Export-DbaLogin: Add -IncludeRolePermissions switch (#10196)

mbentham · web-flow · commit 7777c14012c5 · 2026-03-06T13:34:57.000+01:00
diff --git a/public/Export-DbaLogin.ps1 b/public/Export-DbaLogin.ps1
@@ -88,6 +88,11 @@ function Export-DbaLogin {
         Includes detailed object-level permissions for each database user associated with the exported logins.
         Use this for complete permission migration when you need granular security settings preserved in the target environment.
 
+    .PARAMETER IncludeRolePermissions
+        Includes permissions granted to database roles that the login's database users are members of.
+        By default, Export-DbaLogin scripts role membership (ALTER ROLE ... ADD MEMBER) but not the permissions granted to those roles.
+        Use this switch to also export GRANT/DENY statements for each non-fixed role, ensuring the roles have the correct permissions on the target server.
+
     .PARAMETER EnableException
         By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
         This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables advanced scripting.
@@ -207,6 +212,7 @@ function Export-DbaLogin {
         [switch]$NoPrefix,
         [switch]$Passthru,
         [switch]$ObjectLevel,
+        [switch]$IncludeRolePermissions,
         [switch]$EnableException
     )
 
@@ -529,6 +535,29 @@ function Export-DbaLogin {
                             } catch {
                                 Stop-Function -Message "Failed to extract permissions for user $dbUserName in database $dbName" -Continue -ErrorRecord $_
                             }
+
+                            if ($IncludeRolePermissions) {
+                                foreach ($role in $sourceDb.Roles) {
+                                    if ($role.IsFixedRole -eq $false -and $role.EnumMembers() -contains $dbUserName) {
+                                        $splatExportRole = @{
+                                            SqlInstance    = $server
+                                            Database       = $dbName
+                                            Role           = $role.Name
+                                            Passthru       = $true
+                                            NoPrefix       = $true
+                                            BatchSeparator = ""
+                                        }
+                                        try {
+                                            $roleScript = Export-DbaDbRole @splatExportRole
+                                            if ($roleScript) {
+                                                $outsql += $roleScript
+                                            }
+                                        } catch {
+                                            Write-Message -Level Warning -Message "Failed to export permissions for role $($role.Name) in database $dbName : $($_.Exception.Message)"
+                                        }
+                                    }
+                                }
+                            }
                         } else {
                             try {
                                 $sql = $server.Databases[$dbName].Users[$dbUserName].Script($scriptOptions)
@@ -551,6 +580,29 @@ function Export-DbaLogin {
                                 }
                             }
 
