4

I'm currently using SQL Server 2012, and I have a question concerning cross-schema access with different access rights:

Let's say I have two schemas: UserSchema and TableSchema.

TableSchema contains 2 tables, and this schema is accessible by an administrator user only, for reading, updates, etc.

UserSchema is to be accessible by users with SELECT-rights (or whatever you would call the reading rights). This schema contains a view that is supposed to select data from the two tables in the TableSchema.

My idea is that the users of the UserSchema should have access to the UserSchema only, but not have access to the TableSchema. Will this work? Or will querying the view not work because of not having permission to read data directly from the tables? Is there a good solution to work around this, or will I have to forget the idea and give the users reading access to the TableSchema as well?

The answer to the main question is probably obvious, but I seem to find a bit different answers when trying to google it, so this is more or less a yes-or-no-question to confirm or refute the idea.

4

1 Answer

6

This works fine as long as the owner of each schema is the same, because the ownership chain is then unbroken.

See the following link for more details:

Ownership Chains

For example, this will work:

  • UsersSchema owned by dbo

  • TableSchema owned by dbo

  • User1 granted SELECT on UsersSchema, denied SELECT on TableSchema

  • view1 is in UsersSchema (selects from Table1)

  • table1 is in TableSchema

user1 executes select * from UsersSchema.view1 - SQL Server checks whether user1 has permission to select from the view; he does, so all is well.

SQL Server then checks who owns the view: dbo. SQL Server then checks who owns the table the view wants data from: also dbo (since dbo owns both schemas). Because the ownership chain is unbroken, SQL Server does not now check what permissions user1 has on table1 and returns the data, even though you denied user1 select on table1 or on TableSchema.

If user1 tries to access table1 directly, he will still be denied access to table1.

answered 2013-07-24T16:18:38.147
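The scenario from the question and the answer above, as an added T-SQL example that is not part of the original post or answer. It builds both schemas under the same owner (dbo), exposes the base tables only through a view, and then impersonates a restricted user to show that the view is readable while the tables are not. It also shows the check a practitioner would run on schema owners, and what happens when the chain is broken by giving the view's schema a different owner. All names (ChainDemo, ReportUser, ViewOwner, Customers, Orders, CustomerOrders) are assumed; run it in a scratch database on SQL Server 2012 or later.

```sql
-- Added example, not from the question or answer. All object and user names are assumed.
CREATE DATABASE ChainDemo;
GO
USE ChainDemo;
GO
-- Both schemas owned by the same principal: this is what keeps the ownership chain intact.
CREATE SCHEMA TableSchema AUTHORIZATION dbo;
GO
CREATE SCHEMA UserSchema AUTHORIZATION dbo;
GO
-- Constructed sample data. Ssn is a sensitive column the view deliberately does not expose.
CREATE TABLE TableSchema.Customers (Id int PRIMARY KEY, Name nvarchar(50) NOT NULL, Ssn char(11) NOT NULL);
CREATE TABLE TableSchema.Orders (Id int PRIMARY KEY,
    CustomerId int NOT NULL REFERENCES TableSchema.Customers(Id), Amount money NOT NULL);
INSERT INTO TableSchema.Customers VALUES (1, N'Alice', '000-00-0001'), (2, N'Bob', '000-00-0002');
INSERT INTO TableSchema.Orders VALUES (10, 1, 42.00), (11, 2, 17.50);
GO
-- The view lives in UserSchema and reads from both tables in TableSchema.
CREATE VIEW UserSchema.CustomerOrders AS
SELECT c.Name, o.Amount
FROM TableSchema.Customers AS c
JOIN TableSchema.Orders AS o ON o.CustomerId = c.Id;
GO
-- Restricted user: SELECT on UserSchema only; explicit DENY on TableSchema.
CREATE USER ReportUser WITHOUT LOGIN;
GRANT SELECT ON SCHEMA::UserSchema TO ReportUser;
DENY  SELECT ON SCHEMA::TableSchema TO ReportUser;
GO
-- Check: confirm both schemas really have the same owner before relying on chaining.
SELECT s.name AS schema_name, dp.name AS owner_name
FROM sys.schemas AS s
JOIN sys.database_principals AS dp ON dp.principal_id = s.principal_id
WHERE s.name IN ('UserSchema', 'TableSchema');
GO
-- Test as the restricted user.
EXECUTE AS USER = 'ReportUser';
SELECT * FROM UserSchema.CustomerOrders;   -- succeeds: view owner dbo -> table owner dbo, chain unbroken
SELECT * FROM TableSchema.Customers;       -- fails with error 229: SELECT permission was denied
REVERT;
GO
-- Breaking the chain: give UserSchema a different owner. Objects in the schema follow the
-- schema owner, so the view is now owned by ViewOwner while the tables stay with dbo.
CREATE USER ViewOwner WITHOUT LOGIN;
ALTER AUTHORIZATION ON SCHEMA::UserSchema TO ViewOwner;
GO
EXECUTE AS USER = 'ReportUser';
SELECT * FROM UserSchema.CustomerOrders;   -- now fails: chain broken at the tables, DENY on TableSchema applies
REVERT;
GO
-- Restore the chain for cleanup.
ALTER AUTHORIZATION ON SCHEMA::UserSchema TO dbo;
GO
```

Two points the example makes visible: the DENY on TableSchema is simply not consulted while the chain is intact, so the view is the only thing standing between ReportUser and the base tables (which is why the view should project only the columns the user is entitled to see); and a later change of schema ownership silently turns a working report into a permission error, so the owner query above belongs in any checklist for this design.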