Sql-Server

Database permissions

  • March 22, 2019

I created a login named TestUser at the server level and assigned it to a read-only role; now I need to create a user for the TestUser login on MyDb

USE [MyDB]
GO
CREATE USER [Test] FOR LOGIN [TestUser]
GO
GRANT SELECT TO [Test]
GO
DENY DELETE TO [Test]
GO
DENY INSERT TO [Test]
GO
DENY UPDATE TO [Test]
GO

Everything works fine, but when I script out the creation of the Test user, I cannot see anywhere the script that grants select and denies insert, delete and update

I created a login named TestUser at the server level and assigned it to a read-only role

There is no fixed server role that could be called a "read-only role".

Perhaps your @@version >= 2014 and you granted select all user securables to your login?

If so, this server-level permission can be seen this way:

select class_desc, permission_name, state_desc
from sys.server_permissions
where suser_name(grantee_principal_id) = 'Test';
---------------------------------------------------
--class_desc    permission_name state_desc
--SERVER    CONNECT SQL GRANT
--SERVER    SELECT ALL USER SECURABLES  GRANT

Then you did some unnecessary grant/deny that you should not do. When you map your login with select all user securables, that user already has access to any data in that database, so the additional SELECT permission is not needed.

There is also no need to deny the other rights, because a newly created user does not have any of these permissions

But if you want to check whether they are granted/denied, you should select from sys.database_permissions like this:

select class_desc, permission_name, state_desc
from sys.database_permissions
where user_name(grantee_principal_id) = 'Test';
---------------------------------------------------
--class_desc    permission_name state_desc
--DATABASE  CONNECT GRANT
--DATABASE  DELETE  DENY
--DATABASE  INSERT  DENY
--DATABASE  SELECT  GRANT
--DATABASE  UPDATE  DENY

You can script server level permissions as well as database level permissions using sys.server_permissions / sys.database_permissions; in your simple case, where the securable is the database, the script can look like this:

-- one GRANT/DENY statement per row; CONNECT is left out because CREATE USER grants it anyway
select state_desc +'  ' + permission_name + ' to Test'
from sys.database_permissions
where user_name(grantee_principal_id) = 'Test'
     and permission_name <> 'connect';

Here is the complete script for testing:

create login Test with password = '*****', check_policy = off;
grant select all user securables to Test;

select class_desc, permission_name, state_desc
from sys.server_permissions
where suser_name(grantee_principal_id) = 'Test';
---------------------------------------------------
--class_desc    permission_name state_desc
--SERVER    CONNECT SQL GRANT
--SERVER    SELECT ALL USER SECURABLES  GRANT

use MyDB;
create user Test from login Test;

select class_desc, permission_name, state_desc
from sys.database_permissions
where user_name(grantee_principal_id) = 'Test';
---------------------------------------------------
--class_desc    permission_name state_desc
--DATABASE  CONNECT GRANT

GRANT SELECT TO [Test]
GO
DENY DELETE TO [Test]
GO
DENY INSERT TO [Test]
GO
DENY UPDATE TO [Test]
GO

select class_desc, permission_name, state_desc
from sys.database_permissions
where user_name(grantee_principal_id) = 'Test';
---------------------------------------------------
--class_desc    permission_name state_desc
--DATABASE  CONNECT GRANT
--DATABASE  DELETE  DENY
--DATABASE  INSERT  DENY
--DATABASE  SELECT  GRANT
--DATABASE  UPDATE  DENY

select state_desc +'  ' + permission_name + ' to Test'
from sys.database_permissions
where user_name(grantee_principal_id) = 'Test'
     and permission_name <> 'connect';
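The scripting query in the answer only handles permissions granted at DATABASE scope (class 0). The following is an added example, not code from the original answer, that generalizes it: it emits one valid GRANT/DENY statement per row for database-, object-, column- and schema-scoped permissions (including WITH GRANT OPTION), and then lists the login's effective rights in the database, so that rights inherited from server-level permissions such as SELECT ALL USER SECURABLES are visible rather than only the explicit grants. It assumes you are connected to MyDB, that the database user and the login are both named Test as in the answer's test script, and that the caller holds IMPERSONATE on the login (sysadmin does). Permission classes other than DATABASE, OBJECT_OR_COLUMN and SCHEMA are emitted with an inline comment so they are not silently skipped.

```sql
-- Added example (not the original answer's code). Run while connected to MyDB.
-- Assumed names: database user [Test] mapped to login [Test], as in the answer.
DECLARE @principal sysname = N'Test';

-- 1) One GRANT/DENY statement per row, with the securable spelled out.
--    dp.state: G = GRANT, D = DENY, W = GRANT WITH GRANT OPTION, R = REVOKE.
--    RTRIM guards against trailing padding on permission_name.
SELECT
    CASE dp.state WHEN 'W' THEN 'GRANT' ELSE dp.state_desc END
    + ' ' + RTRIM(dp.permission_name)
    -- column-level permission: the column list goes right after the permission name
    + CASE WHEN dp.class = 1 AND dp.minor_id > 0
           THEN ' (' + QUOTENAME(c.name) + ')' ELSE '' END
    + CASE dp.class
          WHEN 0 THEN ''                                    -- DATABASE: no ON clause
          WHEN 1 THEN ' ON OBJECT::' + QUOTENAME(OBJECT_SCHEMA_NAME(dp.major_id))
                      + '.' + QUOTENAME(OBJECT_NAME(dp.major_id))
          WHEN 3 THEN ' ON SCHEMA::' + QUOTENAME(SCHEMA_NAME(dp.major_id))
          ELSE ' /* ' + dp.class_desc + ' major_id=' + CAST(dp.major_id AS varchar(10))
               + ': script by hand */'                      -- other classes not handled here
      END
    + ' TO ' + QUOTENAME(pr.name)
    + CASE dp.state WHEN 'W' THEN ' WITH GRANT OPTION' ELSE '' END
    + ';' AS permission_script
FROM sys.database_permissions AS dp
JOIN sys.database_principals AS pr
    ON pr.principal_id = dp.grantee_principal_id
LEFT JOIN sys.columns AS c
    ON dp.class = 1 AND c.object_id = dp.major_id AND c.column_id = dp.minor_id
WHERE pr.name = @principal
  -- CONNECT is granted by CREATE USER itself, so it is not part of the script
  AND NOT (dp.class = 0 AND RTRIM(dp.permission_name) = 'CONNECT')
ORDER BY dp.class, dp.major_id, dp.minor_id, dp.permission_name;

-- 2) Effective rights, not only what was explicitly granted: impersonate the
--    login (full server context, so server-level permissions such as
--    SELECT ALL USER SECURABLES count) and list what it can do in the current
--    database. Requires IMPERSONATE on the login.
EXECUTE AS LOGIN = N'Test';
SELECT entity_name, subentity_name, permission_name
FROM sys.fn_my_permissions(NULL, 'DATABASE')
ORDER BY permission_name;
REVERT;
```

Compare the two result sets: the first is what you would put in a deployment script, the second is what the login can actually do. If the second shows SELECT on the database while the first contains no GRANT SELECT, the access comes from the login's server-level permission, which is exactly the situation the answer describes.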

Source: https://dba.stackexchange.com/questions/232788