTracked', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_GetCurrentPrincipal', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_GetRowsetIdFromRowDump', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_hadr_backup_is_preferred_replica', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_hadr_is_primary_replica', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_hadr_is_same_replica', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_IsBitSetInBitmask', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_isrolemember', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_MapSchemaType', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_MSdayasnumber', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_MSgeneration_downloadonly', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_MSget_dynamic_filter_login', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_MSorbitmaps', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_MSrepl_map_resolver_clsid', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_MStestbit', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_MSvector_downloadonly', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_numberOf1InBinaryAfterLoc', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_numberOf1InVarBinary', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_PhysLocFormatter', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_repl_hash_binary', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_repladjustcolumnmap', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_repldecryptver4', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_replformatdatetime', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_replgetparsedddlcmd', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_replp2pversiontotranid', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_replreplacesinglequote', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_replreplacesinglequoteplusprotectstring', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_repluniquename', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_replvarbintoint', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_sqlvarbasetostr', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_sysdac_get_currentusername', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_sysdac_get_username', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_sysdac_is_currentuser_sa', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_sysdac_is_dac_creator', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_sysdac_is_login_creator', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_syspolicy_is_automation_enabled', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_varbintohexstr', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_varbintohexsubstring', 'GRANT', 'public', 'dbo', 'R')\n ,('fn_yukonsecuritymodelrequired', 'GRANT', 'public', 'dbo', 'R')\n ,('GeographyCollectionAggregate', 'GRANT', 'public', 'dbo', 'R')\n ,('GeographyConvexHullAggregate', 'GRANT', 'public', 'dbo', 'R')\n ,('GeographyEnvelopeAggregate', 'GRANT', 'public', 'dbo', 'R')\n ,('GeographyUnionAggregate', 'GRANT', 'public', 'dbo', 'R')\n ,('GeometryCollectionAggregate', 'GRANT', 'public', 'dbo', 'R')\n ,('GeometryConvexHullAggregate', 'GRANT', 'public', 'dbo', 'R')\n ,('GeometryEnvelopeAggregate', 'GRANT', 'public', 'dbo', 'R')\n ,('GeometryUnionAggregate', 'GRANT', 'public', 'dbo', 'R')\n ,('ORMask', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_add_agent_parameter', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_add_agent_profile', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_add_log_shipping_alert_job', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_add_log_shipping_primary_database', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_add_log_shipping_primary_secondary', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_add_log_shipping_secondary_database', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_add_log_shipping_secondary_primary', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_addapprole', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_addarticle', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_adddatatype', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_adddatatypemapping', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_adddistpublisher', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_adddistributiondb', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_adddistributor', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_adddynamicsnapshot_job', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_addextendedproperty', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_AddFunctionalUnitToComponent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_addlinkedserver', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_addlinkedsrvlogin', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_addlogin', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_addlogreader_agent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_addmergealternatepublisher', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_addmergearticle', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_addmergefilter', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_addmergelogsettings', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_addmergepartition', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_addmergepublication', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_addmergepullsubscription', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_addmergepullsubscription_agent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_addmergepushsubscription_agent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_addmergesubscription', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_addmessage', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_addpublication', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_addpublication_snapshot', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_addpullsubscription', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_addpullsubscription_agent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_addpushsubscription_agent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_addqreader_agent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_addqueued_artinfo', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_addremotelogin', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_addrole', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_addrolemember', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_addscriptexec', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_addserver', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_addsrvrolemember', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_addsubscriber', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_addsubscriber_schedule', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_addsubscription', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_addsynctriggers', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_addsynctriggerscore', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_addtabletocontents', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_addtype', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_addumpdevice', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_adduser', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_adjustpublisheridentityrange', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_altermessage', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_approlepassword', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_article_validation', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_articlecolumn', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_articlefilter', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_articleview', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_assemblies_rowset', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_assemblies_rowset_rmt', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_assemblies_rowset2', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_assembly_dependencies_rowset', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_assembly_dependencies_rowset_rmt', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_assembly_dependencies_rowset2', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_attach_db', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_attach_single_file_db', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_attachsubscription', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_audit_write', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_autostats', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_availability_group_command_internal', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_bcp_dbcmptlevel', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_begin_parallel_nested_tran', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_bindefault', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_bindrule', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_bindsession', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_browsemergesnapshotfolder', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_browsereplcmds', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_browsesnapshotfolder', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_can_tlog_be_applied', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_catalogs', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_catalogs_rowset', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_catalogs_rowset_rmt', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_catalogs_rowset2', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_cdc_add_job', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_cdc_change_job', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_cdc_cleanup_change_table', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_cdc_dbsnapshotLSN', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_cdc_disable_db', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_cdc_disable_table', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_cdc_drop_job', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_cdc_enable_db', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_cdc_enable_table', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_cdc_generate_wrapper_function', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_cdc_get_captured_columns', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_cdc_get_ddl_history', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_cdc_help_change_data_capture', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_cdc_help_jobs', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_cdc_restoredb', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_cdc_scan', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_cdc_start_job', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_cdc_stop_job', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_cdc_vupgrade', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_cdc_vupgrade_databases', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_change_agent_parameter', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_change_agent_profile', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_change_log_shipping_primary_database', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_change_log_shipping_secondary_database', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_change_log_shipping_secondary_primary', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_change_subscription_properties', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_change_tracking_waitforchanges', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_change_users_login', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_changearticle', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_changearticlecolumndatatype', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_changedbowner', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_changedistpublisher', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_changedistributiondb', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_changedistributor_password', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_changedistributor_property', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_changedynamicsnapshot_job', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_changelogreader_agent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_changemergearticle', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_changemergefilter', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_changemergelogsettings', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_changemergepublication', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_changemergepullsubscription', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_changemergesubscription', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_changeobjectowner', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_changepublication', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_changepublication_snapshot', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_changeqreader_agent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_changereplicationserverpasswords', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_changesubscriber', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_changesubscriber_schedule', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_changesubscription', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_changesubscriptiondtsinfo', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_changesubstatus', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_check_constbytable_rowset', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_check_constbytable_rowset2', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_check_constraints_rowset', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_check_constraints_rowset2', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_check_dynamic_filters', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_check_for_sync_trigger', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_check_join_filter', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_check_log_shipping_monitor_alert', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_check_publication_access', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_check_subset_filter', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_check_sync_trigger', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_checkinvalidivarticle', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_checkOraclepackageversion', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_clean_db_file_free_space', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_clean_db_free_space', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_cleanmergelogfiles', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_cleanup_log_shipping_history', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_cleanup_temporal_history', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_cleanupdbreplication', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_column_privileges', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_column_privileges_ex', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_column_privileges_rowset', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_column_privileges_rowset_rmt', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_column_privileges_rowset2', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_columns', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_columns_100', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_columns_100_rowset', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_columns_100_rowset2', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_columns_90', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_columns_90_rowset', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_columns_90_rowset_rmt', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_columns_90_rowset2', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_columns_ex', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_columns_ex_100', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_columns_ex_90', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_columns_managed', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_columns_rowset', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_columns_rowset_rmt', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_columns_rowset2', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_commit_parallel_nested_tran', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_configure', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_configure_peerconflictdetection', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_constr_col_usage_rowset', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_constr_col_usage_rowset2', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_control_dbmasterkey_password', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_control_plan_guide', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_copymergesnapshot', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_copysnapshot', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_copysubscription', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_create_plan_guide', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_create_plan_guide_from_handle', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_createmergepalrole', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_createorphan', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_createstats', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_createtranpalrole', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_cursor', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_cursor_list', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_cursorclose', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_cursorexecute', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_cursorfetch', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_cursoropen', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_cursoroption', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_cursorprepare', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_cursorprepexec', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_cursorunprepare', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_databases', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_datatype_info', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_datatype_info_100', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_datatype_info_90', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_db_ebcdic277_2', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_db_increased_partitions', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_db_selective_xml_index', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_db_vardecimal_storage_format', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_dbcmptlevel', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_dbfixedrolepermission', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_dbmmonitoraddmonitoring', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_dbmmonitorchangealert', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_dbmmonitorchangemonitoring', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_dbmmonitordropalert', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_dbmmonitordropmonitoring', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_dbmmonitorhelpalert', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_dbmmonitorhelpmonitoring', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_dbmmonitorresults', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_dbmmonitorupdate', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_ddopen', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_defaultdb', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_defaultlanguage', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_delete_backup', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_delete_backup_file_snapshot', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_delete_http_namespace_reservation', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_delete_log_shipping_alert_job', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_delete_log_shipping_primary_database', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_delete_log_shipping_primary_secondary', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_delete_log_shipping_secondary_database', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_delete_log_shipping_secondary_primary', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_deletemergeconflictrow', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_deletepeerrequesthistory', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_deletetracertokenhistory', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_denylogin', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_depends', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_describe_cursor', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_describe_cursor_columns', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_describe_cursor_tables', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_describe_first_result_set', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_describe_parameter_encryption', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_describe_undeclared_parameters', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_detach_db', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_disableagentoffload', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_distcounters', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_drop_agent_parameter', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_drop_agent_profile', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_dropanonymousagent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_dropanonymoussubscription', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_dropapprole', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_droparticle', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_dropdatatypemapping', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_dropdevice', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_dropdistpublisher', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_dropdistributiondb', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_dropdistributor', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_dropdynamicsnapshot_job', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_dropextendedproperty', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_droplinkedsrvlogin', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_droplogin', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_dropmergealternatepublisher', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_dropmergearticle', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_dropmergefilter', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_dropmergelogsettings', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_dropmergepartition', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_dropmergepublication', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_dropmergepullsubscription', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_dropmergesubscription', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_dropmessage', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_droporphans', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_droppublication', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_droppublisher', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_droppullsubscription', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_dropremotelogin', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_dropreplsymmetrickey', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_droprole', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_droprolemember', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_dropserver', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_dropsrvrolemember', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_dropsubscriber', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_dropsubscription', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_droptype', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_dropuser', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_dsninfo', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_enable_heterogeneous_subscription', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_enableagentoffload', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_enum_oledb_providers', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_enumcustomresolvers', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_enumdsn', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_enumeratependingschemachanges', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_enumerrorlogs', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_enumfullsubscribers', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_enumoledbdatasources', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_estimate_data_compression_savings', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_estimated_rowsize_reduction_for_vardecimal', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_execute', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_execute_external_script', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_executesql', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_expired_subscription_cleanup', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_filestream_force_garbage_collection', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_filestream_recalculate_container_size', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_firstonly_bitmap', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_fkeys', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_flush_commit_table', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_flush_commit_table_on_demand', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_flush_CT_internal_table_on_demand', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_flush_log', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_foreign_keys_rowset', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_foreign_keys_rowset_rmt', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_foreign_keys_rowset2', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_foreign_keys_rowset3', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_foreignkeys', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_fulltext_catalog', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_fulltext_column', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_fulltext_database', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_fulltext_keymappings', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_fulltext_load_thesaurus_file', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_fulltext_pendingchanges', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_fulltext_recycle_crawl_log', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_fulltext_semantic_register_language_statistics_db', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_fulltext_semantic_unregister_language_statistics_db', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_fulltext_service', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_fulltext_table', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_FuzzyLookupTableMaintenanceInstall', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_FuzzyLookupTableMaintenanceInvoke', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_FuzzyLookupTableMaintenanceUninstall', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_generate_agent_parameter', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_generatefilters', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_get_database_scoped_credential', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_get_distributor', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_get_job_status_mergesubscription_agent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_get_mergepublishedarticleproperties', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_get_Oracle_publisher_metadata', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_get_query_template', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_get_redirected_publisher', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_getagentparameterlist', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_getapplock', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_getbindtoken', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_getdefaultdatatypemapping', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_getmergedeletetype', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_getProcessorUsage', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_getpublisherlink', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_getqueuedarticlesynctraninfo', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_getqueuedrows', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_getschemalock', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_getsqlqueueversion', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_getsubscription_status_hsnapshot', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_getsubscriptiondtspackagename', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_gettopologyinfo', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_getVolumeFreeSpace', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_grant_publication_access', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_grantdbaccess', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_grantlogin', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_help', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_help_agent_default', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_help_agent_parameter', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_help_agent_profile', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_help_datatype_mapping', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_help_fulltext_catalog_components', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_help_fulltext_catalogs', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_help_fulltext_catalogs_cursor', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_help_fulltext_columns', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_help_fulltext_columns_cursor', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_help_fulltext_system_components', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_help_fulltext_tables', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_help_fulltext_tables_cursor', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_help_log_shipping_alert_job', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_help_log_shipping_monitor', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_help_log_shipping_monitor_primary', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_help_log_shipping_monitor_secondary', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_help_log_shipping_primary_database', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_help_log_shipping_primary_secondary', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_help_log_shipping_secondary_database', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_help_log_shipping_secondary_primary', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_help_peerconflictdetection', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_help_publication_access', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_help_spatial_geography_histogram', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_help_spatial_geography_index', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_help_spatial_geography_index_xml', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_help_spatial_geometry_histogram', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_help_spatial_geometry_index', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_help_spatial_geometry_index_xml', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helpallowmerge_publication', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helparticle', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helparticlecolumns', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helparticledts', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helpconstraint', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helpdatatypemap', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helpdb', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helpdbfixedrole', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helpdevice', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helpdistpublisher', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helpdistributiondb', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helpdistributor', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helpdistributor_properties', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helpdynamicsnapshot_job', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helpextendedproc', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helpfile', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helpfilegroup', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helpindex', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helplanguage', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helplinkedsrvlogin', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helplogins', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helplogreader_agent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helpmergealternatepublisher', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helpmergearticle', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helpmergearticlecolumn', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helpmergearticleconflicts', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helpmergeconflictrows', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helpmergedeleteconflictrows', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helpmergefilter', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helpmergelogfiles', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helpmergelogfileswithdata', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helpmergelogsettings', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helpmergepartition', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helpmergepublication', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