主页 / dba / 问题 / 246874
Accepted
Mickael
Asked: 2019-09-04 07:14:03 +0800 CST

SQL Server 登录在创建时会在数据库上获得不需要的高权限

  • 772

我们需要创建一个只能选择 4 个特定表的新用户。为此,我们创建登录名并将其映射到所需的数据库:

USE [master]
GO
CREATE LOGIN [pos] WITH PASSWORD=N'XXXX', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF
GO

USE [TARGETED_DB_NAME]
GO
CREATE USER [pos] FOR LOGIN [pos]
GO

之后,用户可以执行任何 DML 语句,而他除了公共角色之外没有其他权限。我们检查了公共角色权限、服务器权限等,但找不到用户可以看到数据库所有表的原因。

当我们在同一实例的另一个数据库上创建用户时,问题不存在。

知道为什么登录 pos 会获得这样的特权吗?

sql-server-2012 permissions

1 个回答

  1. Best Answer

    以下查询将有助于深入了解特定用户直接间接获得的权限,根据结果,您可以分析/识别问题的原因。

    USE [TARGETED_DB_NAME]
GO

Declare @UserName varchar (100) = 'username';

-- Permission applied to user (directly) -------------------------------------------------------------

select d.name, dp.* 
from sys.database_permissions as dp
        join sys.database_principals as d on dp.grantee_principal_id = d.principal_id
where d.name = (@UserName) --and dp.state = 'D'
order by d.principal_id

-- Permission applied to user (indirectly) -------------------------------------------------------------
select  dm.name as DB_UserName,
        sp.name as LoginName,
        dr.name as DB_RoleName,
        dp.[permission_name],
        dp.type,
        dp.state_desc
from sys.database_principals as dm  
        join sys.database_role_members as drm on dm.principal_id = drm.member_principal_id
        join sys.database_principals as dr on drm.role_principal_id = dr.principal_id
        left join sys.server_principals as sp on dm.sid = sp.sid
        left join sys.database_permissions as dp on dr.principal_id = dp.grantee_principal_id
Where (dm.name = @UserName or sp.name = @UserName) --and dr.name like 'db_deny%'
go
    • 0

相关问题