
$script:sqlServerDscHelperModulePath = Join-Path -Path $PSScriptRoot -ChildPath '..\..\Modules\SqlServerDsc.Common'
$script:resourceHelperModulePath = Join-Path -Path $PSScriptRoot -ChildPath '..\..\Modules\DscResource.Common'

Import-Module -Name $script:sqlServerDscHelperModulePath
Import-Module -Name $script:resourceHelperModulePath

$script:localizedData = Get-LocalizedData -DefaultUICulture 'en-US'

        Returns the current permissions for the object in the database.
    .PARAMETER InstanceName
        Specifies the name of the SQL instance to be configured.
    .PARAMETER DatabaseName
        Specifies the name of the database where the object resides.
    .PARAMETER SchemaName
        Specifies the name of the schema for the database object.
    .PARAMETER ObjectName
        Specifies the name of the database object to set permission for.
        Can be an empty value when setting permission for a schema.
    .PARAMETER ObjectType
        Specifies the type of the database object to set permission for.
        Specifies the name of the database user, user-defined database role, or
        database application role that will have the permission.
    .PARAMETER Permission
        Specifies the permissions as an array of embedded instances of the
        DSC_DatabaseObjectPermission CIM class.
    .PARAMETER ServerName
        Specifies the host name of the SQL Server to be configured. Default value
        is the current computer name.
    .PARAMETER Force
        Specifies that permissions that has parameter Ensure set to 'Present'
        (the default value for permissions) should always be enforced even if that
        encompasses cascading revocations. An example if the desired state is
        'Grant' but the current state is 'GrantWithGrant'. If parameter Force is set
        to $true the With Grant permission is revoked, if set to $false an exception
        is thrown since the desired state could not be set. Default is to throw an

function Get-TargetResource
    [System.Diagnostics.CodeAnalysis.SuppressMessageAttribute('SqlServerDsc.AnalyzerRules\Measure-CommandsNeededToLoadSMO', '', Justification = 'The command Connect-Sql is called when Get-DatabaseObject is called')]
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]
        [ValidateSet('Schema', 'Table', 'View', 'StoredProcedure')]

        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]

        $ServerName = (Get-ComputerName),


    Write-Verbose -Message (
        $script:localizedData.GetObjectPermission -f ('{0}.{1}' -f $SchemaName, $ObjectName), $ObjectType, $DatabaseName, $InstanceName, $ServerName

    $Permission = Assert-PermissionEnsureProperty -Permission $Permission

    # Create an empty collection of CimInstance that we can return.
    $cimInstancePermissionCollection = New-Object -TypeName 'System.Collections.ObjectModel.Collection`1[Microsoft.Management.Infrastructure.CimInstance]'

    $returnValue = @{
        ServerName   = $ServerName
        InstanceName = $InstanceName
        DatabaseName = $DatabaseName
        SchemaName   = $SchemaName
        ObjectName   = $ObjectName
        ObjectType   = $ObjectType
        Name         = $Name
        Permission   = $cimInstancePermissionCollection
        Force        = $Force

    $getDatabaseObjectParameters = @{
        ServerName   = $ServerName
        InstanceName = $InstanceName
        DatabaseName = $DatabaseName
        SchemaName   = $SchemaName
        ObjectName   = $ObjectName
        ObjectType   = $ObjectType

    $sqlObject = Get-DatabaseObject @getDatabaseObjectParameters

    if ($sqlObject)
        # Get the names of the possible permissions by creating an empty object.
        $permissionProperties = (
            New-Object -TypeName 'Microsoft.SqlServer.Management.Smo.ObjectPermissionSet' |
                Get-Member -MemberType 'Property'

        # Loop through each desired permission state.
        foreach ($desiredPermission in $Permission)
            [System.String[]] $currentObjectPermissionNames = @()

