主页 / dba / 问题 / 283166
Accepted
Avi
Asked: 2021-01-14 09:24:13 +0800 CST

拒绝对 [dbo] 架构上的角色的 DDL_ADMIN 权限

  • 772

我有几个数据库模式,如 [ext]、[stag] 等,当然还有内置的 [dbo] 模式,还有一个名为 [MyRole] 的角色。

我的计划是将 [MyRole] 添加到 DDL_ADMIN 角色,以便他们可以在所有模式中创建、更改、删​​除对象,但我希望阻止他们在 [dbo] 模式中完全这样做。

DDL_ADMIN 内置角色为其成员提供以下权限:

ALTER ANY ASSEMBLY                    
ALTER ANY ASYMMETRIC KEY              
ALTER ANY CERTIFICATE                 
ALTER ANY CONTRACT                    
ALTER ANY DATABASE DDL TRIGGER        
ALTER ANY DATABASE EVENT NOTIFICATION 
ALTER ANY DATASPACE                   
ALTER ANY FULLTEXT CATALOG            
ALTER ANY MESSAGE TYPE                
ALTER ANY REMOTE SERVICE BINDING      
ALTER ANY ROUTE                       
ALTER ANY SCHEMA                      
ALTER ANY SERVICE                     
ALTER ANY SYMMETRIC KEY               
CHECKPOINT                            
CREATE AGGREGATE                      
CREATE DEFAULT                        
CREATE FUNCTION                       
CREATE PROCEDURE                      
CREATE QUEUE                          
CREATE RULE                           
CREATE SYNONYM                        
CREATE TABLE                          
CREATE TYPE                           
CREATE VIEW                           
CREATE XML SCHEMA COLLECTION          
REFERENCES

由于 DENY 优先于 GRANT,因此我可以在[MyRole]的dbo模式上拒绝完全相同的权限。

它应该很简单:

DENY ALTER ANY ASSEMBLY                    ON SCHEMA::dbo TO MyRole
DENY ALTER ANY ASYMMETRIC KEY              ON SCHEMA::dbo TO MyRole
DENY ALTER ANY CERTIFICATE                 ON SCHEMA::dbo TO MyRole
DENY ALTER ANY CONTRACT                    ON SCHEMA::dbo TO MyRole
DENY ALTER ANY DATABASE DDL TRIGGER        ON SCHEMA::dbo TO MyRole
DENY ALTER ANY DATABASE EVENT NOTIFICATION ON SCHEMA::dbo TO MyRole
DENY ALTER ANY DATASPACE                   ON SCHEMA::dbo TO MyRole
DENY ALTER ANY FULLTEXT CATALOG            ON SCHEMA::dbo TO MyRole
DENY ALTER ANY MESSAGE TYPE                ON SCHEMA::dbo TO MyRole
DENY ALTER ANY REMOTE SERVICE BINDING      ON SCHEMA::dbo TO MyRole
DENY ALTER ANY ROUTE                       ON SCHEMA::dbo TO MyRole
DENY ALTER ANY SCHEMA                      ON SCHEMA::dbo TO MyRole
DENY ALTER ANY SERVICE                     ON SCHEMA::dbo TO MyRole
DENY ALTER ANY SYMMETRIC KEY               ON SCHEMA::dbo TO MyRole
DENY CHECKPOINT                            ON SCHEMA::dbo TO MyRole
DENY CREATE AGGREGATE                      ON SCHEMA::dbo TO MyRole
DENY CREATE DEFAULT                        ON SCHEMA::dbo TO MyRole
DENY CREATE FUNCTION                       ON SCHEMA::dbo TO MyRole
DENY CREATE PROCEDURE                      ON SCHEMA::dbo TO MyRole
DENY CREATE QUEUE                          ON SCHEMA::dbo TO MyRole
DENY CREATE RULE                           ON SCHEMA::dbo TO MyRole
DENY CREATE SYNONYM                        ON SCHEMA::dbo TO MyRole
DENY CREATE TABLE                          ON SCHEMA::dbo TO MyRole
DENY CREATE TYPE                           ON SCHEMA::dbo TO MyRole
DENY CREATE VIEW                           ON SCHEMA::dbo TO MyRole
DENY CREATE XML SCHEMA COLLECTION          ON SCHEMA::dbo TO MyRole
DENY REFERENCES                            ON SCHEMA::dbo TO MyRole
GO

SQL Server 对以上所有内容都说“DENY ALTER ...附近的语法不正确”。

我试图从 BOL 中拼出正确的语法,但只能想出:

DENY ALTER ON SCHEMA::dbo TO MyRole;

没有其他的。

拒绝 DDL_ADMIN 成员资格向 [MyRole] 成员提供的所有权限的最简单方法是什么,但仅限于 [dbo] SCHEMA?

谢谢!

sql-server t-sql

1 个回答

  1. Best Answer

    您尝试更改的某些权限在您尝试使用它们的方式中并不存在。

    例如,要拒绝CREATE TABLE和大多数其他 DDL 语句,对于特定模式,正确的语法和权限应该是DENY ALTER ON SCHEMA::dbo TO MyRole.

    这应该涵盖相当于 db_ddladmin 角色的权限。(我知道这有点不直观,但拒绝所有ALTER,就像我上面的例子一样,确实包括拒绝CREATE权限。)

    • 1

相关问题