用戶(hù)管理:SQL Server中通用數(shù)據(jù)庫(kù)角色權(quán)限的處理
時(shí)間:2024-03-12 20:33作者:下載吧人氣:39
前言
安全性是所有數(shù)據(jù)庫(kù)管理系統(tǒng)的一個(gè)重要特征。理解安全性問(wèn)題是理解數(shù)據(jù)庫(kù)管理系統(tǒng)安全性機(jī)制的前提。
最近和同事在做數(shù)據(jù)庫(kù)權(quán)限清理的事情,主要是刪除一些賬號(hào);取消一些賬號(hào)的較大的權(quán)限等,例如,有一些有db_owner權(quán)限,我們?nèi)∠~號(hào)的數(shù)據(jù)庫(kù)角色db_owner,授予最低要求的相關(guān)權(quán)限。但是這種工作完全是一個(gè)體力活,而且是吃力不討好,而且推進(jìn)很慢。另外,為了管理方便和細(xì)化,我們又在常用的數(shù)據(jù)庫(kù)角色外,新增了6個(gè)通用的數(shù)據(jù)庫(kù)角色。
如下截圖所示。
另外,為了減少授權(quán)工作量和一些重復(fù)的體力活,我們創(chuàng)建了一個(gè)作業(yè),每天定期執(zhí)行一個(gè)存儲(chǔ)過(guò)程db_common_role_grant_rigths,這個(gè)存儲(chǔ)過(guò)程的邏輯如下:
1:遍歷所有用戶(hù)數(shù)據(jù)庫(kù)(排除了系統(tǒng)數(shù)據(jù)庫(kù)以及一些特殊數(shù)據(jù)庫(kù)),發(fā)現(xiàn)該數(shù)據(jù)庫(kù)不存在這些通用數(shù)據(jù)庫(kù)角色,那么就創(chuàng)建相關(guān)數(shù)據(jù)庫(kù)角色。
2:遍歷所有用戶(hù)數(shù)據(jù)庫(kù),為相關(guān)數(shù)據(jù)庫(kù)角色授權(quán),例如,如果發(fā)現(xiàn)某個(gè)新增的存儲(chǔ)過(guò)程,沒(méi)有授權(quán)給db_procedure_execute數(shù)據(jù)庫(kù)角色。那么就執(zhí)行授權(quán)操作。
當(dāng)然目前還在測(cè)試、應(yīng)用階段,以后會(huì)根據(jù)具體相關(guān)需求,不斷完善相關(guān)功能。
–==================================================================================================================
— ScriptName : db_common_role_grant_rigths.sql
— Author : 瀟湘隱者
— CreateDate : 2018-09-13
— Description : 創(chuàng)建數(shù)據(jù)庫(kù)角色db_procedure_execute等,并授予相關(guān)權(quán)限給角色。
— Note :
/******************************************************************************************************************
Parameters : 參數(shù)說(shuō)明
********************************************************************************************************************
@RoleName : 角色名
********************************************************************************************************************
Modified Date Modified User Version Modified Reason
********************************************************************************************************************
2018-09-12 瀟湘隱者 V01.00.00 新建該腳本。
2018-09-12 瀟湘隱者 V01.00.01 注意@@ROWCOUNT的生效范圍;解決循環(huán)邏輯問(wèn)題。
2018-09-26 瀟湘隱者 V01.00.02 修正類(lèi)型為FT(CLR_TABLE_VALUED_FUNCTION)的函數(shù)問(wèn)題。程序集 (CLR) 表值函數(shù)
*******************************************************************************************************************/
–===================================================================================================================
USE YourSQLDba;
GO
IF EXISTS (SELECT 1 FROM sys.procedures WHERE type=’P’ AND name=’db_common_role_grant_rigths’)
BEGIN
DROP PROCEDURE Maint.db_common_role_grant_rigths;
END
GO
CREATE PROCEDURE Maint.db_common_role_grant_rigths
AS
BEGIN
DECLARE @database_id INT;
DECLARE @database_name sysname;
DECLARE @cmdText NVARCHAR(MAX);
DECLARE @prc_text NVARCHAR(MAX);
DECLARE @RowIndex INT;
IF OBJECT_ID(‘TempDB.dbo.#databases’) IS NOT NULL
DROP TABLE dbo.#databases;
CREATE TABLE #databases
(
database_id INT,
database_name sysname
)
IF OBJECT_ID(‘TempDB.dbo.#sql_text’) IS NOT NULL
DROP TABLE dbo.#sql_text;
CREATE TABLE #sql_text
(
sql_id INT IDENTITY(1,1),
sql_cmd NVARCHAR(MAX)
)
INSERT INTO #databases
SELECT database_id ,
name
FROM sys.databases
WHERE name NOT IN ( ‘master’, ‘tempdb’, ‘model’, ‘msdb’,
‘distribution’, ‘ReportServer’,
‘ReportServerTempDB’, ‘YourSQLDba’ )
AND state = 0; –state_desc=ONLINE
–開(kāi)始循環(huán)每一個(gè)用戶(hù)數(shù)據(jù)庫(kù)(排除了上面相關(guān)數(shù)據(jù)庫(kù))
WHILE 1= 1
BEGIN
SELECT TOP 1 @database_name= database_name
FROM #databases
ORDER BY database_id;
IF @@ROWCOUNT =0
BREAK;
