仅创建过程权限 [英] Create Procedure Permission ONLY
问题描述
我在开发数据库中有 SQL Server 2008 的需求
I have a requirement in SQL Server 2008 in development database
- 只有 DBA(他们是数据库所有者)才能创建、更改表.开发人员不应创建或更改表.
- 开发人员可以创建/更改存储过程/用户定义的函数在 dbo 架构中,并且可以执行 SP/UDF.
- 开发人员应该对表有 SELECT、INSERT、DELETE、UPDATE(dbo 模式中的表
如何使用 GRANT 语句实现这一点
How to achieve this using GRANT statement
从 Google 找到了一个示例解决方案,但仍有问题
Found a sample solution from Google, but still have issue
CREATE LOGIN testdev WITH PASSWORD = 'sldkjlkjlkj 987kj//'
CREATE USER testdev
GRANT ALTER ON SCHEMA::dbo TO testdev
GRANT CREATE PROCEDURE TO testdev
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO testdev
CREATE TABLE mysig (a int NOT NULL)
EXECUTE AS USER = 'testdev'
go
CREATE PROCEDURE slaskis AS PRINT 12
go
CREATE TABLE hoppsan(a int NOT NULL) -- FAILS!
go
INSERT mysig (a) VALUES(123)
go
REVERT
go
DROP PROCEDURE slaskis
DROP TABLE mysig
DROP USER testdev
DROP LOGIN testdev
上面的语法可以阻止开发者创建表,但不能阻止开发者使用 SSMS 设计和改变表.
The syntax above able to block developer to create table but cant block developer to use SSMS design and alter the table.
谢谢.
推荐答案
首先,我会使用角色而不是直接向用户授予访问权限.你可能已经这样做了,但我想我会提到它.
First of all I would use Roles instead of granting access directly to users. You may be already doing this, but I thought I would mention it.
好的,这里的问题是将 ALTER 授予架构意味着被授予者对架构中的所有对象类型具有 ALTER 访问权限.不幸的是,据我所知,没有办法授予特定对象类型的权限,所以要么全有要么全无.相反,您不能将 ALTER 授予所有对象,然后拒绝特定对象类型的 ALTER.
Okay, the problem here is granting ALTER to the Schema means that the grantee has ALTER access to all object types in the schema. Unfortunately, as far as I know, there is no way to grant permissions to specific object types so it is all or nothing. Conversely, you cannot grant ALTER to all objects and then deny ALTER to specific object types.
我发现这样做的唯一方法是将 ALTER 授予架构,然后使用 DDL 触发器来控制角色可以做什么.
The only way I have found to do this is to grant ALTER to the schema and then used a DDL Trigger to control what the role can do.
这是您的示例的更新版本,演示了该原理:
Here is an updated version of your example demonstrating the principle:
--** Create a Developer Role
CREATE ROLE [Developer] AUTHORIZATION db_securityadmin;
GO
--** Grant view and execute on all SPs to Devloper
--GRANT VIEW DEFINITION ON SCHEMA::dbo TO [Developer];
GRANT CREATE PROCEDURE TO [Developer];
GRANT SELECT, INSERT, UPDATE, DELETE, ALTER, EXECUTE, VIEW DEFINITION ON SCHEMA::dbo TO [Developer]
--** Create user and login for testdev and add to the Developer role
CREATE LOGIN testdev WITH PASSWORD = 'sldkjlkjlkj987kj'
CREATE USER testdev
EXEC sp_addrolemember @rolename = 'Developer', @membername = 'testdev';
GO
--** Create DDL trigger to deny drop and alter to the Developer role
CREATE TRIGGER tr_db_DenyDropAlterTable_Dev
ON DATABASE
FOR DROP_TABLE, ALTER_TABLE
AS
BEGIN
IF IS_MEMBER('Developer') = 1
BEGIN
PRINT 'You are not authorized to alter or drop a table.';
ROLLBACK TRAN;
END;
END;
GO
--** Testing
CREATE TABLE mysig (a int NOT NULL) ;
EXECUTE AS USER = 'testdev';
GO
CREATE PROCEDURE slaskis AS PRINT 12;
GO
CREATE TABLE hoppsan(a int NOT NULL); -- FAILS!
GO
INSERT mysig (a) VALUES(123);
GO
ALTER TABLE mysig ADD test INT; --** This will fail too
GO
REVERT;
GO
DROP PROCEDURE slaskis ;
DROP TABLE mysig ;
DROP USER testdev;
DROP LOGIN testdev;
DROP ROLE [Developer];
DROP TRIGGER tr_db_DenyDropAlterTable_Dev on DATABASE;
这篇关于仅创建过程权限的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