helpmergepullsubscription', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helpmergesubscription', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helpntgroup', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helppeerrequests', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helppeerresponses', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helppublication', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helppublication_snapshot', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helppublicationsync', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helppullsubscription', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helpqreader_agent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helpremotelogin', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helpreplfailovermode', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helpreplicationdb', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helpreplicationdboption', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helpreplicationoption', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helprole', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helprolemember', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helprotect', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helpserver', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helpsort', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helpsrvrole', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helpsrvrolemember', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helpstats', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helpsubscriberinfo', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helpsubscription', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helpsubscription_properties', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helpsubscriptionerrors', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helptext', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helptracertokenhistory', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helptracertokens', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helptrigger', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helpuser', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_helpxactsetjob', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_http_generate_wsdl_complex', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_http_generate_wsdl_defaultcomplexorsimple', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_http_generate_wsdl_defaultsimpleorcomplex', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_http_generate_wsdl_simple', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_identitycolumnforreplication', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_IH_LR_GetCacheData', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_IHadd_sync_command', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_IHarticlecolumn', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_IHget_loopback_detection', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_IHScriptIdxFile', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_IHScriptSchFile', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_IHValidateRowFilter', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_IHXactSetJob', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_indexcolumns_managed', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_indexes', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_indexes_100_rowset', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_indexes_100_rowset2', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_indexes_90_rowset', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_indexes_90_rowset_rmt', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_indexes_90_rowset2', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_indexes_managed', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_indexes_rowset', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_indexes_rowset_rmt', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_indexes_rowset2', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_indexoption', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_invalidate_textptr', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_is_makegeneration_needed', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_ivindexhasnullcols', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_kill_filestream_non_transacted_handles', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_kill_oldest_transaction_on_secondary', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_lightweightmergemetadataretentioncleanup', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_link_publication', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_linkedservers', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_linkedservers_rowset', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_linkedservers_rowset2', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_lock', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_logshippinginstallmetadata', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_lookupcustomresolver', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_mapdown_bitmap', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_markpendingschemachange', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_marksubscriptionvalidation', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_memory_optimized_cs_migration', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_mergearticlecolumn', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_mergecleanupmetadata', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_mergedummyupdate', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_mergemetadataretentioncleanup', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_mergesubscription_cleanup', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_mergesubscriptionsummary', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_migrate_user_to_contained', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MS_replication_installed', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSacquireHeadofQueueLock', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSacquireserverresourcefordynamicsnapshot', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSacquireSlotLock', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSacquiresnapshotdeliverysessionlock', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSactivate_auto_sub', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSactivatelogbasedarticleobject', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSactivateprocedureexecutionarticleobject', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSadd_anonymous_agent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSadd_article', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSadd_compensating_cmd', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSadd_distribution_agent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSadd_distribution_history', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSadd_dynamic_snapshot_location', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSadd_filteringcolumn', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSadd_log_shipping_error_detail', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSadd_log_shipping_history_detail', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSadd_logreader_agent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSadd_logreader_history', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSadd_merge_agent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSadd_merge_anonymous_agent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSadd_merge_history', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSadd_merge_history90', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSadd_merge_subscription', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSadd_mergereplcommand', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSadd_mergesubentry_indistdb', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSadd_publication', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSadd_qreader_agent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSadd_qreader_history', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSadd_repl_alert', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSadd_repl_command', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSadd_repl_commands27hp', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSadd_repl_error', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSadd_replcmds_mcit', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSadd_replmergealert', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSadd_snapshot_agent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSadd_snapshot_history', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSadd_subscriber_info', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSadd_subscriber_schedule', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSadd_subscription', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSadd_subscription_3rd', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSadd_tracer_history', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSadd_tracer_token', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSaddanonymousreplica', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSadddynamicsnapshotjobatdistributor', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSaddguidcolumn', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSaddguidindex', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSaddinitialarticle', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSaddinitialpublication', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSaddinitialschemaarticle', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSaddinitialsubscription', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSaddlightweightmergearticle', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSaddmergedynamicsnapshotjob', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSaddmergetriggers', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSaddmergetriggers_from_template', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSaddmergetriggers_internal', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSaddpeerlsn', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSaddsubscriptionarticles', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSadjust_pub_identity', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSagent_retry_stethoscope', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSagent_stethoscope', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSallocate_new_identity_range', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSalreadyhavegeneration', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSanonymous_status', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSarticlecleanup', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSbrowsesnapshotfolder', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScache_agent_parameter', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScdc_capture_job', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScdc_cleanup_job', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScdc_db_ddl_event', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScdc_ddl_event', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScdc_logddl', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSchange_article', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSchange_distribution_agent_properties', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSchange_logreader_agent_properties', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSchange_merge_agent_properties', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSchange_mergearticle', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSchange_mergepublication', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSchange_originatorid', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSchange_priority', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSchange_publication', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSchange_retention', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSchange_retention_period_unit', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSchange_snapshot_agent_properties', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSchange_subscription_dts_info', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSchangearticleresolver', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSchangedynamicsnapshotjobatdistributor', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSchangedynsnaplocationatdistributor', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSchangeobjectowner', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScheck_agent_instance', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScheck_dropobject', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScheck_Jet_Subscriber', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScheck_logicalrecord_metadatamatch', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScheck_merge_subscription_count', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScheck_pub_identity', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScheck_pull_access', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScheck_snapshot_agent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScheck_subscription', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScheck_subscription_expiry', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScheck_subscription_partition', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScheck_tran_retention', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScheckexistsgeneration', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScheckexistsrecguid', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScheckfailedprevioussync', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScheckidentityrange', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScheckIsPubOfSub', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSchecksharedagentforpublication', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSchecksnapshotstatus', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScleanup_agent_entry', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScleanup_conflict', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScleanup_publication_ADinfo', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScleanup_subscription_distside_entry', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScleanupdynamicsnapshotfolder', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScleanupdynsnapshotvws', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSCleanupForPullReinit', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScleanupmergepublisher_internal', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSclear_dynamic_snapshot_location', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSclearresetpartialsnapshotprogressbit', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScomputelastsentgen', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScomputemergearticlescreationorder', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScomputemergeunresolvedrefs', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSconflicttableexists', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScreate_all_article_repl_views', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScreate_article_repl_views', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScreate_dist_tables', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScreate_logical_record_views', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScreate_sub_tables', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScreate_tempgenhistorytable', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScreatedisabledmltrigger', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScreatedummygeneration', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScreateglobalreplica', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScreatelightweightinsertproc', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScreatelightweightmultipurposeproc', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScreatelightweightprocstriggersconstraints', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScreatelightweightupdateproc', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScreatemergedynamicsnapshot', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MScreateretry', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdbuseraccess', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdbuserpriv', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdefer_check', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdelete_tracer_history', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdeletefoldercontents', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdeletemetadataactionrequest', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdeletepeerconflictrow', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdeleteretry', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdeletetranconflictrow', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdelgenzero', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdelrow', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdelrowsbatch', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdelrowsbatch_downloadonly', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdelsubrows', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdelsubrowsbatch', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdependencies', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdetect_nonlogged_shutdown', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdetectinvalidpeerconfiguration', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdetectinvalidpeersubscription', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdist_activate_auto_sub', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdist_adjust_identity', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdistpublisher_cleanup', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdistribution_counters', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdistributoravailable', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdodatabasesnapshotinitiation', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdopartialdatabasesnapshotinitiation', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdrop_6x_publication', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdrop_6x_replication_agent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdrop_anonymous_entry', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdrop_article', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdrop_distribution_agent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdrop_distribution_agentid_dbowner_proxy', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdrop_dynamic_snapshot_agent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdrop_logreader_agent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdrop_merge_agent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdrop_merge_subscription', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdrop_publication', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdrop_qreader_history', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdrop_snapshot_agent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdrop_snapshot_dirs', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdrop_subscriber_info', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdrop_subscription', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdrop_subscription_3rd', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdrop_tempgenhistorytable', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdroparticleconstraints', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdroparticletombstones', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdropconstraints', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdropdynsnapshotvws', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdropfkreferencingarticle', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdropmergearticle', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdropmergedynamicsnapshotjob', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdropobsoletearticle', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdropretry', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdroptemptable', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdummyupdate', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdummyupdate_logicalrecord', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdummyupdate90', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdummyupdatelightweight', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSdynamicsnapshotjobexistsatdistributor', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenable_publication_for_het_sub', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSensure_single_instance', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenum_distribution', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenum_distribution_s', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenum_distribution_sd', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenum_logicalrecord_changes', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenum_logreader', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenum_logreader_s', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenum_logreader_sd', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenum_merge', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenum_merge_agent_properties', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenum_merge_s', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenum_merge_sd', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenum_merge_subscriptions', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenum_merge_subscriptions_90_publication', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenum_merge_subscriptions_90_publisher', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenum_metadataaction_requests', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenum_qreader', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenum_qreader_s', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenum_qreader_sd', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenum_replication_agents', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenum_replication_job', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenum_replqueues', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenum_replsqlqueues', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenum_snapshot', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenum_snapshot_s', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenum_snapshot_sd', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenum_subscriptions', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenumallpublications', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenumallsubscriptions', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenumarticleslightweight', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenumchanges', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenumchanges_belongtopartition', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenumchanges_notbelongtopartition', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenumchangesdirect', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenumchangeslightweight', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenumcolumns', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenumcolumnslightweight', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenumdeletes_forpartition', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenumdeleteslightweight', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenumdeletesmetadata', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenumdistributionagentproperties', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenumerate_PAL', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenumgenerations', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenumgenerations90', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenumpartialchanges', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenumpartialchangesdirect', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenumpartialdeletes', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenumpubreferences', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenumreplicas', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenumreplicas90', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenumretries', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenumschemachange', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenumsubscriptions', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSenumthirdpartypublicationvendornames', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSestimatemergesnapshotworkload', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSestimatesnapshotworkload', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSevalsubscriberinfo', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSevaluate_change_membership_for_all_articles_in_pubid', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSevaluate_change_membership_for_pubid', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSevaluate_change_membership_for_row', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSexecwithlsnoutput', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSfast_delete_trans', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSfetchAdjustidentityrange', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSfetchidentityrange', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSfillupmissingcols', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSfilterclause', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSfix_6x_tasks', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSfixlineageversions', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSFixSubColumnBitmaps', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSfixupbeforeimagetables', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSflush_access_cache', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSforce_drop_distribution_jobs', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSforcereenumeration', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSforeach_worker', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSforeachdb', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSforeachtable', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSgenerateexpandproc', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSget_agent_names', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSget_attach_state', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSget_DDL_after_regular_snapshot', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSget_dynamic_snapshot_location', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSget_identity_range_info', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSget_jobstate', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSget_last_transaction', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSget_latest_peerlsn', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSget_load_hint', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSget_log_shipping_new_sessionid', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSget_logicalrecord_lineage', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSget_max_used_identity', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSget_min_seqno', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSget_MSmerge_rowtrack_colinfo', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSget_new_xact_seqno', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSget_oledbinfo', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSget_partitionid_eval_proc', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSget_publication_from_taskname', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSget_publisher_rpc', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSget_repl_cmds_anonymous', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSget_repl_commands', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSget_repl_error', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSget_session_statistics', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSget_shared_agent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSget_snapshot_history', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSget_subscriber_partition_id', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSget_subscription_dts_info', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSget_subscription_guid', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSget_synctran_commands', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSget_type_wrapper', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSgetagentoffloadinfo', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSgetalternaterecgens', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSgetarticlereinitvalue', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSgetchangecount', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSgetconflictinsertproc', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSgetconflicttablename', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSGetCurrentPrincipal', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSgetdatametadatabatch', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSgetdbversion', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSgetdynamicsnapshotapplock', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSgetdynsnapvalidationtoken', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSgetgenstatus4rows', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSgetisvalidwindowsloginfromdistributor', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSgetlastrecgen', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSgetlastsentgen', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSgetlastsentrecgens', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSgetlastupdatedtime', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSgetlightweightmetadatabatch', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSgetmakegenerationapplock', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSgetmakegenerationapplock_90', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSgetmaxbcpgen', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSgetmaxsnapshottimestamp', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSgetmergeadminapplock', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSgetmetadata_changedlogicalrecordmembers', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSgetmetadatabatch', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSgetmetadatabatch90', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSgetmetadatabatch90new', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSgetonerow', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSgetonerowlightweight', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSgetpeerconflictrow', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSgetpeerlsns', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSgetpeertopeercommands', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSgetpeerwinnerrow', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSgetpubinfo', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSgetreplicainfo', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSgetreplicastate', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSgetrowmetadata', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSgetrowmetadatalightweight', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSGetServerProperties', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSgetsetupbelong_cost', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSgetsubscriberinfo', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSgetsupportabilitysettings', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSgettrancftsrcrow', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSgettranconflictrow', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSgetversion', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSgrantconnectreplication', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MShaschangeslightweight', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MShasdbaccess', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MShelp_article', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MShelp_distdb', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MShelp_distribution_agentid', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MShelp_identity_property', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MShelp_logreader_agentid', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MShelp_merge_agentid', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MShelp_profile', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MShelp_profilecache', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MShelp_publication', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MShelp_repl_agent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MShelp_replication_status', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MShelp_replication_table', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MShelp_snapshot_agent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MShelp_snapshot_agentid', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MShelp_subscriber_info', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MShelp_subscription', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MShelp_subscription_status', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MShelpcolumns', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MShelpconflictpublications', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MShelpcreatebeforetable', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MShelpdestowner', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MShelpdynamicsnapshotjobatdistributor', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MShelpfulltextindex', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MShelpfulltextscript', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MShelpindex', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MShelplogreader_agent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MShelpmergearticles', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MShelpmergeconflictcounts', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MShelpmergedynamicsnapshotjob', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MShelpmergeidentity', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MShelpmergeschemaarticles', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MShelpobjectpublications', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MShelpreplicationtriggers', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MShelpsnapshot_agent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MShelpsummarypublication', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MShelptracertokenhistory', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MShelptracertokens', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MShelptranconflictcounts', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MShelptype', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MShelpvalidationdate', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSIfExistsSubscription', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSindexspace', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSinit_publication_access', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSinit_subscription_agent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSinitdynamicsubscriber', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSinsert_identity', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSinsertdeleteconflict', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSinserterrorlineage', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSinsertgenerationschemachanges', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSinsertgenhistory', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSinsertlightweightschemachange', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSinsertschemachange', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSinvalidate_snapshot', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSisnonpkukupdateinconflict', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSispeertopeeragent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSispkupdateinconflict', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSispublicationqueued', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSisreplmergeagent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSissnapshotitemapplied', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSkilldb', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSlock_auto_sub', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSlock_distribution_agent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSlocktable', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSloginmappings', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSmakearticleprocs', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSmakebatchinsertproc', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSmakebatchupdateproc', 'GRANT', 'public', 'dbo', 'R')\n \nINSERT INTO #entries_to_exclude (object_name, state_desc, prin_name, user_name, prin_type)\n VALUES ('sp_MSmakeconflictinsertproc', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSmakectsview', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSmakedeleteproc', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSmakedynsnapshotvws', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSmakeexpandproc', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSmakegeneration', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSmakeinsertproc', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSmakemetadataselectproc', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSmakeselectproc', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSmakesystableviews', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSmakeupdateproc', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSmap_partitionid_to_generations', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSmarkreinit', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSmatchkey', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSmerge_alterschemaonly', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSmerge_altertrigger', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSmerge_alterview', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSmerge_ddldispatcher', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSmerge_getgencount', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSmerge_getgencur_public', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSmerge_is_snapshot_required', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSmerge_log_identity_range_allocations', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSmerge_parsegenlist', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSmerge_upgrade_subscriber', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSmergesubscribedb', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSmergeupdatelastsyncinfo', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSneedmergemetadataretentioncleanup', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSNonSQLDDL', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSNonSQLDDLForSchemaDDL', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSobjectprivs', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSpeerapplyresponse', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSpeerapplytopologyinfo', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSpeerconflictdetection_statuscollection_applyresponse', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSpeerconflictdetection_statuscollection_sendresponse', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSpeerconflictdetection_topology_applyresponse', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSpeerdbinfo', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSpeersendresponse', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSpeersendtopologyinfo', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSpeertopeerfwdingexec', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSpost_auto_proc', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSpostapplyscript_forsubscriberprocs', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSprep_exclusive', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSprepare_mergearticle', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSprofile_in_use', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSproxiedmetadata', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSproxiedmetadatabatch', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSproxiedmetadatalightweight', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSpub_adjust_identity', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSpublication_access', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSpublicationcleanup', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSpublicationview', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSquery_syncstates', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSquerysubtype', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSrecordsnapshotdeliveryprogress', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSreenable_check', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSrefresh_anonymous', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSrefresh_publisher_idrange', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSregenerate_mergetriggersprocs', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSregisterdynsnapseqno', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSregistermergesnappubid', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSregistersubscription', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSreinit_failed_subscriptions', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSreinit_hub', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSreinit_subscription', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSreinitoverlappingmergepublications', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSreleasedynamicsnapshotapplock', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSreleasemakegenerationapplock', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSreleasemergeadminapplock', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSreleaseSlotLock', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSreleasesnapshotdeliverysessionlock', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSremove_mergereplcommand', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSremoveoffloadparameter', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSrepl_agentstatussummary', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSrepl_backup_complete', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSrepl_backup_start', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSrepl_check_publisher', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSrepl_createdatatypemappings', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSrepl_distributionagentstatussummary', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSrepl_dropdatatypemappings', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSrepl_enumarticlecolumninfo', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSrepl_enumpublications', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSrepl_enumpublishertables', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSrepl_enumsubscriptions', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSrepl_enumtablecolumninfo', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSrepl_FixPALRole', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSrepl_getdistributorinfo', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSrepl_getpkfkrelation', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSrepl_gettype_mappings', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSrepl_helparticlermo', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSrepl_init_backup_lsns', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSrepl_isdbowner', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSrepl_IsLastPubInSharedSubscription', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSrepl_IsUserInAnyPAL', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSrepl_linkedservers_rowset', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSrepl_mergeagentstatussummary', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSrepl_PAL_rolecheck', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSrepl_raiserror', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSrepl_schema', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSrepl_setNFR', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSrepl_snapshot_helparticlecolumns', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSrepl_snapshot_helppublication', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSrepl_startup_internal', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSrepl_subscription_rowset', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSrepl_testadminconnection', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSrepl_testconnection', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSreplagentjobexists', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSreplcheck_permission', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSreplcheck_pull', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSreplcheck_subscribe', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSreplcheck_subscribe_withddladmin', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSreplcheckoffloadserver', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSreplcopyscriptfile', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSreplraiserror', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSreplremoveuncdir', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSreplupdateschema', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSrequestreenumeration', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSrequestreenumeration_lightweight', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSreset_attach_state', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSreset_queued_reinit', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSreset_subscription', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSreset_subscription_seqno', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSreset_synctran_bit', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSreset_transaction', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSresetsnapshotdeliveryprogress', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSrestoresavedforeignkeys', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSretrieve_publication_attributes', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSscript_article_view', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSscript_dri', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSscript_pub_upd_trig', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSscript_sync_del_proc', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSscript_sync_del_trig', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSscript_sync_ins_proc', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSscript_sync_ins_trig', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSscript_sync_upd_proc', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSscript_sync_upd_trig', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSscriptcustomdelproc', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSscriptcustominsproc', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSscriptcustomupdproc', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSscriptdatabase', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSscriptdb_worker', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSscriptforeignkeyrestore', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSscriptsubscriberprocs', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSscriptviewproc', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSsendtosqlqueue', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSset_dynamic_filter_options', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSset_logicalrecord_metadata', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSset_new_identity_range', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSset_oledb_prop', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSset_snapshot_xact_seqno', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSset_sub_guid', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSset_subscription_properties', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSsetaccesslist', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSsetartprocs', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSsetbit', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSsetconflictscript', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSsetconflicttable', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSsetcontext_bypasswholeddleventbit', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSsetcontext_replagent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSsetgentozero', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSsetlastrecgen', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSsetlastsentgen', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSsetreplicainfo', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSsetreplicaschemaversion', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSsetreplicastatus', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSsetrowmetadata', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSsetsubscriberinfo', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSsetup_identity_range', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSsetup_partition_groups', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSsetup_use_partition_groups', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSsetupbelongs', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSsetupnosyncsubwithlsnatdist', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSsetupnosyncsubwithlsnatdist_cleanup', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSsetupnosyncsubwithlsnatdist_helper', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSSharedFixedDisk', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSSQLDMO70_version', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSSQLDMO80_version', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSSQLDMO90_version', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSSQLOLE_version', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSSQLOLE65_version', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSstartdistribution_agent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSstartmerge_agent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSstartsnapshot_agent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSstopdistribution_agent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSstopmerge_agent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSstopsnapshot_agent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSsub_check_identity', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSsub_set_identity', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSsubscription_status', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSsubscriptionvalidated', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MStablechecks', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MStablekeys', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MStablerefs', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MStablespace', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MStestbit', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MStran_ddlrepl', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MStran_is_snapshot_required', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MStrypurgingoldsnapshotdeliveryprogress', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSuniquename', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSunmarkifneeded', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSunmarkreplinfo', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSunmarkschemaobject', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSunregistersubscription', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSupdate_agenttype_default', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSupdate_singlelogicalrecordmetadata', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSupdate_subscriber_info', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSupdate_subscriber_schedule', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSupdate_subscriber_tracer_history', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSupdate_subscription', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSupdate_tracer_history', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSupdatecachedpeerlsn', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSupdategenerations_afterbcp', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSupdategenhistory', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSupdateinitiallightweightsubscription', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSupdatelastsyncinfo', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSupdatepeerlsn', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSupdaterecgen', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSupdatereplicastate', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSupdatesysmergearticles', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSuplineageversion', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSuploadsupportabilitydata', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSuselightweightreplication', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSvalidate_dest_recgen', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSvalidate_subscription', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSvalidate_wellpartitioned_articles', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSvalidatearticle', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_MSwritemergeperfcounter', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_new_parallel_nested_tran_id', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_objectfilegroup', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_oledb_database', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_oledb_defdb', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_oledb_deflang', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_oledb_language', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_oledb_ro_usrname', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_oledbinfo', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_ORbitmap', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_password', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_peerconflictdetection_tableaug', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_pkeys', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_polybase_join_group', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_polybase_leave_group', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_posttracertoken', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_prepare', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_prepexec', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_prepexecrpc', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_primary_keys_rowset', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_primary_keys_rowset_rmt', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_primary_keys_rowset2', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_primarykeys', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_procedure_params_100_managed', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_procedure_params_100_rowset', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_procedure_params_100_rowset2', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_procedure_params_90_rowset', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_procedure_params_90_rowset2', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_procedure_params_managed', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_procedure_params_rowset', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_procedure_params_rowset2', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_procedures_rowset', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_procedures_rowset2', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_processlogshippingmonitorhistory', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_processlogshippingmonitorprimary', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_processlogshippingmonitorsecondary', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_processlogshippingretentioncleanup', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_procoption', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_prop_oledb_provider', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_provider_types_100_rowset', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_provider_types_90_rowset', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_provider_types_rowset', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_publication_validation', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_publicationsummary', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_publishdb', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_publisherproperty', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_query_store_flush_db', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_query_store_force_plan', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_query_store_remove_plan', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_query_store_remove_query', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_query_store_reset_exec_stats', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_query_store_unforce_plan', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_rda_deauthorize_db', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_rda_get_rpo_duration', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_rda_reauthorize_db', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_rda_reconcile_batch', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_rda_reconcile_columns', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_rda_reconcile_indexes', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_rda_set_query_mode', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_rda_set_rpo_duration', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_rda_test_connection', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_readerrorlog', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_recompile', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_redirect_publisher', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_refresh_heterogeneous_publisher', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_refresh_log_shipping_monitor', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_refresh_parameter_encryption', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_refreshsqlmodule', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_refreshsubscriptions', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_refreshview', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_register_custom_scripting', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_registercustomresolver', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_reinitmergepullsubscription', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_reinitmergesubscription', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_reinitpullsubscription', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_reinitsubscription', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_releaseapplock', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_releaseschemalock', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_remote_data_archive_event', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_remoteoption', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_removedbreplication', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_removedistpublisherdbreplication', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_removesrvreplication', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_rename', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_renamedb', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_repl_generate_subscriber_event', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_repl_generateevent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_repladdcolumn', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_replcleanupccsprocs', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_replcmds', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_replcounters', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_replddlparser', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_repldeletequeuedtran', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_repldone', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_repldropcolumn', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_replflush', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_replgetparsedddlcmd', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_replhelp', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_replica', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_replication_agent_checkup', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_replicationdboption', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_replincrementlsn', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_replmonitorchangepublicationthreshold', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_replmonitorhelpmergesession', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_replmonitorhelpmergesessiondetail', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_replmonitorhelpmergesubscriptionmoreinfo', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_replmonitorhelppublication', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_replmonitorhelppublicationthresholds', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_replmonitorhelppublisher', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_replmonitorhelpsubscription', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_replmonitorrefreshjob', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_replmonitorsubscriptionpendingcmds', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_replpostsyncstatus', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_replqueuemonitor', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_replrestart', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_replrethrow', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_replsendtoqueue', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_replsetoriginator', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_replsetsyncstatus', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_replshowcmds', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_replsqlqgetrows', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_replsync', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_repltrans', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_replwritetovarbin', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_requestpeerresponse', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_requestpeertopologyinfo', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_reserve_http_namespace', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_reset_connection', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_reset_session_context', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_resetsnapshotdeliveryprogress', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_resign_database', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_restoredbreplication', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_restoremergeidentityrange', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_resyncexecute', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_resyncexecutesql', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_resyncmergesubscription', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_resyncprepare', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_resyncuniquetable', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_revoke_publication_access', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_revokedbaccess', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_revokelogin', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_rollback_parallel_nested_tran', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_schemafilter', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_schemata_rowset', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_script_reconciliation_delproc', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_script_reconciliation_insproc', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_script_reconciliation_sinsproc', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_script_reconciliation_vdelproc', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_script_reconciliation_xdelproc', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_script_synctran_commands', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_scriptdelproc', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_scriptdynamicupdproc', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_scriptinsproc', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_scriptmappedupdproc', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_scriptpublicationcustomprocs', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_scriptsinsproc', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_scriptsubconflicttable', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_scriptsupdproc', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_scriptupdproc', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_scriptvdelproc', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_scriptvupdproc', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_scriptxdelproc', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_scriptxupdproc', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_sequence_get_range', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_server_diagnostics', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_server_info', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_serveroption', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_set_session_context', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_setapprole', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_SetAutoSAPasswordAndDisable', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_setdefaultdatatypemapping', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_setnetname', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_SetOBDCertificate', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_setOraclepackageversion', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_setreplfailovermode', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_setsubscriptionxactseqno', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_settriggerorder', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_setuserbylogin', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_showcolv', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_showlineage', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_showmemo_xml', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_showpendingchanges', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_showrowreplicainfo', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_sm_detach', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_spaceused', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_spaceused_remote_data_archive', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_sparse_columns_100_rowset', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_special_columns', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_special_columns_100', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_special_columns_90', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_sproc_columns', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_sproc_columns_100', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_sproc_columns_90', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_sqlagent_add_job', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_sqlagent_add_jobstep', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_sqlagent_delete_job', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_sqlagent_help_jobstep', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_sqlagent_log_job_history', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_sqlagent_start_job', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_sqlagent_stop_job', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_sqlagent_verify_database_context', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_sqlagent_write_jobstep_log', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_sqlexec', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_srvrolepermission', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_start_user_instance', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_startmergepullsubscription_agent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_startmergepushsubscription_agent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_startpublication_snapshot', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_startpullsubscription_agent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_startpushsubscription_agent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_statistics', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_statistics_100', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_statistics_rowset', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_statistics_rowset2', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_stopmergepullsubscription_agent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_stopmergepushsubscription_agent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_stoppublication_snapshot', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_stoppullsubscription_agent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_stoppushsubscription_agent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_stored_procedures', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_subscribe', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_subscription_cleanup', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_subscriptionsummary', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_sysdac_add_history_entry', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_sysdac_add_instance', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_sysdac_delete_history', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_sysdac_delete_instance', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_sysdac_drop_database', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_sysdac_ensure_dac_creator', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_sysdac_rename_database', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_sysdac_resolve_pending_entry', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_sysdac_rollback_all_pending_objects', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_sysdac_rollback_committed_step', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_sysdac_rollback_pending_object', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_sysdac_setreadonly_database', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_sysdac_update_history_entry', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_sysdac_upgrade_instance', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_syspolicy_subscribe_to_policy_category', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_syspolicy_unsubscribe_from_policy_category', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_syspolicy_update_ddl_trigger', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_syspolicy_update_event_notification', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_sysdac_update_instance', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_table_constraints_rowset', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_table_constraints_rowset2', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_table_privileges', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_table_privileges_ex', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_table_privileges_rowset', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_table_privileges_rowset_rmt', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_table_privileges_rowset2', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_table_statistics_rowset', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_table_statistics2_rowset', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_table_type_columns_100', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_table_type_columns_100_rowset', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_table_type_pkeys', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_table_type_primary_keys_rowset', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_table_types', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_table_types_rowset', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_table_validation', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_tablecollations', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_tablecollations_100', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_tablecollations_90', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_tableoption', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_tables', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_tables_ex', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_tables_info_90_rowset', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_tables_info_90_rowset_64', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_tables_info_90_rowset2', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_tables_info_90_rowset2_64', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_tables_info_rowset', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_tables_info_rowset_64', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_tables_info_rowset2', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_tables_info_rowset2_64', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_tables_rowset', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_tables_rowset_rmt', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_tables_rowset2', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_tableswc', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_testlinkedserver', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_trace_create', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_trace_generateevent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_trace_getdata', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_trace_setevent', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_trace_setfilter', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_trace_setstatus', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_try_set_session_context', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_unbindefault', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_unbindrule', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_unprepare', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_unregister_custom_scripting', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_unregistercustomresolver', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_unsetapprole', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_unsubscribe', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_update_agent_profile', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_update_user_instance', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_updateextendedproperty', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_updatestats', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_upgrade_log_shipping', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_user_counter1', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_user_counter10', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_user_counter2', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_user_counter3', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_user_counter4', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_user_counter5', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_user_counter6', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_user_counter7', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_user_counter8', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_user_counter9', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_usertypes_rowset', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_usertypes_rowset_rmt', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_usertypes_rowset2', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_validate_redirected_publisher', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_validate_replica_hosts_as_publishers', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_validatecache', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_validatelogins', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_validatemergepublication', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_validatemergepullsubscription', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_validatemergesubscription', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_validlang', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_validname', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_verifypublisher', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_views_rowset', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_views_rowset2', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_vupgrade_mergeobjects', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_vupgrade_mergetables', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_vupgrade_replication', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_vupgrade_replsecurity_metadata', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_who', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_who2', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_xml_preparedocument', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_xml_removedocument', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_xml_schema_rowset', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_xml_schema_rowset2', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_xtp_bind_db_resource_pool', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_xtp_checkpoint_force_garbage_collection', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_xtp_control_proc_exec_stats', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_xtp_control_query_exec_stats', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_xtp_flush_temporal_history', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_xtp_kill_active_transactions', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_xtp_merge_checkpoint_files', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_xtp_objects_present', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_xtp_set_memory_quota', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_xtp_slo_can_downgrade', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_xtp_slo_downgrade_finished', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_xtp_slo_prepare_to_downgrade', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_xtp_unbind_db_resource_pool', 'GRANT', 'public', 'dbo', 'R')\n ,('xp_dirtree', 'GRANT', 'public', 'dbo', 'R')\n ,('xp_fileexist', 'GRANT', 'public', 'dbo', 'R')\n ,('xp_fixeddrives', 'GRANT', 'public', 'dbo', 'R')\n ,('xp_getnetname', 'GRANT', 'public', 'dbo', 'R')\n ,('xp_grantlogin', 'GRANT', 'public', 'dbo', 'R')\n ,('xp_instance_regread', 'GRANT', 'public', 'dbo', 'R')\n ,('xp_msver', 'GRANT', 'public', 'dbo', 'R')\n ,('xp_qv', 'GRANT', 'public', 'dbo', 'R')\n ,('xp_regread', 'GRANT', 'public', 'dbo', 'R')\n ,('xp_repl_convert_encrypt_sysadmin_wrapper', 'GRANT', 'public', 'dbo', 'R')\n ,('xp_replposteor', 'GRANT', 'public', 'dbo', 'R')\n ,('xp_revokelogin', 'GRANT', 'public', 'dbo', 'R')\n ,('xp_sprintf', 'GRANT', 'public', 'dbo', 'R')\n ,('xp_sscanf', 'GRANT', 'public', 'dbo', 'R')\n ,('sp_send_dbmail', 'GRANT', 'DatabaseMailUserRole', 'dbo', 'R')\n ,('sysmail_delete_mailitems_sp', 'GRANT', 'DatabaseMailUserRole', 'dbo', 'R')\n ,('sysmail_help_status_sp', 'GRANT', 'DatabaseMailUserRole', 'dbo', 'R')\n ,('sp_ssis_addfolder', 'GRANT', 'db_ssisadmin', 'dbo', 'R')\n ,('sp_ssis_addlogentry', 'GRANT', 'db_ssisadmin', 'dbo', 'R')\n ,('sp_ssis_checkexists', 'GRANT', 'db_ssisadmin', 'dbo', 'R')\n ,('sp_ssis_deletefolder', 'GRANT', 'db_ssisadmin', 'dbo', 'R')\n ,('sp_ssis_deletepackage', 'GRANT', 'db_ssisadmin', 'dbo', 'R')\n ,('sp_ssis_getfolder', 'GRANT', 'db_ssisadmin', 'dbo', 'R')\n ,('sp_ssis_getpackage', 'GRANT', 'db_ssisadmin', 'dbo', 'R')\n ,('sp_ssis_getpackageroles', 'GRANT', 'db_ssisadmin', 'dbo', 'R')\n ,('sp_ssis_listfolders', 'GRANT', 'db_ssisadmin', 'dbo', 'R')\n ,('sp_ssis_listpackages', 'GRANT', 'db_ssisadmin', 'dbo', 'R')\n ,('sp_ssis_putpackage', 'GRANT', 'db_ssisadmin', 'dbo', 'R')\n ,('sp_ssis_renamefolder', 'GRANT', 'db_ssisadmin', 'dbo', 'R')\n ,('sp_ssis_setpackageroles', 'GRANT', 'db_ssisadmin', 'dbo', 'R')\n ,('sp_ssis_addfolder', 'GRANT', 'db_ssisltduser', 'dbo', 'R')\n ,('sp_ssis_addlogentry', 'GRANT', 'db_ssisltduser', 'dbo', 'R')\n ,('sp_ssis_checkexists', 'GRANT', 'db_ssisltduser', 'dbo', 'R')\n ,('sp_ssis_deletefolder', 'GRANT', 'db_ssisltduser', 'dbo', 'R')\n ,('sp_ssis_deletepackage', 'GRANT', 'db_ssisltduser', 'dbo', 'R')\n ,('sp_ssis_getfolder', 'GRANT', 'db_ssisltduser', 'dbo', 'R')\n ,('sp_ssis_getpackage', 'GRANT', 'db_ssisltduser', 'dbo', 'R')\n ,('sp_ssis_getpackageroles', 'GRANT', 'db_ssisltduser', 'dbo', 'R')\n ,('sp_ssis_listfolders', 'GRANT', 'db_ssisltduser', 'dbo', 'R')\n ,('sp_ssis_listpackages', 'GRANT', 'db_ssisltduser', 'dbo', 'R')\n ,('sp_ssis_putpackage', 'GRANT', 'db_ssisltduser', 'dbo', 'R')\n ,('sp_ssis_renamefolder', 'GRANT', 'db_ssisltduser', 'dbo', 'R')\n ,('sp_ssis_setpackageroles', 'GRANT', 'db_ssisltduser', 'dbo', 'R')\n ,('sp_ssis_checkexists', 'GRANT', 'db_ssisoperator', 'dbo', 'R')\n ,('sp_ssis_deletepackage', 'GRANT', 'db_ssisoperator', 'dbo', 'R')\n ,('sp_ssis_getfolder', 'GRANT', 'db_ssisoperator', 'dbo', 'R')\n ,('sp_ssis_getpackage', 'GRANT', 'db_ssisoperator', 'dbo', 'R')\n ,('sp_ssis_listfolders', 'GRANT', 'db_ssisoperator', 'dbo', 'R')\n ,('sp_ssis_listpackages', 'GRANT', 'db_ssisoperator', 'dbo', 'R')\n ,('sp_ssis_putpackage', 'GRANT', 'db_ssisoperator', 'dbo', 'R')\n ,('fn_syscollector_highest_incompatible_mdw_version', 'GRANT', 'dc_admin', 'dbo', 'R')\n ,('sp_syscollector_cleanup_collector', 'GRANT', 'dc_admin', 'dbo', 'R')\n ,('sp_syscollector_create_collection_item', 'GRANT', 'dc_admin', 'dbo', 'R')\n ,('sp_syscollector_create_collection_set', 'GRANT', 'dc_admin', 'dbo', 'R')\n ,('sp_syscollector_create_collector_type', 'GRANT', 'dc_admin', 'dbo', 'R')\n ,('sp_syscollector_delete_collection_item', 'GRANT', 'dc_admin', 'dbo', 'R')\n ,('sp_syscollector_delete_collection_set', 'GRANT', 'dc_admin', 'dbo', 'R')\n ,('sp_syscollector_delete_collector_type', 'GRANT', 'dc_admin', 'dbo', 'R')\n ,('sp_syscollector_set_cache_directory', 'GRANT', 'dc_admin', 'dbo', 'R')\n ,('sp_syscollector_set_cache_window', 'GRANT', 'dc_admin', 'dbo', 'R')\n ,('sp_syscollector_set_warehouse_database_name', 'GRANT', 'dc_admin', 'dbo', 'R')\n ,('sp_syscollector_set_warehouse_instance_name', 'GRANT', 'dc_admin', 'dbo', 'R')\n ,('fn_syscollector_find_collection_set_root', 'GRANT', 'dc_operator', 'dbo', 'R')\n ,('sp_syscollector_create_tsql_query_collector', 'GRANT', 'dc_operator', 'dbo', 'R')\n ,('sp_syscollector_delete_execution_log_tree', 'GRANT', 'dc_operator', 'dbo', 'R')\n ,('sp_syscollector_disable_collector', 'GRANT', 'dc_operator', 'dbo', 'R')\n ,('sp_syscollector_enable_collector', 'GRANT', 'dc_operator', 'dbo', 'R')\n ,('sp_syscollector_get_tsql_query_collector_package_ids', 'GRANT', 'dc_operator', 'dbo', 'R')\n ,('sp_syscollector_run_collection_set', 'GRANT', 'dc_operator', 'dbo', 'R')\n ,('sp_syscollector_start_collection_set', 'GRANT', 'dc_operator', 'dbo', 'R')\n ,('sp_syscollector_stop_collection_set', 'GRANT', 'dc_operator', 'dbo', 'R')\n ,('sp_syscollector_update_collection_item', 'GRANT', 'dc_operator', 'dbo', 'R')\n ,('sp_syscollector_update_collection_set', 'GRANT', 'dc_operator', 'dbo', 'R')\n ,('sp_syscollector_upload_collection_set', 'GRANT', 'dc_operator', 'dbo', 'R')\n ,('sp_verify_subsystems', 'GRANT', 'dc_operator', 'dbo', 'R')\n ,('fn_syscollector_highest_incompatible_mdw_version', 'GRANT', 'dc_proxy', 'dbo', 'R')\n ,('sp_syscollector_create_tsql_query_collector', 'GRANT', 'dc_proxy', 'dbo', 'R')\n ,('sp_syscollector_event_oncollectionbegin', 'GRANT', 'dc_proxy', 'dbo', 'R')\n ,('sp_syscollector_event_oncollectionend', 'GRANT', 'dc_proxy', 'dbo', 'R')\n ,('sp_syscollector_event_onerror', 'GRANT', 'dc_proxy', 'dbo', 'R')\n ,('sp_syscollector_event_onpackagebegin', 'GRANT', 'dc_proxy', 'dbo', 'R')\n ,('sp_syscollector_event_onpackageend', 'GRANT', 'dc_proxy', 'dbo', 'R')\n ,('sp_syscollector_event_onpackageupdate', 'GRANT', 'dc_proxy', 'dbo', 'R')\n ,('sp_syscollector_event_onstatsupdate', 'GRANT', 'dc_proxy', 'dbo', 'R')\n ,('sp_syscollector_get_tsql_query_collector_package_ids', 'GRANT', 'dc_proxy', 'dbo', 'R')\n ,('sp_syscollector_get_warehouse_connection_string', 'GRANT', 'dc_proxy', 'dbo', 'R')\n ,('sp_syscollector_snapshot_dm_exec_query_stats', 'GRANT', 'dc_proxy', 'dbo', 'R')\n ,('sp_syscollector_snapshot_dm_exec_requests', 'GRANT', 'dc_proxy', 'dbo', 'R')\n ,('sp_syspolicy_add_condition', 'GRANT', 'PolicyAdministratorRole', 'dbo', 'R')\n ,('sp_syspolicy_add_object_set', 'GRANT', 'PolicyAdministratorRole', 'dbo', 'R')\n ,('sp_syspolicy_add_policy', 'GRANT', 'PolicyAdministratorRole', 'dbo', 'R')\n ,('sp_syspolicy_add_policy_category', 'GRANT', 'PolicyAdministratorRole', 'dbo', 'R')\n ,('sp_syspolicy_add_policy_category_subscription', 'GRANT', 'PolicyAdministratorRole', 'dbo', 'R')\n ,('sp_syspolicy_add_target_set', 'GRANT', 'PolicyAdministratorRole', 