use master;
create certificate [cert01] encryption by password = 'liuwqer;qwb42;u4y21;421jk!E' with subject = 'certificate for [dbo].[usp_getRolesByLogin]';

create login [cert01_login] from certificate [cert01];
grant impersonate any login to [cert01_login];
go

--перенос сертификата на целевую бд
declare @sql nvarchar(max) = N'';
declare @pub nvarchar(max) = N'';
declare @pvk nvarchar(max) = N'';
declare @pwd nvarchar(255) = N'liuwqer;qwb42;u4y21;421jk!E';

set @pub = convert(nvarchar(max), certencoded(cert_id('cert01')), 1);
set @pvk = convert(nvarchar(max), certprivatekey(cert_id('cert01'), @pwd, @pwd), 1);
set @pwd = quotename(@pwd, nchar(39));
set @sql = 'create certificate [cert01] from binary = ' + @pub + ' with private key (binary = ' + @pvk + ', decryption by password = ' + @pwd + ', encryption by password = ' + @pwd + ');';
exec [database].sys.sp_executesql @stmt = @sql;
go
--//перенос сертификата на целевую бд

use [database];
go

create or alter procedure [usp_getRolesByLogin]
      @login_name sysname
as
if original_login() <> 'service_account_name' throw 50000, 'procedure can be invoked only from web-service', 16;

if has_perms_by_name(@login_name, 'LOGIN', 'IMPERSONATE') = 0 throw 50000, 'You dont have permissions for impersonate this context', 16;

execute as login = @login_name;

select user_name(rm.[role_principal_id]) as [name], 'DBO_ACCESS' as [usage], 'DATABASE' as [level] 
from sys.server_principals sp
    join sys.database_principals dp on dp.[sid] = sp.[sid]
        join sys.database_role_members rm on rm.[member_principal_id] = dp.[principal_id]
where sp.[name] = @login_name
  and user_name() = 'dbo'
union
select [name], [usage], 'DATABASE' from sys.user_token where [type] = 'ROLE'
union
select [name], [usage], 'SERVER' from sys.login_token where [type] = 'SERVER ROLE';

revert;
go

add signature to [dbo].[usp_getRolesByLogin] by certificate [cert01] with password = 'liuwqer;qwb42;u4y21;421jk!E';