Get-DbaPermission does not process DENY

[pollusb]

Type of Change

• Bug fix (non-breaking change, fixes # )
• New feature (non-breaking change, adds functionality, fixes # )
• Breaking change (affects multiple commands or functionality, fixes # )
• Ran manual Pester test and has passed (.\tests\manual.pester.ps1)
• Adding code coverage to existing functionality
• Pester test is included
• If new file reference added for test, has is been added to github.com/dataplat/appveyor-lab ?
• Unit test is included
• Documentation
• Build system

Purpose

Resolve wrong GrantStatement

Commands to test

PS> $perm = Get-DbaPermission @splat -ExcludeSystemObjects 
PS> $perm|? PermState -eq DENY|select -f 1 PermState,PermissionName,GrantStatement

PermState      : DENY
PermissionName : DELETE
GrantStatement : GRANT DELETE ON [dbo].[table1] TO [user1]

PS> $perm = Get-DbaPermission @splat -ExcludeSystemObjects 
PS> $perm|? PermState -eq DENY|select -f 1 PermState,PermissionName,GrantStatement

PermState      : DENY
PermissionName : DELETE
GrantStatement : DENY DELETE ON [dbo].[table1] TO [user1]

[pollusb]

What can I do to help it pass the last check?

Thanks

[niphlod]

hi @pollusb , failure was seemingly unrelated. I restarted the CI process.
PS: If I'm not around just pushing a new commit will trigger the CI automatically.

[pollusb]

Thanks for the tip Le ven. 5 juill. 2024 03:00, Simone Bizzotto ***@***.***> a écrit :

…

hi @pollusb <https://github.com/pollusb> , failure was seemingly unrelated. I restarted the CI process. PS: If I'm not around just pushing a new commit will trigger the CI automatically. — Reply to this email directly, view it on GitHub <#9416 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAFFZ4P7BCBCPM3DSXL4XOTZKZACRAVCNFSM6AAAAABKLX4CAWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDEMJQGMYDSOJQG4> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[pollusb]

@Imran-imtiaz48
Are you asking something from me?
If so, please clarify exactly what you expect from me.

Thanks

[pollusb]

The actual code does not provide the right TSQL command. On database objects, you can GRANT or DENY an ACTION on an OBJECT to a USER. Let's use this example:
GRANT SELECT on dbo.Table1 to User1
When you ask Get-DbaPermission to provide 'GrantStatement' it will resolve correctly. But if you try to DENY it then the actual rationale is wrong.
DENY SELECT on dbo.Table1 to User1 would produce GRANT SELECT on dbo.Table1 to User1 in column GrantStatement.

I know that the column name is GrantStatement and RevokeStatement. We shouldn't create a new column DenyColumn because you can REVOKE both GRANT or DENY in the same way.

GRANT SELECT on dbo.Table1 to User1 -- would give access
DENY SELECT on dbo.Table1 to User1 -- would revoke the precedent grant and deny access
REVOKE SELECT on dbo.Table1 to User1 -- would revoke the precedent deny

[potatoqualitee]

@pollusb please ignore the review, it's AI generated. I appreciate AI but it needs to be implemented with intent and after a discussion with the team.

[potatoqualitee]

and thank you! 🥳

[pollusb]

Thanks to you.