            # Get all current permissions for the permission state.
            $currentObjectPermissions = $sqlObject.EnumObjectPermissions($Name) |
                Where-Object -FilterScript {
                    $_.PermissionState -eq $desiredPermission.State

            if ($currentObjectPermissions)
                # Loop through each property to see if it is set to $true
                foreach ($currentPermissionProperty in $permissionProperties)
                    foreach ($objectPermission in $currentObjectPermissions)
                        if ($true -in $objectPermission.PermissionType[0].$currentPermissionProperty)
                            $currentObjectPermissionNames += $currentPermissionProperty

                # Remove any duplicate permission names.
                $currentObjectPermissionNames = @(
                    $currentObjectPermissionNames |
                        Sort-Object -Unique

            $compareObjectParameters = @{
                ReferenceObject  = $desiredPermission.Permission
                DifferenceObject = $currentObjectPermissionNames

            $resultOfPermissionCompare = Compare-Object @compareObjectParameters |
                Where-Object -FilterScript {
                    $_.SideIndicator -eq '<='

            # If there are no missing permission then return 'Ensure' state as 'Present'.
            if ($null -eq $resultOfPermissionCompare)
                $currentState = 'Present'
                $currentState = 'Absent'

            $cimInstancePermissionCollection += ConvertTo-CimDatabaseObjectPermission `
                -Permission $desiredPermission.Permission `
                -PermissionState $desiredPermission.State `
                -Ensure $currentState

        $returnValue['Permission'] = $cimInstancePermissionCollection

    return $returnValue

        Sets the permissions for the object in the database.
    .PARAMETER InstanceName
        Specifies the name of the SQL instance to be configured.
    .PARAMETER DatabaseName
        Specifies the name of the database where the object resides.
    .PARAMETER SchemaName
        Specifies the name of the schema for the database object.
    .PARAMETER ObjectName
        Specifies the name of the database object to set permission for.
        Can be an empty value when setting permission for a schema.
    .PARAMETER ObjectType
        Specifies the type of the database object to set permission for.
        Specifies the name of the database user, user-defined database role, or
        database application role that will have the permission.
    .PARAMETER Permission
        Specifies the permissions as an array of embedded instances of the
        DSC_DatabaseObjectPermission CIM class.
    .PARAMETER ServerName
        Specifies the host name of the SQL Server to be configured. Default value
        is the current computer name.
    .PARAMETER Force
        Specifies that permissions that has parameter Ensure set to 'Present'
        (the default value for permissions) should always be enforced even if that
        encompasses cascading revocations. An example if the desired state is
        'Grant' but the current state is 'GrantWithGrant'. If parameter Force is set
        to $true the With Grant permission is revoked, if set to $false an exception
        is thrown since the desired state could not be set. Default is to throw an

function Set-TargetResource
    [System.Diagnostics.CodeAnalysis.SuppressMessageAttribute('SqlServerDsc.AnalyzerRules\Measure-CommandsNeededToLoadSMO', '', Justification = 'The command Connect-Sql will be implicitly called in the call to Compare-TargetResourceState')]
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]
        [ValidateSet('Schema', 'Table', 'View', 'StoredProcedure')]

        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]

        $ServerName = (Get-ComputerName),


    $Permission = Assert-PermissionEnsureProperty -Permission $Permission

        Compare the current state against the desired state. Calling this will
        also import the necessary module to later call Get-ServerProtocolObject
        which uses the SMO class ManagedComputer.

    $propertyState = Compare-TargetResourceState @PSBoundParameters

    # Get all properties that are not in desired state.
    $propertiesNotInDesiredState = $propertyState | Where-Object -FilterScript { -not $_.InDesiredState }

    if ($propertiesNotInDesiredState.Count -gt 0)
        Write-Verbose -Message (
            $script:localizedData.SetDesiredState -f ('{0}.{1}' -f $SchemaName, $ObjectName)

        $getDatabaseObjectParameters = @{
            ServerName   = $ServerName
            InstanceName = $InstanceName
            DatabaseName = $DatabaseName
            SchemaName   = $SchemaName
            ObjectName   = $ObjectName
            ObjectType   = $ObjectType