–PRINT(@database_name);
— SP_EXECUTESQL 中切換數(shù)據(jù)庫(kù)不能當(dāng)參數(shù)傳入。
–創(chuàng)建數(shù)據(jù)庫(kù)角色db_procedure_execute
SET @cmdText = ‘USE ‘ + @database_name + ‘;’ +CHAR(10)
SELECT @cmdText += ‘IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name =”db_procedure_execute”)
BEGIN
CREATE ROLE [db_procedure_execute] AUTHORIZATION [dbo];
END ‘ + CHAR(10);
–創(chuàng)建數(shù)據(jù)庫(kù)角色db_function_execute
SELECT @cmdText += ‘IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name =”db_function_execute”)
BEGIN
CREATE ROLE [db_function_execute] AUTHORIZATION [dbo];
END’ + CHAR(10);
–創(chuàng)建數(shù)據(jù)庫(kù)角色db_view_table_definition
SELECT @cmdText += ‘IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name =”db_view_table_definition”)
BEGIN
CREATE ROLE [db_view_table_definition] AUTHORIZATION [dbo];
END ‘ + CHAR(10);
–創(chuàng)建數(shù)據(jù)庫(kù)角色db_view_view_definition
SELECT @cmdText += ‘IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name =”db_view_view_definition”)
BEGIN
CREATE ROLE [db_view_view_definition] AUTHORIZATION [dbo];
END ‘ + CHAR(10);
–創(chuàng)建數(shù)據(jù)庫(kù)角色db_view_procedure_definition
SELECT @cmdText += ‘IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name =”db_view_procedure_definition”)
BEGIN
CREATE ROLE [db_view_procedure_definition] AUTHORIZATION [dbo];
END ‘ + CHAR(10);
–創(chuàng)建數(shù)據(jù)庫(kù)角色db_view_function_definition
SELECT @cmdText += ‘IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name =”db_view_function_definition”)
BEGIN
CREATE ROLE [db_view_function_definition] AUTHORIZATION [dbo];
END ‘ + CHAR(10);
–PRINT @cmdText;
— EXECUTE SP_EXECUTESQL @cmdText;
EXECUTE (@cmdText);
–給角色db_procedure_execute授權(quán)
SET @cmdText =’USE ‘ + QUOTENAME(@database_name) + ‘;’
SET @cmdText +=’INSERT INTO #sql_text(sql_cmd)
SELECT ”GRANT EXECUTE ON ” + SCHEMA_NAME(schema_id) + ”.”
+ QUOTENAME(name) + ” TO db_procedure_execute;”
FROM sys.procedures s
WHERE NOT EXISTS ( SELECT 1
FROM sys.database_permissions p
WHERE p.major_id = s.object_id
AND p.grantee_principal_id = USER_ID(”db_procedure_execute”))’;
EXECUTE SP_EXECUTESQL @cmdText;
–給角色db_function_execute(標(biāo)量函數(shù)授權(quán))
SET @cmdText =’USE ‘ + QUOTENAME(@database_name) + ‘;’
SET @cmdText += ‘INSERT INTO #sql_text(sql_cmd)
SELECT ”GRANT EXEC ON ” + SCHEMA_NAME(schema_id) + ”.” + QUOTENAME(name) + ” TO db_function_execute; ”
FROM sys.all_objects s
WHERE SCHEMA_NAME(schema_id) NOT IN (”sys”, ”INFORMATION_SCHEMA”)
AND NOT EXISTS ( SELECT 1
FROM sys.database_permissions p
WHERE p.major_id = s.object_id
AND p.grantee_principal_id =USER_ID(”db_function_execute”) )
AND ( s.[type] = ”FN”
OR s.[type] = ”AF”
OR s.[type] = ”FS”
–OR s.[type] = ”FT”
) ;’
EXECUTE SP_EXECUTESQL @cmdText;
–給角色db_function_execute(表值函數(shù)授權(quán))
SET @cmdText =’USE ‘ + @database_name + ‘;’
SET @cmdText += ‘INSERT INTO #sql_text(sql_cmd)
SELECT ”GRANT SELECT ON ” + SCHEMA_NAME(schema_id) + ”.” + QUOTENAME(name) + ” TO db_function_execute;”
FROM sys.all_objects s
WHERE SCHEMA_NAME(schema_id) NOT IN (”sys”, ”INFORMATION_SCHEMA”)
AND NOT EXISTS ( SELECT 1
FROM sys.database_permissions p
WHERE p.major_id = s.object_id
AND p.grantee_principal_id = USER_ID(”db_function_execute”))
AND ( s.[type] = ”TF”
OR s.[type] = ”IF”
) ; ‘
EXECUTE SP_EXECUTESQL @cmdText;
–查看存儲(chǔ)過(guò)程定義授權(quán)
SET @cmdText =’USE ‘ + @database_name + ‘;’
SET @cmdText +=’ INSERT INTO #sql_text(sql_cmd)
SELECT ”GRANT VIEW DEFINITION ON ” + SCHEMA_NAME(schema_id) + ”.”
