如何解决SQL Server:拒绝在重新创建的表上选择
在SQL Server 2017中,我有一个具有ddladmin特权的用户,该用户会定期删除并重新创建表。我们需要在该表上拒绝选择。
仅当删除表时,它才会丢失拒绝。我不想授予用户securityadmin。
如何确保每次重新创建该表时都保留拒绝选择?
解决方法
...调整
revert
go
-- drop trigger deny_select_on_frequentlydroppedtable on database
create or alter trigger deny_select_on_frequentlydroppedtable
on database
with execute as 'dbo'
for CREATE_TABLE
as
begin
set nocount on;
--when table name = frequentlydroppedtable
if EVENTDATA().value('(EVENT_INSTANCE/ObjectName)[1]','sysname') = 'frequentlydroppedtable'
begin
declare @tbl nvarchar(500) = concat(quotename(EVENTDATA().value('(EVENT_INSTANCE/SchemaName)[1]','sysname')),'.',quotename(EVENTDATA().value('(EVENT_INSTANCE/ObjectName)[1]','sysname')));
declare @user nvarchar(150) = EVENTDATA().value('(EVENT_INSTANCE/UserName)[1]','sysname');
if @user <> 'dbo' and IS_ROLEMEMBER('db_owner',@user) = 0 and IS_ROLEMEMBER('db_ddladmin',@user) = 1 --... any ddl admin gets deny when they create the table :)
begin
declare @sql nvarchar(500) = 'deny select on ' + @tbl + ' to ' + quotename(@user);
exec(@sql)
end
end
end
go
--dbo or ....
drop table if exists frequentlydroppedtable;
go
create table frequentlydroppedtable(id int);
go
--works
select * from frequentlydroppedtable
go
--create a test db_ddladmin
create user test_db_ddladmin without login;
go
alter role db_ddladmin add member test_db_ddladmin;
go
execute as user = 'test_db_ddladmin'
go
drop table if exists frequentlydroppedtable;
go
create table frequentlydroppedtable(id int);
go
--permission violation,deny select
select * from frequentlydroppedtable
go
revert
go
--cleanup
drop table if exists frequentlydroppedtable;
go
drop user test_db_ddladmin;
go
drop trigger deny_select_on_frequentlydroppedtable on database
go
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。