
如果您在 SSRS 目录数据库中执行 SELECT * FROM Roles WHERE 1=1;,您会看到如下内容:

上述 SELECT 的 SSMS 中的输出

如何解释“TaskMask”和“RoleFlags”中的值?我在网上零散地找到了一些信息,但没有一条来自 Microsoft。


2 回答 2


在网络上没有什么真正容易发现的东西,所以我去反编译了 ReportingServicesLibrary.dll(我使用了“ dnSpy ”)并进行了搜索,直到我在 Microsoft.ReportingServices.Library.AuthzData 类中找到了我想要的东西。

我在 Ssrs 数据库目录中发现了以下关于“角色”表的信息:

  1. Roles.RoleFlags 中存储的值实际上就是 SecurityScope 枚举的基础值,它指明应使用哪个枚举来解释 TaskMask。
  2. Roles.TaskMask 中存储的值对应于 CatalogItemTaskEnum、CatalogTaskEnum 或 ModelItemTaskEnum 枚举的成员。“1”表示该成员/设置为“开”,“0”表示“关”。字符串从左到右读取,每个位置(从 0 开始)对应于枚举成员的基础值。如果字符串右端缺少某些位置,则假定对应的设置为“关”。

警告

如果您打算使用 SQL 更改角色的 TaskMask,请不要直接更新它,而应使用 SetRolePropertiesAndInvalidatePolicies 存储过程。该存储过程会把链接到该角色的所有现有策略的 SecData.NtSecDescState 列设置为 1(将数据标记为“脏”)。下次 SSRS ReportServer 服务检查策略更新时,它会为该表中所有“脏”记录更新存储在 SecData.NtSecDescPrimary 列中的序列化(AceCollection)数据,供您的授权扩展使用。(检查权限/访问时,提供给授权扩展的正是这些 SecData 数据。)因此,如果直接更新 TaskMask,这些记录不会被标记为“脏”,序列化数据也就不会刷新,实际生效的权限可能与 Roles 表中显示的不一致。

例如

考虑内置的“文件夹查看器”角色。由于 RoleFlags 为“0”,它对应于 SecurityScope.CatalogItem,表示 TaskMask 应使用 CatalogItemTaskEnum 来解释。接下来,由于 TaskMask 为“000000100000000000”,该角色拥有 ViewFolders“任务”权限,因为“1”位于 TaskMask 字符串的位置/索引 6(从零开始)处,而 CatalogItemTaskEnum.ViewFolders 的基础值正是 6。

代码定义

// Scope of a role definition. Per the accompanying text, the underlying value
// is what Roles.RoleFlags stores, and it selects which task enum is used to
// read that role's TaskMask string.
internal enum SecurityScope
{
    CatalogItem = 0, // TaskMask positions map to CatalogItemTaskEnum
    Catalog = 1,     // TaskMask positions map to CatalogTaskEnum
    ModelItem = 2    // TaskMask positions map to ModelItemTaskEnum
}

// Item-level tasks (RoleFlags = 0 / SecurityScope.CatalogItem).
// Each member's underlying value is the zero-based character position in
// Roles.TaskMask: '1' at that position means the task is granted, '0' or a
// missing trailing position means it is not.
internal enum CatalogItemTaskEnum
{
    ConfigureAccess = 0,
    CreateLinkedReports = 1,
    ViewReports = 2,
    ManageReports = 3,
    ViewResources = 4,
    ManageResources = 5,
    ViewFolders = 6,
    ManageFolders = 7,
    ManageSnapshots = 8,
    Subscribe = 9,
    ManageAnySubscription = 10,
    ViewDataSources = 11,
    ManageDataSources = 12,
    ViewModels = 13,
    ManageModels = 14,
    ConsumeReports = 15,
    Comment = 16,        // absent in SSRS 2012 according to the accompanying text
    ManageComments = 17,

    // 268435455; presumably a sentinel rather than a TaskMask position (confirm).
    Invalid = 0x0FFFFFFF
}

// System-level tasks (RoleFlags = 1 / SecurityScope.Catalog).
// Each member's underlying value is the zero-based character position in
// Roles.TaskMask for roles of this scope.
internal enum CatalogTaskEnum
{
    ManageRoles = 0,
    ManageSystemSecurity = 1,
    ViewSystemProperties = 2,
    ManageSystemProperties = 3,
    ViewSharedSchedules = 4,
    ManageSharedSchedules = 5,
    GenerateEvents = 6,
    ManageJobs = 7,
    ExecuteReportDefinitions = 8,

    // 268435455; presumably a sentinel rather than a TaskMask position (confirm).
    Invalid = 0x0FFFFFFF
}

// Model-item tasks (RoleFlags = 2 / SecurityScope.ModelItem).
// Only one task is defined, so only the first TaskMask position is meaningful
// for roles of this scope.
internal enum ModelItemTaskEnum
{
    ViewModelItems = 0,

    // 268435455; presumably a sentinel rather than a TaskMask position (confirm).
    Invalid = 0x0FFFFFFF
}