        $sqlObject = Get-DatabaseObject @getDatabaseObjectParameters

        if ($sqlObject)
            $permissionProperty = $propertiesNotInDesiredState | Where-Object -FilterScript { $_.ParameterName -eq 'Permission' }

            # Check if Permission property need updating.
            if ($permissionProperty)
                # Loop through each desired permission state.
                foreach ($desiredPermissionState in $Permission)
                    # Get the equivalent permission state form the current state.
                    $currentPermissionState = $permissionProperty.Actual | Where-Object -FilterScript { $_.State -eq $desiredPermissionState.State }

                    if ($desiredPermissionState.Ensure -ne $currentPermissionState.Ensure)
                            $permissionSet = New-Object -TypeName 'Microsoft.SqlServer.Management.Smo.ObjectPermissionSet'

                            # Prepare the desired permission set to assign to the object.
                            foreach ($permissionName in $desiredPermissionState.Permission)
                                $permissionSet."$permissionName" = $true

                            switch ($desiredPermissionState.Ensure)
                                    Write-Verbose -Message (
                                        $script:localizedData.SetPermission -f @(
                                            ($desiredPermissionState.Permission -join ','),
                                            ('{0}.{1}' -f $SchemaName, $ObjectName),

                                    switch ($desiredPermissionState.State)
                                            $sqlObject.Grant($permissionSet, $Name, $true)

                                                If the permission was previously granted using With Grant then With Grant is
                                                revoked from all permissions since it is not the desired state.
                                                Even if we just revoke the With Grant and leaving the desired permission the
                                                permissions must always be granted regardless, this is because it is not known
                                                which permissions existed with With Grant or did not exist at all. It could be
                                                known if looping through the permissions and evaluating With Grant for each,
                                                but that would mean additional calls that did not seem necessary at the time

                                            if ($sqlObject.EnumObjectPermissions($Name, $permissionSet).PermissionState -contains 'GrantWithGrant')
                                                if ($Force)
                                                    Write-Verbose -Message (
                                                        $script:localizedData.RevokePermissionWithGrant -f @(
                                                            ($desiredPermissionState.Permission -join ','),
                                                            ('{0}.{1}' -f $SchemaName, $ObjectName),

                                                    # This must cascade the revoke.
                                                    $sqlObject.Revoke($permissionSet, $Name, $true, $true)
                                                    $errorMessage = $script:localizedData.GrantCantBeSetBecauseRevokeIsNotOptedIn -f @(
                                                        ($desiredPermissionState.Permission -join ','),
                                                        ('{0}.{1}' -f $SchemaName, $ObjectName),

                                                    New-InvalidOperationException -Message $errorMessage

                                            $sqlObject.Grant($permissionSet, $Name)

                                            $sqlObject.Deny($permissionSet, $Name)

                                    Write-Verbose -Message (
                                        $script:localizedData.RevokePermission -f @(
                                            ($desiredPermissionState.Permission -join ','),
                                            ('{0}.{1}' -f $SchemaName, $ObjectName),

                                    if ($desiredPermissionState.State -eq 'GrantWithGrant')
                                        $sqlObject.Revoke($permissionSet, $Name, $false, $true)
                                        $sqlObject.Revoke($permissionSet, $Name)
                            $errorMessage = $script:localizedData.FailedToSetDatabaseObjectPermission -f @(
                                ('{0}.{1}' -f $SchemaName, $ObjectName),

                            New-InvalidOperationException -Message $errorMessage -ErrorRecord $_
                        Write-Verbose -Message (
                            $script:localizedData.PermissionStateInDesiredState -f @(
                                ('{0}.{1}' -f $SchemaName, $ObjectName)
            $errorMessage = $script:localizedData.FailedToGetDatabaseObject -f @(
                ('{0}.{1}' -f $SchemaName, $ObjectName),

            New-InvalidOperationException -Message $errorMessage
        Write-Verbose -Message (
            $script:localizedData.DatabaseObjectIsInDesiredState -f $ObjectName, $ObjectType

