背景
我有一个具有以下权限的 SQL 用户:
GRANT CREATE SEQUENCE ON SCHEMA::seq TO SequenceCreator
GO
我希望能够让这个用户创建一个它拥有的序列。但是当我运行以下命令时:
EXECUTE AS USER = 'SequenceCreator'
CREATE SEQUENCE seq.Testing START WITH 1 INCREMENT BY 1 NO CACHE
REVERT
所有者是dbo,继承自架构。如以下查询所示:
;with objects_cte as
( select o.name, o.type_desc,
case
when o.principal_id is null then s.principal_id
else o.principal_id
end as principal_id
from sys.objects o
INNER join sys.schemas s
ON o.schema_id = s.schema_id )
select cte.name, dp.name AS owner
from objects_cte cte
JOIN sys.database_principals dp
ON cte.principal_id = dp.principal_id
WHERE cte.name = 'Testing'
结果:
name name
Testing dbo
但是当我(as dbo)运行这个时:
ALTER AUTHORIZATION ON seq.[Test--Things] TO SequenceCreator
然后该查询的结果变为:
name owner
Testing SequenceCreator
但是如果我放弃序列并运行它:
EXECUTE AS USER = 'SequenceCreator'
CREATE SEQUENCE seq.Testing START WITH 1 INCREMENT BY 1 NO CACHE
ALTER AUTHORIZATION ON seq.[Testing] TO SequenceCreator
REVERT
我收到以下错误:
Cannot find the object 'Testing', because it does not exist or you do not have permission.
这是意料之中的,因为用户SequenceCreator没有看到更少alter序列的权限。
但似乎,既然用户正在创建它,它也应该能够设置谁拥有它。(类似于CREATE SCHEMA seq AUTHORIZATION dbo通话)
问题
如何让创建用户 ( SequenceCreator) 拥有它创建的序列,而无需更高级别的用户转移所有权?
绝对不。创建后,对象归模式所有者所有,如果允许用户获取 DBO 对象的所有权,这将是一个安全漏洞。
授予 SequenceCreator
seq架构的所有权。除了解决这个问题之外,对象不属于其架构所有者的情况极为罕见。许多人和工具甚至不知道这是可能的。所以最好避免单独的对象所有权。
此外,允许非管理员用户在
dbo. 序列可能是无害的,但表、视图或过程将允许用户提升权限。