多年来,这些枚举陆续增加了成员。例如,CatalogItemTaskEnum.Comment 在 SSRS 2012 中并不存在。

于 2020-08-14T23:36:13.693 回答

根据 @Granger 的回答,下面的 SQL 代码把每个权限分别列为单独的一列。

-- Read-only audit view of dbo.Roles: expands each role's TaskMask string into
-- one BIT column per task.
--   * RoleFlags picks the task list: 0 = item-level, 1 = system-level,
--     2 = model-item. Columns that belong to a different scope are always 0.
--   * SUBSTRING is 1-based, so position N here is enum value N-1.
--   * A mask shorter than N yields '' from SUBSTRING, which is treated as 0
--     (task not granted).
-- This lists what each role definition allows; it does not show which
-- principals hold the role.
SELECT
    r.*,
    -- Item-level tasks (RoleFlags = 0)
    CAST(CASE WHEN r.RoleFlags = 0 AND SUBSTRING(r.TaskMask, 1, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ConfigureAccess,
    CAST(CASE WHEN r.RoleFlags = 0 AND SUBSTRING(r.TaskMask, 2, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS CreateLinkedReports,
    CAST(CASE WHEN r.RoleFlags = 0 AND SUBSTRING(r.TaskMask, 3, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ViewReports,
    CAST(CASE WHEN r.RoleFlags = 0 AND SUBSTRING(r.TaskMask, 4, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ManageReports,
    CAST(CASE WHEN r.RoleFlags = 0 AND SUBSTRING(r.TaskMask, 5, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ViewResources,
    CAST(CASE WHEN r.RoleFlags = 0 AND SUBSTRING(r.TaskMask, 6, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ManageResources,
    CAST(CASE WHEN r.RoleFlags = 0 AND SUBSTRING(r.TaskMask, 7, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ViewFolders,
    CAST(CASE WHEN r.RoleFlags = 0 AND SUBSTRING(r.TaskMask, 8, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ManageFolders,
    CAST(CASE WHEN r.RoleFlags = 0 AND SUBSTRING(r.TaskMask, 9, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ManageSnapshots,
    CAST(CASE WHEN r.RoleFlags = 0 AND SUBSTRING(r.TaskMask, 10, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS Subscribe,
    CAST(CASE WHEN r.RoleFlags = 0 AND SUBSTRING(r.TaskMask, 11, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ManageAnySubscription,
    CAST(CASE WHEN r.RoleFlags = 0 AND SUBSTRING(r.TaskMask, 12, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ViewDataSources,
    CAST(CASE WHEN r.RoleFlags = 0 AND SUBSTRING(r.TaskMask, 13, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ManageDataSources,
    CAST(CASE WHEN r.RoleFlags = 0 AND SUBSTRING(r.TaskMask, 14, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ViewModels,
    CAST(CASE WHEN r.RoleFlags = 0 AND SUBSTRING(r.TaskMask, 15, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ManageModels,
    CAST(CASE WHEN r.RoleFlags = 0 AND SUBSTRING(r.TaskMask, 16, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ConsumeReports,
    CAST(CASE WHEN r.RoleFlags = 0 AND SUBSTRING(r.TaskMask, 17, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS Comment,
    CAST(CASE WHEN r.RoleFlags = 0 AND SUBSTRING(r.TaskMask, 18, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ManageComments,
    -- System-level tasks (RoleFlags = 1)
    CAST(CASE WHEN r.RoleFlags = 1 AND SUBSTRING(r.TaskMask, 1, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ManageRoles,
    CAST(CASE WHEN r.RoleFlags = 1 AND SUBSTRING(r.TaskMask, 2, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ManageSystemSecurity,
    CAST(CASE WHEN r.RoleFlags = 1 AND SUBSTRING(r.TaskMask, 3, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ViewSystemProperties,
    CAST(CASE WHEN r.RoleFlags = 1 AND SUBSTRING(r.TaskMask, 4, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ManageSystemProperties,
    CAST(CASE WHEN r.RoleFlags = 1 AND SUBSTRING(r.TaskMask, 5, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ViewSharedSchedules,
    CAST(CASE WHEN r.RoleFlags = 1 AND SUBSTRING(r.TaskMask, 6, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ManageSharedSchedules,
    CAST(CASE WHEN r.RoleFlags = 1 AND SUBSTRING(r.TaskMask, 7, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS GenerateEvents,
    CAST(CASE WHEN r.RoleFlags = 1 AND SUBSTRING(r.TaskMask, 8, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ManageJobs,
    CAST(CASE WHEN r.RoleFlags = 1 AND SUBSTRING(r.TaskMask, 9, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ExecuteReportDefinitions,
    -- Model-item tasks (RoleFlags = 2)
    CAST(CASE WHEN r.RoleFlags = 2 AND SUBSTRING(r.TaskMask, 1, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ViewModelItems
FROM dbo.Roles AS r
于 2022-01-12T12:57:17.387 回答