Mik*_*ike 6 sql sql-server permissions stored-procedures ownership
Database user A should only be able to access specific data. This data is currently provided by view B.VIEW1, which selects from tables owned by schemas B and C.
CREATE VIEW [B].[VIEW1] AS SELECT * FROM [B].[VIEW2], [C].[VIEW1]
Because C.VIEW1 is not owned by B, the ownership-chaining rules apply.
This means that although A has been granted SELECT permission on B.VIEW1, it cannot select from it.
SELECT permission denied on object 'C.VIEW1', database '...', schema '...'.
Is a stored procedure B.PROC1 with the EXECUTE AS OWNER clause a valid replacement for B.VIEW1 in terms of security?
CREATE PROC [B].[PROC1] WITH EXECUTE AS OWNER AS BEGIN SELECT * FROM [B].[VIEW2], [C].[VIEW1] END
Or are there negative side effects that could cause any security problems?
From a security standpoint, this seems like a good way to prevent access to the underlying tables.
The downside is that you cannot filter the result set produced by a stored procedure with WHERE, GROUP BY or similar clauses.
But this is not so tragic if you define static constraints in the underlying view, or "dynamic" constraints through the stored procedure's input parameters.
1) Static constraints in the underlying view
CREATE VIEW [B].[VIEW3] AS SELECT * FROM [B].[VIEW2], [C].[VIEW1] WHERE [X]='Something' AND [Y] = GETDATE()
CREATE PROC [B].[PROC1] WITH EXECUTE AS OWNER AS BEGIN SELECT * FROM [B].[VIEW3] END
2) Dynamic constraints through input parameters
CREATE PROC [B].[PROC1] (@X varchar(30), @Y DATETIME) WITH EXECUTE AS OWNER AS BEGIN SELECT * FROM [B].[VIEW2], [C].[VIEW1] WHERE [X]=@X AND [Y]=@Y END
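A runnable T-SQL walkthrough, added here and not part of the question or the answer, that reproduces the broken ownership chain and then shows the EXECUTE AS OWNER procedure handing A the result set while A still holds no permission on C.VIEW1. The three database users without logins, the base tables T1 and their columns are assumptions made for the demo.

```sql
-- Constructed demo: database users without logins stand in for A, B and C,
-- and the base tables T1 and their columns are assumptions.
CREATE USER A WITHOUT LOGIN; CREATE USER B WITHOUT LOGIN; CREATE USER C WITHOUT LOGIN;
GO
CREATE SCHEMA B AUTHORIZATION B;   -- schema owner = user B, so EXECUTE AS OWNER means B
GO
CREATE SCHEMA C AUTHORIZATION C;
GO
CREATE TABLE B.T1 (X varchar(30), Y date);
CREATE TABLE C.T1 (Z int);
INSERT INTO B.T1 VALUES ('Something', CAST(GETDATE() AS date));
INSERT INTO C.T1 VALUES (1);
GO
CREATE VIEW B.VIEW2 AS SELECT X, Y FROM B.T1;
GO
CREATE VIEW C.VIEW1 AS SELECT Z FROM C.T1;
GO
CREATE VIEW B.VIEW1 AS SELECT * FROM B.VIEW2, C.VIEW1;   -- crosses into schema C
GO
GRANT SELECT ON B.VIEW1 TO A;   -- A gets the view only, never C.VIEW1
GRANT SELECT ON C.VIEW1 TO B;   -- the procedure's owner needs this for the proc to work
GO
-- 1) Broken chain: B.VIEW1 -> C.VIEW1 changes owner, so A's own rights on C.VIEW1 are checked
EXECUTE AS USER = 'A';
BEGIN TRY
    SELECT * FROM B.VIEW1;
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS err, ERROR_MESSAGE() AS msg;   -- 229, SELECT permission denied
END CATCH;
REVERT;
GO
-- 2) Procedure body runs as its owner (B); A only needs EXECUTE on the procedure
CREATE PROC B.PROC1 (@X varchar(30))
WITH EXECUTE AS OWNER
AS
BEGIN
    SET NOCOUNT ON;
    SELECT * FROM B.VIEW2, C.VIEW1 WHERE X = @X;   -- parameter, not dynamic SQL
END;
GO
GRANT EXECUTE ON B.PROC1 TO A;
GO
EXECUTE AS USER = 'A';
EXEC B.PROC1 @X = 'Something';   -- succeeds: B's permissions were used inside
SELECT USER_NAME();              -- 'A' again: the impersonation ends with the procedure
REVERT;
```

Whoever owns schema B is the identity the body runs under, so if that schema is owned by dbo the procedure effectively runs as dbo; keep the body a fixed, parameterised query rather than building SQL from @X.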