+ QUOTENAME(name) + ” TO db_view_procedure_definition;”
FROM sys.procedures s
WHERE NOT EXISTS ( SELECT 1
FROM sys.database_permissions p
WHERE p.major_id = s.object_id
AND p.grantee_principal_id = USER_ID(”db_view_procedure_definition”))’
EXECUTE(@cmdText);
–查看函數(shù)定義的授權(quán)
SET @cmdText =’USE ‘ + @database_name + ‘;’
SELECT @cmdText += ‘INSERT INTO #sql_text(sql_cmd)
SELECT ”GRANT VIEW DEFINITION ON ” + SCHEMA_NAME(schema_id) + ”.”
+ QUOTENAME(name) + ” TO db_view_function_definition;”
FROM sys.objects s
WHERE type_desc IN (”SQL_SCALAR_FUNCTION”, ”SQL_TABLE_VALUED_FUNCTION”,
”AGGREGATE_FUNCTION” )
AND NOT EXISTS ( SELECT 1
FROM sys.database_permissions p
WHERE p.major_id = s.object_id
AND p.grantee_principal_id = USER_ID(”db_view_function_definition”))’;
EXECUTE SP_EXECUTESQL @cmdText;
–查看表定義的授權(quán)
SET @cmdText =’USE ‘ + @database_name + ‘;’
SET @cmdText +=’INSERT INTO #sql_text(sql_cmd)
SELECT ”GRANT VIEW DEFINITION ON ” + SCHEMA_NAME(schema_id) + ”.”
+ QUOTENAME(name) + ” TO db_view_table_definition ;”
FROM sys.tables s
WHERE NOT EXISTS ( SELECT 1
FROM sys.database_permissions p
WHERE p.major_id = s.object_id
AND p.grantee_principal_id = USER_ID(”db_view_table_definition”))’;
EXECUTE SP_EXECUTESQL @cmdText;
–查看視圖定義的授權(quán)
SET @cmdText =’USE ‘ + @database_name + ‘;’
SET @cmdText +=’INSERT INTO #sql_text(sql_cmd)
SELECT ”GRANT VIEW DEFINITION ON ” + SCHEMA_NAME(schema_id) + ”.”