        Determines if the permissions is set for the object in the database.
    .PARAMETER InstanceName
        Specifies the name of the SQL instance to be configured.
    .PARAMETER DatabaseName
        Specifies the name of the database where the object resides.
    .PARAMETER SchemaName
        Specifies the name of the schema for the database object.
    .PARAMETER ObjectName
        Specifies the name of the database object to set permission for.
        Can be an empty value when setting permission for a schema.
    .PARAMETER ObjectType
        Specifies the type of the database object to set permission for.
        Specifies the name of the database user, user-defined database role, or
        database application role that will have the permission.
    .PARAMETER Permission
        Specifies the permissions as an array of embedded instances of the
        DSC_DatabaseObjectPermission CIM class.
    .PARAMETER ServerName
        Specifies the host name of the SQL Server to be configured. Default value
        is the current computer name.
    .PARAMETER Force
        Specifies that permissions that has parameter Ensure set to 'Present'
        (the default value for permissions) should always be enforced even if that
        encompasses cascading revocations. An example if the desired state is
        'Grant' but the current state is 'GrantWithGrant'. If parameter Force is set
        to $true the With Grant permission is revoked, if set to $false an exception
        is thrown since the desired state could not be set. Default is to throw an

function Test-TargetResource
    [System.Diagnostics.CodeAnalysis.SuppressMessageAttribute('SqlServerDsc.AnalyzerRules\Measure-CommandsNeededToLoadSMO', '', Justification = 'The command Connect-Sql will be implicitly called in the call to Compare-TargetResourceState')]
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]
        [ValidateSet('Schema', 'Table', 'View', 'StoredProcedure')]

        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]

        $ServerName = (Get-ComputerName),


    $fullObjectName = '{0}.{1}' -f $SchemaName, $ObjectName

    Write-Verbose -Message (
        $script:localizedData.TestDesiredState -f @(

    $propertyState = Compare-TargetResourceState @PSBoundParameters

    if ($false -in $propertyState.InDesiredState)
        $testTargetResourceReturnValue = $false

        Write-Verbose -Message (
            $script:localizedData.NotInDesiredState -f $fullObjectName
        $testTargetResourceReturnValue = $true

        Write-Verbose -Message (
            $script:localizedData.InDesiredState -f $fullObjectName

    return $testTargetResourceReturnValue

        Determines if the permissions is set for the object in the database.
    .PARAMETER InstanceName
        Specifies the name of the SQL instance to be configured.
    .PARAMETER DatabaseName
        Specifies the name of the database where the object resides.
    .PARAMETER SchemaName
        Specifies the name of the schema for the database object.
    .PARAMETER ObjectName
        Specifies the name of the database object to set permission for.
        Can be an empty value when setting permission for a schema.
    .PARAMETER ObjectType
        Specifies the type of the database object to set permission for.
        Specifies the name of the database user, user-defined database role, or
        database application role that will have the permission.
    .PARAMETER Permission
        Specifies the permissions as an array of embedded instances of the
        DSC_DatabaseObjectPermission CIM class.
    .PARAMETER ServerName
        Specifies the host name of the SQL Server to be configured. Default value
        is the current computer name.
    .PARAMETER Force
        Specifies that permissions that has parameter Ensure set to 'Present'
        (the default value for permissions) should always be enforced even if that
        encompasses cascading revocations. An example if the desired state is
        'Grant' but the current state is 'GrantWithGrant'. If parameter Force is set
        to $true the With Grant permission is revoked, if set to $false an exception
        is thrown since the desired state could not be set. Default is to throw an

function Compare-TargetResourceState
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]
        [ValidateSet('Schema', 'Table', 'View', 'StoredProcedure')]

        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]

        $ServerName = (Get-ComputerName),


    $Permission = Assert-PermissionEnsureProperty -Permission $Permission

    $getTargetResourceParameters = @{
        InstanceName = $InstanceName
        DatabaseName = $DatabaseName
        SchemaName   = $SchemaName
        ObjectName   = $ObjectName
        ObjectType   = $ObjectType
        Name         = $Name
        Permission   = $Permission
        ServerName   = $ServerName
        Force        = $Force

        We remove any parameters not passed by $PSBoundParameters so that
        Get-TargetResource can also evaluate $PSBoundParameters correctly.
        Need the @() around the Keys property to get a new array to enumerate.

