Pro*_*eur 4 sql-server-2008 access-control sql-server-2008-r2 users
我们有一个 SQL Server 2008 数据库,并且限制了所有表和视图远离特定用户 ID。多年来,我们根据用户需要一次授予一个表和视图。
我们必须这样做,因为供应商提供public了开箱即用的角色的读/写访问权限,因此我们必须为此用户创建一个角色,删除所有访问权限并仅授予他们需要的权限。
今天我们将创建一个仅包含这些表和视图的复制数据库,以便用户可以在不降低生产系统的情况下运行报告。问题是我不确定该用户可以访问哪些表和视图,因为多年来许多人一次授予访问权限。
是否有查询来检查此用户的访问权限?
PS 我是一名应用程序开发人员,所以请根据需要随意解释这一点。
编辑 - 最初如何创建角色和访问权限
------------------------------
-- CREATE ROLE db_finrep_deny
------------------------------
DECLARE @RoleName sysname
set @RoleName = N'db_finrep_deny'
IF EXISTS (SELECT * FROM sys.database_principals WHERE name = @RoleName AND type = 'R')
Begin
DECLARE @RoleMemberName sysname
DECLARE Member_Cursor CURSOR FOR
select [name]
from sys.database_principals
where principal_id in (
select member_principal_id
from sys.database_role_members
where role_principal_id in (
select principal_id
FROM sys.database_principals where [name] = @RoleName AND type = 'R' ))
OPEN Member_Cursor;
FETCH NEXT FROM Member_Cursor
into @RoleMemberName
WHILE @@FETCH_STATUS = 0
BEGIN
exec sp_droprolemember @rolename=@RoleName, @membername= @RoleMemberName
FETCH NEXT FROM Member_Cursor
into @RoleMemberName
END;
CLOSE Member_Cursor;
DEALLOCATE Member_Cursor;
End
GO
-- dropping the role itself
IF EXISTS (SELECT * FROM sys.database_principals WHERE name = N'db_finrep_deny' AND type = 'R')
DROP ROLE [db_finrep_deny]
GO
------------------------------
-- Grant access (read/write/select/upd) to only select tables
------------------------------
CREATE ROLE [db_finrep_deny]
AUTHORIZATION [dbo]
GO
exec sp_addrolemember 'db_finrep_deny', 'finrep'
GO
-- run the dynamic sql generated by this statement
select 'DENY SELECT, INSERT, UPDATE, DELETE ON '
+ ss.name
+ '.'
+ st.name
+ ' TO db_finrep_deny;'
from sys.tables st
inner join sys.schemas ss on st.schema_id=ss.schema_id
where st.name not in ('TABLE1','TABLE2','TABLE3','TABLE4')
order by ss.name, st.name;
grant select on dbo.vwFINMASTER to db_finrep_deny;
Aaron - 这是我运行查询时得到的结果,它只显示视图,但不显示表
(No column name) name permission_name
dbo dtproperties REFERENCES
dbo vwFINMASTER SELECT
dbo vwLEDGERVIEW SELECT
您可以使用该功能fn_my_permissions并模拟用户以查看他们有权访问哪些对象。您可能希望将类型扩展为过程和各种类型的函数......
USE Your_Database;
GO
EXECUTE AS USER = N'the_user_name';
GO
SELECT
s.name,
o.name,
p.[permission_name]
FROM sys.objects AS o
INNER JOIN sys.schemas AS s
ON o.[schema_id] = s.[schema_id]
CROSS APPLY sys.fn_my_permissions(QUOTENAME(s.name)
+ N'.' + QUOTENAME(o.name), N'OBJECT') AS p
WHERE o.[type] IN (N'U', N'V') -- tables and views
AND p.subentity_name = N''; -- ignore column permissions
GO
REVERT;
仅在兼容级别 100+ 上测试;您可能需要在较旧的兼容模式中稍微不同地构造它(请参阅此处的第一个示例)。
由于您的实际角色已通过授权获得了一系列对表的隐式访问权限,请尝试:
-- all the tables and views in the system
SELECT
schemaName = s.name,
objectName = o.name,
o.[object_id]
FROM sys.objects AS o
INNER JOIN sys.schemas AS s
ON o.[schema_id] = s.[schema_id]
WHERE type IN (N'U',N'V')
AND NOT EXISTS
(
-- except those that have been *explicitly* denied
SELECT 1
FROM sys.database_permissions AS p
WHERE p.class = 1
AND p.state_desc = N'DENY'
AND p.major_id = o.[object_id]
AND p.grantee_principal_id IN (USER_ID(N'db_finrep_deny'),USER_ID(N'finrep'))
);