Export-DbaLogin: Add -IncludeRolePermissions switch #10196

Open
mbentham wants to merge 1 commit into dataplat:development from mbentham:export-dbalogin-role-permissions
Conversation

@mbentham (Contributor) commented Feb 27, 2026

Type of Change

  • Bug fix (non-breaking change, fixes # )
  • New feature (non-breaking change, adds functionality, fixes Export-DbaLogin: add option to export roles that the login or its users are members of #10037 )
  • Breaking change (affects multiple commands or functionality, fixes # )
  • Ran manual Pester test and has passed (Invoke-ManualPester)
  • Adding code coverage to existing functionality
  • Pester test is included
  • If new file reference added for test, has it been added to github.com/dataplat/appveyor-lab ?
  • Unit test is included
  • Documentation
  • Build system

Purpose

Export-DbaLogin scripts role membership (ALTER ROLE ... ADD MEMBER) but silently omits the permissions granted to those roles. This means exported scripts can appear complete while missing critical GRANT/DENY statements, causing roles to exist on the target server with no actual permissions.

Approach

Add -IncludeRolePermissions switch that calls Export-DbaDbRole internally for each non-fixed role the login's database user belongs to, appending the role's GRANT/DENY statements to the export script. Implemented in both the ObjectLevel and non-ObjectLevel code paths.

Commands to test

Export a login with role permissions included

Export-DbaLogin -SqlInstance sqlserver -Login mylogin -IncludeRolePermissions -Passthru

Combined with ObjectLevel

Export-DbaLogin -SqlInstance sqlserver -Login mylogin -ObjectLevel -IncludeRolePermissions -Passthru

Without the switch (should NOT include role GRANT statements - existing behavior unchanged)

Export-DbaLogin -SqlInstance sqlserver -Login mylogin -Passthru

Note

Couldn't run Invoke-ManualPester due to missing dependency (PSScriptAnalyzer), but running tests with Invoke-Pester directly ran successfully.

Add switch to export permissions granted to database roles that the
login's database users are members of. By default, Export-DbaLogin
scripts role membership (ALTER ROLE ... ADD MEMBER) but not the
permissions granted to those roles. The new switch calls Export-DbaDbRole
internally for each non-fixed role, appending GRANT/DENY statements to
the export script. Works in both ObjectLevel and non-ObjectLevel paths.

Tracks dataplat#10037

(do Export-DbaLogin)

Co-Authored-By: Claude Opus 4.6 <[email protected]>
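
A check for the gap described under Purpose, as an added example that is not part of this PR or of dbatools: run it in each user database on the target server after applying an exported script to find roles that were recreated without their GRANT/DENY statements. It assumes "non-fixed role" corresponds to `is_fixed_role = 0`, and `mylogin` is the sample login name from the test commands above.

```sql
-- Added example, not dbatools code. Run in the user database being verified.
-- Lists every non-fixed database role the login's user is a direct member of,
-- with the explicit permissions held by that role. A role that returns a row
-- with NULL permission columns exists but grants nothing.
DECLARE @login sysname = N'mylogin';  -- sample login name (assumption)

WITH member_roles AS (
    SELECT r.principal_id, r.name AS role_name
    FROM sys.database_principals AS u
    JOIN sys.database_role_members AS rm
        ON rm.member_principal_id = u.principal_id
    JOIN sys.database_principals AS r
        ON r.principal_id = rm.role_principal_id
    WHERE u.sid = SUSER_SID(@login)   -- map the server login to its database user
      AND r.type = 'R'                -- database roles only
      AND r.is_fixed_role = 0         -- skip db_owner, db_datareader, ...
)
SELECT
    mr.role_name,
    p.state_desc,                     -- GRANT, DENY, GRANT_WITH_GRANT_OPTION
    p.permission_name,
    p.class_desc,
    CASE p.class
        WHEN 0 THEN DB_NAME()                                   -- database level
        WHEN 1 THEN QUOTENAME(OBJECT_SCHEMA_NAME(p.major_id))
                    + N'.' + QUOTENAME(OBJECT_NAME(p.major_id)) -- object or column
        WHEN 3 THEN QUOTENAME(SCHEMA_NAME(p.major_id))          -- schema
    END AS securable,                 -- NULL for other securable classes
    CASE WHEN p.permission_name IS NULL
         THEN 'role has no explicit permissions'
         ELSE ''
    END AS finding
FROM member_roles AS mr
LEFT JOIN sys.database_permissions AS p
    ON p.grantee_principal_id = mr.principal_id
ORDER BY mr.role_name, p.class, securable, p.permission_name;
-- Limitation: only direct role membership is followed; roles nested inside
-- other roles are not expanded.
```

Running the same query on the source and target databases and comparing the results shows any GRANT or DENY that the export did not carry over.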
@potatoqualitee (Member)

Should this be default? Feels like it should be default. Whatcha think @ClaudioESSilva and @andreasjordan ?
