Sql-Server-2012

SQL Server 登錄在創建時會在數據庫上獲得不需要的高權限

  • September 5, 2019

我們需要創建一個只能選擇 4 個特定表的新使用者。為此,我們創建登錄名並將其映射到所需的數據庫:

USE [master]
GO
CREATE LOGIN [pos] WITH PASSWORD=N'XXXX', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF
GO

USE [TARGETED_DB_NAME]
GO
CREATE USER [pos] FOR LOGIN [pos]
GO

之後,使用者可以執行任何 DML 語句,而他除了公共角色之外沒有其他權限。我們檢查了公共角色權限、伺服器權限等,但找不到使用者可以看到數據庫所有表的原因。

當我們在同一實例的另一個數據庫上創建使用者時,問題不存在。

知道為什麼登錄 pos 會獲得這樣的特權嗎?

以下查詢將有助於深入了解特定使用者直接間接獲得的權限,根據結果,您可以分析/辨識問題的原因。

USE [TARGETED_DB_NAME]
GO

Declare @UserName varchar (100) = 'username';

-- Permission applied to user (directly) -------------------------------------------------------------

select d.name, dp.* 
from sys.database_permissions as dp
       join sys.database_principals as d on dp.grantee_principal_id = d.principal_id
where d.name = (@UserName) --and dp.state = 'D'
order by d.principal_id

-- Permission applied to user (indirectly) -------------------------------------------------------------
select  dm.name as DB_UserName,
       sp.name as LoginName,
       dr.name as DB_RoleName,
       dp.[permission_name],
       dp.type,
       dp.state_desc
from sys.database_principals as dm  
       join sys.database_role_members as drm on dm.principal_id = drm.member_principal_id
       join sys.database_principals as dr on drm.role_principal_id = dr.principal_id
       left join sys.server_principals as sp on dm.sid = sp.sid
       left join sys.database_permissions as dp on dr.principal_id = dp.grantee_principal_id
Where (dm.name = @UserName or sp.name = @UserName) --and dr.name like 'db_deny%'
go

引用自:https://dba.stackexchange.com/questions/246874