'dbo', 'R')\n ,('sp_syspolicy_add_target_set_level', 'GRANT', 'PolicyAdministratorRole', 'dbo', 'R')\n ,('sp_syspolicy_configure', 'GRANT', 'PolicyAdministratorRole', 'dbo', 'R')\n ,('sp_syspolicy_create_purge_job', 'GRANT', 'PolicyAdministratorRole', 'dbo', 'R')\n ,('sp_syspolicy_delete_condition', 'GRANT', 'PolicyAdministratorRole', 'dbo', 'R')\n ,('sp_syspolicy_delete_object_set', 'GRANT', 'PolicyAdministratorRole', 'dbo', 'R')\n ,('sp_syspolicy_delete_policy', 'GRANT', 'PolicyAdministratorRole', 'dbo', 'R')\n ,('sp_syspolicy_delete_policy_category', 'GRANT', 'PolicyAdministratorRole', 'dbo', 'R')\n ,('sp_syspolicy_delete_policy_category_subscription', 'GRANT', 'PolicyAdministratorRole', 'dbo', 'R')\n ,('sp_syspolicy_dispatch_event', 'GRANT', 'PolicyAdministratorRole', 'dbo', 'R')\n ,('sp_syspolicy_log_policy_execution_detail', 'GRANT', 'PolicyAdministratorRole', 'dbo', 'R')\n ,('sp_syspolicy_log_policy_execution_end', 'GRANT', 'PolicyAdministratorRole', 'dbo', 'R')\n ,('sp_syspolicy_log_policy_execution_start', 'GRANT', 'PolicyAdministratorRole', 'dbo', 'R')\n ,('sp_syspolicy_purge_health_state', 'GRANT', 'PolicyAdministratorRole', 'dbo', 'R')\n ,('sp_syspolicy_purge_history', 'GRANT', 'PolicyAdministratorRole', 'dbo', 'R')\n ,('sp_syspolicy_rename_condition', 'GRANT', 'PolicyAdministratorRole', 'dbo', 'R')\n ,('sp_syspolicy_rename_policy', 'GRANT', 'PolicyAdministratorRole', 'dbo', 'R')\n ,('sp_syspolicy_rename_policy_category', 'GRANT', 'PolicyAdministratorRole', 'dbo', 'R')\n ,('sp_syspolicy_repair_policy_automation', 'GRANT', 'PolicyAdministratorRole', 'dbo', 'R')\n ,('sp_syspolicy_set_config_enabled', 'GRANT', 'PolicyAdministratorRole', 'dbo', 'R')\n ,('sp_syspolicy_set_config_history_retention', 'GRANT', 'PolicyAdministratorRole', 'dbo', 'R')\n ,('sp_syspolicy_set_log_on_success', 'GRANT', 'PolicyAdministratorRole', 'dbo', 'R')\n ,('sp_syspolicy_update_condition', 'GRANT', 'PolicyAdministratorRole', 'dbo', 'R')\n ,('sp_syspolicy_update_policy', 'GRANT', 'PolicyAdministratorRole', 'dbo', 'R')\n ,('sp_syspolicy_update_policy_category', 'GRANT', 'PolicyAdministratorRole', 'dbo', 'R')\n ,('sp_syspolicy_update_policy_category_subscription', 'GRANT', 'PolicyAdministratorRole', 'dbo', 'R')\n ,('sp_syspolicy_update_target_set', 'GRANT', 'PolicyAdministratorRole', 'dbo', 'R')\n ,('sp_syspolicy_update_target_set_level', 'GRANT', 'PolicyAdministratorRole', 'dbo', 'R')\n ,('sp_syspolicy_verify_object_set_identifiers', 'GRANT', 'PolicyAdministratorRole', 'dbo', 'R')\n ,('sp_sysmanagement_add_shared_registered_server', 'GRANT', 'ServerGroupAdministratorRole', 'dbo', 'R')\n ,('sp_sysmanagement_add_shared_server_group', 'GRANT', 'ServerGroupAdministratorRole', 'dbo', 'R')\n ,('sp_sysmanagement_delete_shared_registered_server', 'GRANT', 'ServerGroupAdministratorRole', 'dbo', 'R')\n ,('sp_sysmanagement_delete_shared_server_group', 'GRANT', 'ServerGroupAdministratorRole', 'dbo', 'R')\n ,('sp_sysmanagement_move_shared_registered_server', 'GRANT', 'ServerGroupAdministratorRole', 'dbo', 'R')\n ,('sp_sysmanagement_move_shared_server_group', 'GRANT', 'ServerGroupAdministratorRole', 'dbo', 'R')\n ,('sp_sysmanagement_rename_shared_registered_server', 'GRANT', 'ServerGroupAdministratorRole', 'dbo', 'R')\n ,('sp_sysmanagement_rename_shared_server_group', 'GRANT', 'ServerGroupAdministratorRole', 'dbo', 'R')\n ,('sp_sysmanagement_update_shared_registered_server', 'GRANT', 'ServerGroupAdministratorRole', 'dbo', 'R')\n ,('sp_sysmanagement_update_shared_server_group', 'GRANT', 'ServerGroupAdministratorRole', 'dbo', 'R')\n ,('sp_enum_login_for_proxy', 'GRANT', 'SQLAgentOperatorRole', 'dbo', 'R')\n ,('sp_help_alert', 'GRANT', 'SQLAgentOperatorRole', 'dbo', 'R')\n ,('sp_help_notification', 'GRANT', 'SQLAgentOperatorRole', 'dbo', 'R')\n ,('sp_help_targetserver', 'GRANT', 'SQLAgentOperatorRole', 'dbo', 'R')\n ,('sp_purge_jobhistory', 'GRANT', 'SQLAgentOperatorRole', 'dbo', 'R')\n ,('sp_add_job', 'GRANT', 'SQLAgentUserRole', 'dbo', 'R')\n ,('sp_add_jobschedule', 'GRANT', 'SQLAgentUserRole', 'dbo', 'R')\n ,('sp_add_jobserver', 'GRANT', 'SQLAgentUserRole', 'dbo', 'R')\n ,('sp_add_jobstep', 'GRANT', 'SQLAgentUserRole', 'dbo', 'R')\n ,('sp_add_schedule', 'GRANT', 'SQLAgentUserRole', 'dbo', 'R')\n ,('sp_addtask', 'GRANT', 'SQLAgentUserRole', 'dbo', 'R')\n ,('sp_agent_get_jobstep', 'GRANT', 'SQLAgentUserRole', 'dbo', 'R')\n ,('sp_attach_schedule', 'GRANT', 'SQLAgentUserRole', 'dbo', 'R')\n ,('sp_check_for_owned_jobs', 'GRANT', 'SQLAgentUserRole', 'dbo', 'R')\n ,('sp_check_for_owned_jobsteps', 'GRANT', 'SQLAgentUserRole', 'dbo', 'R')\n ,('sp_delete_job', 'GRANT', 'SQLAgentUserRole', 'dbo', 'R')\n ,('sp_delete_jobschedule', 'GRANT', 'SQLAgentUserRole', 'dbo', 'R')\n ,('sp_delete_jobserver', 'GRANT', 'SQLAgentUserRole', 'dbo', 'R')\n ,('sp_delete_jobstep', 'GRANT', 'SQLAgentUserRole', 'dbo', 'R')\n ,('sp_delete_jobsteplog', 'GRANT', 'SQLAgentUserRole', 'dbo', 'R')\n ,('sp_delete_schedule', 'GRANT', 'SQLAgentUserRole', 'dbo', 'R')\n ,('sp_detach_schedule', 'GRANT', 'SQLAgentUserRole', 'dbo', 'R')\n ,('sp_droptask', 'GRANT', 'SQLAgentUserRole', 'dbo', 'R')\n ,('sp_enum_sqlagent_subsystems', 'GRANT', 'SQLAgentUserRole', 'dbo', 'R')\n ,('sp_get_job_alerts', 'GRANT', 'SQLAgentUserRole', 'dbo', 'R')\n ,('sp_get_jobstep_db_username', 'GRANT', 'SQLAgentUserRole', 'dbo', 'R')\n ,('sp_get_sqlagent_properties', 'GRANT', 'SQLAgentUserRole', 'dbo', 'R')\n ,('sp_help_category', 'GRANT', 'SQLAgentUserRole', 'dbo', 'R')\n ,('sp_help_job', 'GRANT', 'SQLAgentUserRole', 'dbo', 'R')\n ,('sp_help_jobactivity', 'GRANT', 'SQLAgentUserRole', 'dbo', 'R')\n ,('sp_help_jobcount', 'GRANT', 'SQLAgentUserRole', 'dbo', 'R')\n ,('sp_help_jobhistory', 'GRANT', 'SQLAgentUserRole', 'dbo', 'R')\n ,('sp_help_jobhistory_full', 'GRANT', 'SQLAgentUserRole', 'dbo', 'R')\n ,('sp_help_jobhistory_sem', 'GRANT', 'SQLAgentUserRole', 'dbo', 'R')\n ,('sp_help_jobhistory_summary', 'GRANT', 'SQLAgentUserRole', 'dbo', 'R')\n ,('sp_help_jobs_in_schedule', 'GRANT', 'SQLAgentUserRole', 'dbo', 'R')\n ,('sp_help_jobschedule', 'GRANT', 'SQLAgentUserRole', 'dbo', 'R')\n ,('sp_help_jobserver', 'GRANT', 'SQLAgentUserRole', 'dbo', 'R')\n ,('sp_help_jobstep', 'GRANT', 'SQLAgentUserRole', 'dbo', 'R')\n ,('sp_help_jobsteplog', 'GRANT', 'SQLAgentUserRole', 'dbo', 'R')\n ,('sp_help_operator', 'GRANT', 'SQLAgentUserRole', 'dbo', 'R')\n ,('sp_help_proxy', 'GRANT', 'SQLAgentUserRole', 'dbo', 'R')\n ,('sp_help_schedule', 'GRANT', 'SQLAgentUserRole', 'dbo', 'R')\n ,('sp_maintplan_subplans_by_job', 'GRANT', 'SQLAgentUserRole', 'dbo', 'R')\n ,('sp_notify_operator', 'GRANT', 'SQLAgentUserRole', 'dbo', 'R')\n ,('sp_start_job', 'GRANT', 'SQLAgentUserRole', 'dbo', 'R')\n ,('sp_stop_job', 'GRANT', 'SQLAgentUserRole', 'dbo', 'R')\n ,('sp_uniquetaskname', 'GRANT', 'SQLAgentUserRole', 'dbo', 'R')\n ,('sp_update_job', 'GRANT', 'SQLAgentUserRole', 'dbo', 'R')\n ,('sp_update_jobschedule', 'GRANT', 'SQLAgentUserRole', 'dbo', 'R')\n ,('sp_update_jobstep', 'GRANT', 'SQLAgentUserRole', 'dbo', 'R')\n ,('sp_update_schedule', 'GRANT', 'SQLAgentUserRole', 'dbo', 'R')\n ,('sp_agent_get_jobstep', 'GRANT', 'TargetServersRole', 'dbo', 'R')\n ,('sp_downloaded_row_limiter', 'GRANT', 'TargetServersRole', 'dbo', 'R')\n ,('sp_enlist_tsx', 'GRANT', 'TargetServersRole', 'dbo', 'R')\n ,('sp_help_jobschedule', 'GRANT', 'TargetServersRole', 'dbo', 'R')\n ,('sp_help_jobstep', 'GRANT', 'TargetServersRole', 'dbo', 'R')\n ,('sp_maintplan_subplans_by_job', 'GRANT', 'TargetServersRole', 'dbo', 'R')\n ,('sp_sqlagent_check_msx_version', 'GRANT', 'TargetServersRole', 'dbo', 'R')\n ,('sp_sqlagent_probe_msx', 'GRANT', 'TargetServersRole', 'dbo', 'R')\n ,('sp_sqlagent_refresh_job', 'GRANT', 'TargetServersRole', 'dbo', 'R')\n ,('fn_encode_sqlname_for_powershell', 'GRANT', 'UtilityCMRReader', 'dbo', 'R')\n ,('fn_sysutility_get_is_instance_ucp', 'GRANT', 'UtilityCMRReader', 'dbo', 'R')\n ,('fn_sysutility_ucp_get_aggregated_failure_count', 'GRANT', 'UtilityCMRReader', 'dbo', 'R')\n ,('fn_sysutility_ucp_get_applicable_policy', 'GRANT', 'UtilityCMRReader', 'dbo', 'R')\n ,('fn_sysutility_ucp_get_global_health_policy', 'GRANT', 'UtilityCMRReader', 'dbo', 'R')\n ,('fn_sysutility_get_culture_invariant_conversion_style_internal', 'GRANT', 'UtilityIMRReader', 'dbo', 'R')\n ,('fn_sysutility_mi_get_cpu_architecture_name', 'GRANT', 'UtilityIMRReader', 'dbo', 'R')\n ,('fn_sysutility_mi_get_cpu_family_name', 'GRANT', 'UtilityIMRReader', 'dbo', 'R')\n ,('sp_sysutility_mi_collect_dac_execution_statistics_internal', 'GRANT', 'UtilityIMRWriter', 'dbo', 'R')\n ,('sp_sysutility_mi_get_dac_execution_statistics_internal', 'GRANT', 'UtilityIMRWriter', 'dbo', 'R')\n\nSELECT [Permission Class]\n ,[Schema Name]\n ,rules.object_name AS [Object]\n ,Permission\n ,[Principal Type]\n ,rules.prin_name AS Principal\nFROM (\n SELECT perms.class_desc COLLATE DATABASE_DEFAULT AS [Permission Class]\n ,object_schema_name(major_id) COLLATE DATABASE_DEFAULT AS [Schema Name]\n ,object_name(major_id) COLLATE DATABASE_DEFAULT AS object_name\n ,perms.permission_name COLLATE DATABASE_DEFAULT AS Permission\n ,type_desc COLLATE DATABASE_DEFAULT AS [Principal Type]\n ,prin.name COLLATE DATABASE_DEFAULT AS prin_name\n ,state_desc COLLATE DATABASE_DEFAULT AS state_desc\n ,prin.type COLLATE DATABASE_DEFAULT AS prin_type\n ,user_name(grantor_principal_id) COLLATE DATABASE_DEFAULT AS user_name\n FROM sys.database_permissions AS perms\n INNER JOIN sys.database_principals AS prin\n ON perms.grantee_principal_id = prin.principal_id\n WHERE permission_name IN ('EXECUTE')\n AND perms.class = 1\n AND [state] IN ('G','W')\n AND grantee_principal_id NOT IN (DATABASE_PRINCIPAL_ID('guest') ,DATABASE_PRINCIPAL_ID('public'))) AS rules\nLEFT JOIN #entries_to_exclude\n ON rules.object_name = #entries_to_exclude.object_name\n AND rules.state_desc = #entries_to_exclude.state_desc\n AND rules.prin_name = #entries_to_exclude.prin_name\n AND rules.user_name = #entries_to_exclude.user_name\n AND rules.prin_type = #entries_to_exclude.prin_type\n WHERE #entries_to_exclude.object_name IS NULL ",
"RequiresAdministrativeConnection": false,
"ExpectedResult": [],
"ColumnNames": [
"Permission Class",
"Schema",
"Object",
"Permission",
"Principal Type",
"Principal"
]
},
"BenchmarkReferences": [
{
"Benchmark": "FedRAMP",
"Reference": null
}
]
},
"VA2108": {
"RuleId": "VA2108",
"Severity": "High",
"Category": "AuthenticationAndAuthorization",
"RuleType": "BaselineExpected",
"Title": "Minimal set of principals should be members of fixed high impact database roles",
"Description": "SQL Server provides roles to help manage the permissions. Roles are security principals that group other principals. Database-level roles are database-wide in their permission scope. This rule checks that a minimal set of principals are members of the fixed database roles.",
"Rationale": "Fixed database roles may have administrative permissions on the system. Following the principle of least privilege, it is important to minimize membership in fixed database roles and keep a baseline of these memberships. See https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/database-level-roles for additional information on database roles.",
"QueryCheck": {
"Query": "SELECT user_name(sr.member_principal_id) as [Principal] \n ,user_name(sr.role_principal_id) as [Role]\n ,type_desc as [Principal Type]\nFROM sys.database_role_members AS sr\nINNER JOIN sys.database_principals sp ON sp.principal_id = sr.member_principal_id\nWHERE sr.role_principal_id IN (user_id('bulkadmin'),\n user_id('db_accessadmin'),\n user_id('db_securityadmin'),\n user_id('db_ddladmin'),\n user_id('db_backupoperator'),\n user_id('db_owner'))\nORDER BY sp.name",
"RequiresAdministrativeConnection": false,
"ExpectedResult": [],
"ColumnNames": [
"Principal",
"Role",
"Principal Type"
]
},
"BenchmarkReferences": [
{
"Benchmark": "FedRAMP",
"Reference": null
}
]
},
"VA2109": {
"RuleId": "VA2109",
"Severity": "Low",
"Category": "AuthenticationAndAuthorization",
"RuleType": "BaselineExpected",
"Title": "Minimal set of principals should be members of fixed low impact database roles",
"Description": "SQL Server provides roles to help manage the permissions. Roles are security principals that group other principals. Database-level roles are database-wide in their permission scope. This rule checks that a minimal set of principals are members of the fixed database roles.",
"Rationale": "Fixed database roles may have administrative permissions on the system. Following the principle of least privilege, it is important to minimize membership in fixed database roles and keep a baseline of these memberships. See https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/database-level-roles for additional information on database roles.",
"QueryCheck": {
"Query": "SELECT user_name(sr.member_principal_id) as [Principal]\n ,user_name(sr.role_principal_id) as [Role]\n ,type_desc as [Principal Type]\nFROM sys.database_role_members AS sr\nINNER JOIN sys.database_principals AS sp ON sp.principal_id = sr.member_principal_id\nWHERE sr.role_principal_id IN (\n user_id('db_datareader')\n ,user_id('db_datawriter')\n ,user_id('db_denydatareader')\n ,user_id('db_denydatawriter')\n )\nORDER BY sp.name",
"RequiresAdministrativeConnection": false,
"ExpectedResult": [],
"ColumnNames": [
"Principal",
"Role",
"Principal Type"
]
},
"BenchmarkReferences": [
{
"Benchmark": "FedRAMP",
"Reference": null
}
]
},
"VA2128": {
"RuleId": "VA2128",
"Severity": "High",
"Category": "InstallationUpdatesAndPatches",
"RuleType": "Binary",
"Title": "Vulnerability Assessment is not supported for SQL Server versions lower than SQL Server 2012",
"Description": "To run a Vulnerability Assessment scan on your SQL Server, the server needs to be upgraded to SQL Server 2012 or higher.SQL Server 2008 R2 and below are no longer supported by Microsoft. See here: https://www.microsoft.com/en-us/cloud-platform/windows-sql-server-2008",
"Rationale": "Older versions of SQL server are no longer supported by Microsoft. Windows Server 2008 R2 end-of-life mainstream support ended on January 13, 2015. On January 14, 2020, Microsoft will end all support for Windows Server 2008 R2. ",
"QueryCheck": {
"Query": "SELECT CASE\n WHEN CONVERT(VARCHAR(128), SERVERPROPERTY ('productversion')) LIKE '7.%' THEN '1'\n WHEN CONVERT(VARCHAR(128), SERVERPROPERTY ('productversion')) LIKE '8.%' THEN '1'\n WHEN CONVERT(VARCHAR(128), SERVERPROPERTY ('productversion')) LIKE '9.%' THEN '1'\n WHEN CONVERT(VARCHAR(128), SERVERPROPERTY ('productversion')) LIKE '10.%' THEN '1'\n ELSE '0'\nEND AS Violation",
"RequiresAdministrativeConnection": false,
"ExpectedResult": [
[
"0"
]
],
"ColumnNames": [
"Violation"
]
},
"BenchmarkReferences": []
},
"VA2129": {
"RuleId": "VA2129",
"Severity": "High",
"Category": "AuthenticationAndAuthorization",
"RuleType": "BaselineExpected",
"Title": "Changes to signed modules should be authorized",
"Description": "You can sign a stored procedure, function or trigger with a certificate or an asymmetric key. This is designed for scenarios when permissions cannot be inherited through ownership chaining or when the ownership chain is broken, such as dynamic SQL. This rule checks for changes made to signed modules which could be an indication of malicious use.",
"Rationale": "Changes made to the contents of a signed module or to the certificate or asymmetric key that is used to sign it, as well as the introduction of new signed modules could be an an indication of an attack. Setting the known signed modules as a baseline allows you to easily detect changes made, and to evaluate whether the changes are intended.",
"QueryCheck": {
"Query": "SELECT \n QUOTENAME(sc.name) + '.' + QUOTENAME(oj.name) AS [Module]\n ,IIF(ct.certificate_id IS NOT NULL, ct.name, ak.name) AS [Signing Object]\n ,dp.name AS [Signing Object Owner]\n ,cp.thumbprint AS [Signing Object Thumbprint]\n ,oj.modify_date AS [Last Definition Modify Date]\n ,HASHBYTES('SHA2_256', cp.crypt_property) AS [Hashed Signature Bits]\n ,IIF(ct.certificate_id IS NOT NULL, 'CERTIFICATE', 'ASYMMETRIC KEY') AS [Signing Object Type]\n -- For debbuging, uncomment following lines:\n -- ,IIF(ct.principal_id IS NOT NULL, SUSER_NAME(ct.principal_id), SUSER_NAME(ak.principal_id)) AS [Owner_Name]\n -- ,oj.type_desc\n -- ,crypt_type\n -- ,md.DEFINITION \n -- ,IIF(ct.subject IS NOT NULL, ct.subject, 'N/A') AS [Certificate Subject]\n -- ,IIF(ct.certificate_id IS NOT NULL, IS_OBJECTSIGNED('OBJECT', oj.object_id, 'certificate', cp.thumbprint), IS_OBJECTSIGNED('OBJECT', oj.object_id, 'asymmetric key', cp.thumbprint)) AS [Is Object Signed]\nFROM \n sys.crypt_properties AS cp\n INNER JOIN sys.objects AS oj ON cp.major_id = oj.object_id\n INNER JOIN sys.schemas AS sc ON oj.schema_id = sc.schema_id\n INNER JOIN sys.sql_modules AS md ON md.object_id = cp.major_id\n LEFT OUTER JOIN sys.certificates AS ct ON cp.thumbprint = ct.thumbprint\n LEFT OUTER JOIN sys.asymmetric_keys AS ak ON cp.thumbprint = ak.thumbprint\n LEFT OUTER JOIN sys.database_principals AS dp ON (ct.sid = dp.sid OR ak.sid = dp.sid)\nWHERE \n oj.type IN ('P','FN','TR')\n AND cp.class_desc = 'OBJECT_OR_COLUMN'",
"RequiresAdministrativeConnection": false,
"ExpectedResult": [],
"ColumnNames": [
"Module",
"Signing Object",
"Signing Object Owner",
"Signing Object Thumbprint",
"Last Definition Modify Date",
"Hashed Signature Bits",
"Signing Object Type"
]
},
"BenchmarkReferences": [
{
"Benchmark": "CIS",
"Reference": null
}
]
}
},
"EndTime": "2020-11-11T07:01:39.4052848Z"
}
]
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment