How to map MULTIPLE ActiveDirectory Groups to SQL Logins?
Question
Situation:
- A Windows user is a member of multiple AD groups.
- Every AD group is mapped to a SQL Server login.
- Every SQL login is mapped to a database user.
- Every database user has specific roles.
Question:
Is it possible that a Windows user logs into SQL Server (using WinAuth) and gets all the roles he could get due to his membership in multiple AD groups?
Answer
Yes. A user's permissions on an object are the union of all permission paths s/he qualifies for (including any DENY permissions). A quick way to verify is by using the sys.user_token and sys.login_token views as well as the sys.fn_my_permissions function. From an administrative perspective, these work especially well because they are accurate under impersonation (i.e. execute as login = 'yourDomain\someUser').
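The following T-SQL is an added example, not part of the original answer, showing the setup the question describes and the verification the answer recommends. The domain CORP, the groups App_Readers and App_Deployers, the user CORP\jdoe (assumed to be a member of both groups), the database AppDb and the table dbo.Orders are all placeholder names.

```sql
-- Added example (not from the original answer). Placeholder names:
-- AD groups CORP\App_Readers and CORP\App_Deployers, database AppDb,
-- Windows user CORP\jdoe who is a member of both groups.
USE master;
GO
CREATE LOGIN [CORP\App_Readers]   FROM WINDOWS;
CREATE LOGIN [CORP\App_Deployers] FROM WINDOWS;
GO
USE AppDb;
GO
CREATE TABLE dbo.Orders (Id int NOT NULL PRIMARY KEY);

-- One database user per group login, each with its own role membership.
CREATE USER [CORP\App_Readers]   FOR LOGIN [CORP\App_Readers];
CREATE USER [CORP\App_Deployers] FOR LOGIN [CORP\App_Deployers];
ALTER ROLE db_datareader ADD MEMBER [CORP\App_Readers];
ALTER ROLE db_ddladmin   ADD MEMBER [CORP\App_Deployers];

-- A DENY reached through any one group still applies to the user, because
-- DENY overrides GRANTs that arrive through other group memberships.
DENY DELETE ON SCHEMA::dbo TO [CORP\App_Readers];
GO

-- Verification under impersonation (run as sysadmin or with IMPERSONATE ANY
-- LOGIN). The token built for CORP\jdoe contains every group login that
-- matched, so the result is the union of all permission paths.
EXECUTE AS LOGIN = 'CORP\jdoe';

-- Server-level principals that make up the session: the user SID plus each
-- Windows group that has a login, with usage GRANT OR DENY / DENY ONLY.
SELECT name, type, usage FROM sys.login_token;

-- Database users and roles the session holds through those group logins.
SELECT name, type, usage FROM sys.user_token;

-- Effective permissions, i.e. the union across groups minus anything denied.
SELECT permission_name
FROM sys.fn_my_permissions(NULL, 'DATABASE')
ORDER BY permission_name;

SELECT permission_name
FROM sys.fn_my_permissions('dbo.Orders', 'OBJECT')
ORDER BY permission_name;

REVERT;
GO
```

EXECUTE AS LOGIN with a Windows account that has no explicit login of its own still works, provided the instance can resolve the account against the domain to enumerate its group memberships; the resulting sys.login_token rows are the quickest way to confirm which group logins actually contributed to the session.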