+ QUOTENAME(name) + ” TO db_view_view_definition; ”
FROM sys.views s
WHERE NOT EXISTS ( SELECT 1
FROM sys.database_permissions p
WHERE p.major_id = s.object_id
AND p.grantee_principal_id = USER_ID(”db_view_view_definition”))’;
EXECUTE SP_EXECUTESQL @cmdText;
WHILE 1= 1
BEGIN
SELECT TOP 1 @RowIndex=sql_id, @cmdText = ‘USE ‘ + @database_name + ‘; ‘+ sql_cmd FROM #sql_text ORDER BY sql_id;
IF @@ROWCOUNT =0
BREAK;
PRINT(@cmdText);
EXECUTE(@cmdText);
DELETE FROM #sql_text WHERE sql_id =@RowIndex
END
DELETE FROM #databases WHERE database_name=@database_name;
END
DROP TABLE #databases;
DROP TABLE #sql_text;
END
相關(guān)推薦
- SQLServer2019數(shù)據(jù)庫(kù)如何配置端口號(hào)
- 深入了解PostgreSQL數(shù)據(jù)類(lèi)型:解決您的數(shù)據(jù)庫(kù)存儲(chǔ)難題(postgresql數(shù)據(jù)類(lèi)型)
- 社區(qū)MongoDB實(shí)戰(zhàn):在圖靈社區(qū)打造數(shù)據(jù)庫(kù)創(chuàng)新力量(mongodb實(shí)戰(zhàn)圖靈)
- 關(guān)于數(shù)據(jù)庫(kù)初始化及數(shù)據(jù)庫(kù)服務(wù)端操作詳解
- PostgreSQL登錄:體驗(yàn)自由融洽的數(shù)據(jù)庫(kù)訪問(wèn)(postgresql登陸)
- Postgresql數(shù)據(jù)庫(kù)備份實(shí)踐:簡(jiǎn)單而又必要(postgresql數(shù)據(jù)庫(kù)備份)
- SQL開(kāi)發(fā)知識(shí):Sql Server數(shù)據(jù)庫(kù)常用Transact-SQL腳本
- SQL開(kāi)發(fā)知識(shí):淺談sqlserver下float的不確定性
- SQL開(kāi)發(fā)知識(shí):SQLServer查詢(xún)某個(gè)時(shí)間段內(nèi)購(gòu)買(mǎi)過(guò)商品的用戶(hù)
- SQL開(kāi)發(fā)知識(shí):sqlserver實(shí)現(xiàn)樹(shù)形結(jié)構(gòu)遞歸查詢(xún)的方法
相關(guān)下載
熱門(mén)閱覽
- 1SQL開(kāi)發(fā)知識(shí):MyBatis SQL xml處理小于號(hào)與大于號(hào)正確的格式
- 2SQL基礎(chǔ):SQLServer2019 數(shù)據(jù)庫(kù)的基本使用之圖形化界面操作的實(shí)現(xiàn)
- 3SQL基礎(chǔ):SQL?Server的全文搜索功能
- 4數(shù)據(jù)庫(kù)恢復(fù)之 delete誤刪數(shù)據(jù)使用SCN號(hào)恢復(fù)的詳細(xì)方希
- 5一文教你SQL Server2012的數(shù)據(jù)庫(kù)備份和還原的教程
- 6SQL開(kāi)發(fā)知識(shí):SQL Server執(zhí)行動(dòng)態(tài)SQL的正確方法
- 7SQL開(kāi)發(fā)知識(shí):SQL中Truncate的用法
- 8SQL異常:教你sqlserver連接錯(cuò)誤之SQL評(píng)估期已過(guò)的問(wèn)題解決方法
- 9SQL開(kāi)發(fā)知識(shí):SQL Server數(shù)據(jù)庫(kù)查找表名或列名中包含空格的表和列
- 10SQL開(kāi)發(fā)知識(shí):關(guān)于SQL Server數(shù)據(jù)庫(kù)觸發(fā)器詳解
- 11Navicat 如何連接SQLServer數(shù)據(jù)庫(kù)詳細(xì)步驟截圖
- 12數(shù)據(jù)安全:SQL Server2019數(shù)據(jù)庫(kù)備份與還原腳本(批量備份)
最新排行
- 1SQL開(kāi)發(fā)知識(shí):SQL注入工具
- 2SQL開(kāi)發(fā)知識(shí):SQL 在自增列插入指定數(shù)據(jù)的操作方法
- 3Sql Server2012數(shù)據(jù)庫(kù)使用IP登錄服務(wù)器的配置教程
- 4SQL開(kāi)發(fā)知識(shí):Navicat導(dǎo)出.sql文件方法
- 5SQL開(kāi)發(fā)知識(shí):SQL Server表和索引存儲(chǔ)結(jié)構(gòu)
- 6SQL開(kāi)發(fā)知識(shí):Sql注入原理簡(jiǎn)介
- 7SQL開(kāi)發(fā)知識(shí):SQL Server Management Studio(SSMS)復(fù)制數(shù)據(jù)庫(kù)的方法
- 8SQL開(kāi)發(fā)知識(shí):SQL Server執(zhí)行動(dòng)態(tài)SQL的正確方法
- 9SQL開(kāi)發(fā)知識(shí):SQL Server Parameter Sniffing及其改進(jìn)方法
- 10SQL開(kāi)發(fā)知識(shí):sql server2008調(diào)試存儲(chǔ)過(guò)程的步驟
- 11SQL開(kāi)發(fā)知識(shí):SQL Server非動(dòng)態(tài) SQL語(yǔ)句來(lái)對(duì)動(dòng)態(tài)查詢(xún)進(jìn)行執(zhí)行
- 12一文帶你詳解SQL Server 2016數(shù)據(jù)庫(kù)快照代理過(guò)程
網(wǎng)友評(píng)論