I'm looking for a way to identify the default privileges granted to a user in a specific database. I tried this:
select *
from dbc.allrights
where username='user-id'
and databasename='database-name'
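There are two problems with the above. First, as written, the query returns one row for every privilege on every table owned by user-id, and it includes privileges that were specifically granted. Second, if user-id has not created any tables at all, no rows are returned.
I'm hoping there is another DBC view that contains the default privileges for a user and database.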
You can use this query to check a user's access to different databases:
SELECT
A.GRANTEE as ProxyID,B.DATABASENAME,
CASE WHEN B.ACCESSRIGHT = 'D' THEN 'DELETE'
WHEN B.ACCESSRIGHT = 'I' THEN 'INSERT'
WHEN B.ACCESSRIGHT = 'R' THEN 'SELECT'
WHEN B.ACCESSRIGHT = 'SH' THEN 'SHOW TABLE/VIEW'
WHEN B.ACCESSRIGHT = 'U' THEN 'UPDATE' ELSE 'OTHER' END ACCESS_LEVEL
FROM
DBC.ROLEMEMBERS A Join DBC.ALLROLERIGHTS B
ON
A.ROLENAME = B.ROLENAME
WHERE
Grantee='USER_ID' AND B.DATABASENAME IN ('DATABASE1','DATABASE2',.....)
GROUP BY 1,2,3
ORDER BY 1,2,3
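Hope this helps.
Implicit privileges at the database level exist only if the user created the database themselves. Otherwise, implicit privileges exist at the object level, in the database where the objects were created.
It is recommended to manage explicit privileges granted by the system or security administrator at the role level. Role membership can be determined from the DBC.RoleMembers view. The access rights of a given role can be identified in DBC.AllRoleRights. However, if I remember correctly, if you reference the pseudo-table "All" in the DBC.AllRights view, you can determine the explicit privileges granted to the user at the database level.
This SQL is the same, just extended with more access rights: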
SELECT RN.Grantee
,ARR.DatabaseName
,ARR.AccessRight
,CASE
WHEN ARR.AccessRight = 'AE' THEN 'ALTER EXTERNAL PROCEDURE'
WHEN ARR.AccessRight = 'AF' THEN 'ALTER FUNCTION'
WHEN ARR.AccessRight = 'AP' THEN 'ALTER PROCEDURE'
WHEN ARR.AccessRight = 'AS' THEN 'ABORT SESSION'
WHEN ARR.AccessRight = 'CA' THEN 'CREATE AUTHORIZATION'
WHEN ARR.AccessRight = 'CD' THEN 'CREATE DATABASE'
WHEN ARR.AccessRight = 'CE' THEN 'CREATE EXTERNAL PROCEDURE'
WHEN ARR.AccessRight = 'CF' THEN 'CREATE FUNCTION'
WHEN ARR.AccessRight = 'CG' THEN 'CREATE TRIGGER'
WHEN ARR.AccessRight = 'CM' THEN 'CREATE MACRO'
WHEN ARR.AccessRight = 'CO' THEN 'CREATE PROFILE'
WHEN ARR.AccessRight = 'CP' THEN 'CHECKPOINT'
WHEN ARR.AccessRight = 'CR' THEN 'CREATE ROLE'
WHEN ARR.AccessRight = 'CT' THEN 'CREATE TABLE'
WHEN ARR.AccessRight = 'CU' THEN 'CREATE USER'
WHEN ARR.AccessRight = 'CV' THEN 'CREATE VIEW'
WHEN ARR.AccessRight = 'D' THEN 'DELETE'
WHEN ARR.AccessRight = 'DA' THEN 'DROP AUTHORIZATION'
WHEN ARR.AccessRight = 'DD' THEN 'DROP DATABASE'
WHEN ARR.AccessRight = 'DF' THEN 'DROP FUNCTION'
WHEN ARR.AccessRight = 'DG' THEN 'DROP TRIGGER'
WHEN ARR.AccessRight = 'DM' THEN 'DROP MACRO'
WHEN ARR.AccessRight = 'DO' THEN 'DROP PROFILE'
WHEN ARR.AccessRight = 'DP' THEN 'DUMP'
WHEN ARR.AccessRight = 'DR' THEN 'DROP ROLE'
WHEN ARR.AccessRight = 'DT' THEN 'DROP TABLE'
WHEN ARR.AccessRight = 'DU' THEN 'DROP USER'
WHEN ARR.AccessRight = 'DV' THEN 'DROP VIEW'
WHEN ARR.AccessRight = 'E' THEN 'EXECUTE'
WHEN ARR.AccessRight = 'EF' THEN 'EXECUTE FUNCTION'
WHEN ARR.AccessRight = 'GC' THEN 'CREATE GLOP'
WHEN ARR.AccessRight = 'GD' THEN 'DROP GLOP'
WHEN ARR.AccessRight = 'GM' THEN 'GLOP MEMBER'
WHEN ARR.AccessRight = 'I' THEN 'INSERT'
WHEN ARR.AccessRight = 'IX' THEN 'INDEX'
WHEN ARR.AccessRight = 'MR' THEN 'MONITOR RESOURCE'
WHEN ARR.AccessRight = 'MS' THEN 'MONITOR SESSION'
WHEN ARR.AccessRight = 'NT' THEN 'NONTEMPORAL'
WHEN ARR.AccessRight = 'OD' THEN 'OVERRIDE DELETE POLICY'
WHEN ARR.AccessRight = 'OI' THEN 'OVERRIDE INSERT POLICY'
WHEN ARR.AccessRight = 'OP' THEN 'CREATE OWNER PROCEDURE'
WHEN ARR.AccessRight = 'OS' THEN 'OVERRIDE SELECT POLICY'
WHEN ARR.AccessRight = 'OU' THEN 'OVERRIDE UPDATE POLICY'
WHEN ARR.AccessRight = 'PC' THEN 'CREATE PROCEDURE'
WHEN ARR.AccessRight = 'PD' THEN 'DROP PROCEDURE'
WHEN ARR.AccessRight = 'PE' THEN 'EXECUTE PROCEDURE'
WHEN ARR.AccessRight = 'R' THEN 'SELECT'
WHEN ARR.AccessRight = 'RF' THEN 'REFERENCE'
WHEN ARR.AccessRight = 'RO' THEN 'REPLCONTROL'
WHEN ARR.AccessRight = 'RS' THEN 'RESTORE'
WHEN ARR.AccessRight = 'SA' THEN 'SECURITY CONSTRAINT ASSIGNMENT'
WHEN ARR.AccessRight = 'SD' THEN 'SECURITY CONSTRAINT DEFINITION'
WHEN ARR.AccessRight = 'SH' THEN 'SHOW'
WHEN ARR.AccessRight = 'SR' THEN 'SET RESOURCE RATE'
WHEN ARR.AccessRight = 'SS' THEN 'SET SESSION RATE'
WHEN ARR.AccessRight = 'ST' THEN 'STATISTICS'
WHEN ARR.AccessRight = 'TH' THEN 'CTCONTROL'
WHEN ARR.AccessRight = 'U' THEN 'UPDATE'
ELSE 'Unknown'
END AS AccesRightText
FROM DBC.RoleMembers AS RN
INNER JOIN DBC.AllRoleRights AS ARR
ON RN.RoleName = ARR.RoleName
WHERE RN.Grantee = 'User'
AND ARR.DatabaseName IN ('Database1', 'Database2')
GROUP BY 1, 2, 3, 4
ORDER BY 1, 2, 3, 4
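
The answers above cover role rights (DBC.RoleMembers joined to DBC.AllRoleRights) and direct database-level grants (the "All" pseudo-table in DBC.AllRights) separately. The following added example, which is not from any of the posts, combines them into one audit query and goes one step further by also following a role granted to a role. 'USER_ID', 'DATABASE1' and 'DATABASE2' are placeholders, and the column aliases GrantSource and ViaRole are made up for this example.

```sql
-- Added example: database-level rights a user holds, with where each comes from.
-- Filtering on TableName = 'All' keeps only rows granted on the database itself,
-- so there is no row per table, and rows appear even if the user
-- has never created an object.
SELECT src.UserName, src.DatabaseName, src.AccessRight,
       src.GrantSource, src.ViaRole
FROM (
    -- 1) Granted directly to the user.
    --    The first SELECT of a UNION fixes the column types in Teradata,
    --    so the literals are cast wide enough for the later branches.
    SELECT CAST(ar.UserName AS VARCHAR(128))      AS UserName,
           CAST(ar.DatabaseName AS VARCHAR(128))  AS DatabaseName,
           ar.AccessRight,
           CAST('DIRECT' AS VARCHAR(11))          AS GrantSource,
           CAST(NULL AS VARCHAR(128))             AS ViaRole
    FROM DBC.AllRights ar
    WHERE ar.UserName  = 'USER_ID'      -- placeholder
      AND ar.TableName = 'All'

    UNION ALL

    -- 2) Held through a role granted to the user.
    SELECT rm.Grantee, arr.DatabaseName, arr.AccessRight,
           'ROLE', rm.RoleName
    FROM DBC.RoleMembers rm
    JOIN DBC.AllRoleRights arr
      ON arr.RoleName = rm.RoleName
    WHERE rm.Grantee    = 'USER_ID'     -- placeholder
      AND arr.TableName = 'All'

    UNION ALL

    -- 3) Held through a role that is itself granted to one of the user's roles
    --    (Teradata allows a single level of role nesting).
    SELECT rm.Grantee, arr.DatabaseName, arr.AccessRight,
           'NESTED ROLE', nested.RoleName
    FROM DBC.RoleMembers rm
    JOIN DBC.RoleMembers nested
      ON nested.Grantee = rm.RoleName
    JOIN DBC.AllRoleRights arr
      ON arr.RoleName = nested.RoleName
    WHERE rm.Grantee    = 'USER_ID'     -- placeholder
      AND arr.TableName = 'All'
) AS src
WHERE src.DatabaseName IN ('DATABASE1', 'DATABASE2')   -- placeholders
ORDER BY 1, 2, 3, 4;
```

Rows tagged DIRECT are the ones worth reviewing first in an access audit, since they bypass the role-based management recommended above.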