    @($getTargetResourceParameters.Keys) | ForEach-Object -Process {
        if (-not $PSBoundParameters.ContainsKey($_))

    $getTargetResourceResult = Get-TargetResource @getTargetResourceParameters

    $compareTargetResourceStateParameters = @{
        CurrentValues            = $getTargetResourceResult
        DesiredValues            = $PSBoundParameters
        Properties               = @(
            This is the property that makes each DSC_DatabaseObjectPermission
            CIM instance unique in the collection. It will be used to filter out
            the values to compare against in the current state.

        CimInstanceKeyProperties = @{
            Permission = @('Permission', 'State')

    return Compare-ResourcePropertyState @compareTargetResourceStateParameters

        Returns the object class for the specified name och object type.
    .PARAMETER ServerName
        Specifies the host name of the SQL Server to be configured.
    .PARAMETER InstanceName
        Specifies the name of the SQL instance to be configured.
    .PARAMETER DatabaseName
        Specifies the name of the database where the object resides.
    .PARAMETER SchemaName
        Specifies the name of the schema for the database object.
    .PARAMETER ObjectName
        Specifies the name of the database object to set per mission for.
        Can be an empty value when setting permission for a schema.
    .PARAMETER ObjectType
        Specifies the type of the database object to set permission for.

function Get-DatabaseObject
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]
        [ValidateSet('Schema', 'Table', 'View', 'StoredProcedure')]

    $sqlObject = $null

    $sqlServerObject = Connect-SQL -ServerName $ServerName -InstanceName $InstanceName -ErrorAction 'Stop'

    if ($sqlServerObject)
        $sqlDatabaseObject = $sqlServerObject.Databases[$DatabaseName]

        if ($sqlDatabaseObject)
            $sqlObject = switch ($ObjectType)

                    $sqlDatabaseObject.Tables.Item($ObjectName, $SchemaName)

                    $sqlDatabaseObject.StoredProcedures.Item($ObjectName, $SchemaName)

                    $sqlDatabaseObject.Views.Item($ObjectName, $SchemaName)

    return $sqlObject

        Converts permission names to DSC_DatabaseObjectPermission CIM class.
    .PARAMETER Permission
        This represents a SQL Server database object permission.
    .PARAMETER PermissionState
        This is the state of permission set. Valid values are 'Grant', 'Deny', or 'GrantWithGrant'.
    .PARAMETER Ensure
        Ensure if the permission should be granted (Present) or revoked (Absent).
        Default value is 'Present'.

function ConvertTo-CimDatabaseObjectPermission
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]

        [ValidateSet('Present', 'Absent')]

    if (-not $PSBoundParameters.ContainsKey('Ensure'))
        $Ensure = 'Present'

    $cimClassName = 'DSC_DatabaseObjectPermission'
    $cimNamespace = 'root/microsoft/Windows/DesiredStateConfiguration'

    $cimProperties = @{
        State      = $PermissionState
        Permission = $Permission
        Ensure     = $Ensure

    return New-CimInstance -ClassName $cimClassName `
        -Namespace $cimNamespace `
        -Property $cimProperties `

        Asserts that if Ensure property is not set, then the Ensure property is
        set to 'Present' (which is the default).
    .PARAMETER Permission
        Specifies array of permission CIM instances.

function Assert-PermissionEnsureProperty
        [Parameter(Mandatory = $true)]

    foreach ($desiredPermission in $Permission)
        if (-not $desiredPermission.Ensure)
            $desiredPermission.Ensure = 'Present'

    return $Permission