+                            if ($IncludeRolePermissions) {
+                                foreach ($role in $sourceDb.Roles) {
+                                    if ($role.IsFixedRole -eq $false -and $role.EnumMembers() -contains $dbUserName) {
+                                        $splatExportRole = @{
+                                            SqlInstance    = $server
+                                            Database       = $dbName
+                                            Role           = $role.Name
+                                            Passthru       = $true
+                                            NoPrefix       = $true
+                                            BatchSeparator = ""
+                                        }
+                                        try {
+                                            $roleScript = Export-DbaDbRole @splatExportRole
+                                            if ($roleScript) {
+                                                $outsql += $roleScript
+                                            }
+                                        } catch {
+                                            Write-Message -Level Warning -Message "Failed to export permissions for role $($role.Name) in database $dbName : $($_.Exception.Message)"
+                                        }
+                                    }
+                                }
+                            }
+
                             # Connect, Alter Any Assembly, etc
                             $perms = $sourceDb.EnumDatabasePermissions($dbUserName)
                             foreach ($perm in $perms) {
diff --git a/tests/Export-DbaLogin.Tests.ps1 b/tests/Export-DbaLogin.Tests.ps1
@@ -31,6 +31,7 @@ Describe $CommandName -Tag UnitTests {
                 "NoPrefix",
                 "Passthru",
                 "ObjectLevel",
+                "IncludeRolePermissions",
                 "EnableException"
             )
             Compare-Object -ReferenceObject $expectedParameters -DifferenceObject $hasParameters | Should -BeNullOrEmpty
@@ -73,6 +74,21 @@ Describe $CommandName -Tag IntegrationTests {
         $login3 = "dbatoolsci_exportdbalogin_login3$random"
         $server.Query("CREATE LOGIN [$login3] WITH PASSWORD = 'GoodPass1234!'")
         $db1.Query("CREATE USER [$login3] WITHOUT LOGIN")
+
+        # login with a custom role that has granted permissions (for IncludeRolePermissions tests)
+        $login4 = "dbatoolsci_exportdbalogin_login4$random"
+        $user4 = "dbatoolsci_exportdbalogin_user4$random"
+        $role4 = "dbatoolsci_exportdbalogin_role4$random"
+        $null = $server.Query("CREATE LOGIN [$login4] WITH PASSWORD = 'GoodPass1234!'")
+        $db1.Query("CREATE USER [$user4] FOR LOGIN [$login4]")
+        $db1.Query("CREATE ROLE [$role4]")
+        $db1.Query("GRANT SELECT ON SCHEMA::dbo TO [$role4]")
+        $db1.Query("GRANT EXECUTE ON SCHEMA::dbo TO [$role4]")
+        if ($server.VersionMajor -lt 11) {
+            $db1.Query("EXEC sp_addrolemember @rolename = N'$role4', @membername = N'$user4'")
+        } else {
+            $db1.Query("ALTER ROLE [$role4] ADD MEMBER [$user4]")
+        }
     }
     AfterAll {
         Remove-DbaDatabase -SqlInstance $TestConfig.InstanceSingle -Database $dbname1
@@ -87,6 +103,7 @@ Describe $CommandName -Tag IntegrationTests {
         }
 
         Remove-DbaLogin -SqlInstance $TestConfig.InstanceSingle -Login $login3
+        Remove-DbaLogin -SqlInstance $TestConfig.InstanceSingle -Login $login4
     }
 
     Context "Executes with Exclude Parameters" {
@@ -159,6 +176,24 @@ Describe $CommandName -Tag IntegrationTests {
             $results | Should -Match ([regex]::Escape("IF NOT EXISTS (SELECT * FROM sys.database_principals WHERE name = N'$user1')"))
         }
     }
+    Context "Executes with IncludeRolePermissions" {
+        It "Should include role permissions in non-ObjectLevel export" {
+            $results = Export-DbaLogin -SqlInstance $server -Login $login4 -Database $dbname1 -IncludeRolePermissions -Passthru -WarningAction SilentlyContinue
+            $results | Should -Match "GRANT SELECT ON SCHEMA::\[dbo\]"
+            $results | Should -Match "GRANT EXECUTE ON SCHEMA::\[dbo\]"
+            $results | Should -Match ([regex]::Escape("[$role4]"))
+        }
+        It "Should include role permissions in ObjectLevel export" {
+            $results = Export-DbaLogin -SqlInstance $server -Login $login4 -Database $dbname1 -ObjectLevel -IncludeRolePermissions -Passthru -WarningAction SilentlyContinue
+            $results | Should -Match "GRANT SELECT ON SCHEMA::\[dbo\]"
+            $results | Should -Match "GRANT EXECUTE ON SCHEMA::\[dbo\]"
+            $results | Should -Match ([regex]::Escape("[$role4]"))
+        }
+        It "Should not include role permissions without the switch" {
+            $results = Export-DbaLogin -SqlInstance $server -Login $login4 -Database $dbname1 -Passthru -WarningAction SilentlyContinue
+            $results | Should -Not -Match "GRANT SELECT ON SCHEMA::\[dbo\]"
+        }
+    }
     Context "Exports file to random and specified paths" {
         It "Should export file to the configured path" {
             $file = Export-DbaLogin -SqlInstance $TestConfig.InstanceSingle -ExcludeDatabase -WarningAction SilentlyContinue
