MySQL根据列值授予权限?

时间:2013-04-08 11:39:12

标签: mysql database-permissions

我正在尝试向具有“经理”访问权限的特定用户授予访问权限。他们可以SELECTUPDATE但只能访问自己群体中的人。数据库为redflame,表格为payroll

表格的一部分是:

+------+---------+--------+-----------+--------+
| Dept | Manager | Name   | Birthdate | Salary |
+------+---------+--------+-----------+--------+
|    1 | Y       | BOB    | 1/1/1     |  50000 |
|    1 | N       | BILL   | 2/2/2     |  40000 |
|    1 | N       | BART   | 3/3/3     |  70000 |
|    2 | Y       | JIM    | 4/4/4     |  40000 |
|    2 | N       | JANET  | 5/5/5     |  50000 |
...

我希望只允许SELECTUPDATE权限给经理,但仅限于他的群组。我试过了,

GRANT SELECT (Dept, Manager, Name, Birthdate),
      UPDATE (Dept, Manager, Name, Birthdate)
   ON redflame.payroll WHERE Dept = '1'
   TO 'Bob'@'localhost';

我知道这不起作用,但您如何根据Bob实施Dept的许可?

非常感谢任何帮助。

2 个答案:

答案 0 :(得分:1)

为每个部门创建一个视图,并为其授予权限。

答案 1 :(得分:0)

根据MySQL手册:

http://dev.mysql.com/doc/refman/5.1/en/grant.html

  

通常,数据库管理员首先使用CREATE USER创建   帐户,然后GRANT来定义其特权和特征。

在您向工资表添加新记录时的PHP代码中,您必须执行以下操作(我使用伪代码编写):

if((new->Dept == 1) and (new->Manager == 'Y'))
{
      if (user with name == new->Name doesn't exist)
      {
            Create a new user with name = new->Name
            Grant SELECT and UPDATE privileges to the newly created user ON redflame.payroll table
      }
      else
      {
            error: user already exists!
      }
}

更新工资表中的记录时:

if(the record was a Manager and he is updated to non Manager)
{
      DROP USER with name = old->Name
}

if(the record was not a Manager and he is updated to Manager)
{
      if (user with name == new->Name doesn't exist)
      {
            Create a new user with name = new->Name
            Grant SELECT and UPDATE privileges to the newly created user ON redflame.payroll table
      }
      else
      {
            error: user already exists!
      }
}

从工资表中删除记录时:

if((old->Dept == 1) and (old->Manager == 'Y'))
{
      if (user with name == old->Name exists)
      {
            DROP USER with name = old->Name
      }
}

如果您具有数据库的root访问权限,则可以创建ON INSERT,ON UPDATE和ON DELETE触发器。然后使用这个逻辑,编写SQL代码。否则,在php中实现它。