Sql-Server-2012
SQL Server 登錄在創建時會在數據庫上獲得不需要的高權限
我們需要創建一個只能選擇 4 個特定表的新使用者。為此,我們創建登錄名並將其映射到所需的數據庫:
USE [master] GO CREATE LOGIN [pos] WITH PASSWORD=N'XXXX', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF GO USE [TARGETED_DB_NAME] GO CREATE USER [pos] FOR LOGIN [pos] GO之後,使用者可以執行任何 DML 語句,而他除了公共角色之外沒有其他權限。我們檢查了公共角色權限、伺服器權限等,但找不到使用者可以看到數據庫所有表的原因。
當我們在同一實例的另一個數據庫上創建使用者時,問題不存在。
知道為什麼登錄 pos 會獲得這樣的特權嗎?
以下查詢將有助於深入了解特定使用者直接或間接獲得的權限,根據結果,您可以分析/辨識問題的原因。
USE [TARGETED_DB_NAME] GO Declare @UserName varchar (100) = 'username'; -- Permission applied to user (directly) ------------------------------------------------------------- select d.name, dp.* from sys.database_permissions as dp join sys.database_principals as d on dp.grantee_principal_id = d.principal_id where d.name = (@UserName) --and dp.state = 'D' order by d.principal_id -- Permission applied to user (indirectly) ------------------------------------------------------------- select dm.name as DB_UserName, sp.name as LoginName, dr.name as DB_RoleName, dp.[permission_name], dp.type, dp.state_desc from sys.database_principals as dm join sys.database_role_members as drm on dm.principal_id = drm.member_principal_id join sys.database_principals as dr on drm.role_principal_id = dr.principal_id left join sys.server_principals as sp on dm.sid = sp.sid left join sys.database_permissions as dp on dr.principal_id = dp.grantee_principal_id Where (dm.name = @UserName or sp.name = @UserName) --and dr.name like 'db_deny%' go