我有以下观点(称为view3
)
我创建了一个角色,并在两列上授予了SELECT
和UPDATE
权限。
CREATE ROLE Testrole
GRANT SELECT (Doc_ID, [Total Attentions]) ON view3 TO Testrole
然后我将角色分配给已创建的用户(test
)
ALTER ROLE Testrole ADD MEMBER test
但是当执行事务检查是否一切正常时,将显示所有列而不是所需的两列(上图中的相同图像)。
这是脚本
CREATE LOGIN logtest
WITH PASSWORD = 'logtest'
CREATE USER test
FOR LOGIN logtest
CREATE ROLE Testrole
GRANT SELECT (Doc_ID, [Total Attentions]) ON view3 TO Testrole
ALTER ROLE Testrole ADD MEMBER test
SET TRANSACTION ISOLATION LEVEL READ UNCOMMITTED
BEGIN TRANSACTION
EXECUTE AS USER = 'test'
SELECT * /*This should give an error*/
FROM view3
SELECT Doc_ID, [Total Attentions] /*This should work just fine*/
FROM view3
REVERT
ROLLBACK
答案 0 :(得分:1)
GRANT权限是累积的。这些症状表明视图级(所有列)权限存在,继承自此角色或其他角色。运行下面的查询以查看是否是这种情况。
SELECT
permission_name
, OBJECT_NAME(major_id) AS ObjectName
, CASE WHEN c.name IS NULL THEN 'All Columns' ELSE c.name END AS ColumnName
, USER_NAME(grantee_principal_id) AS Gratee
FROM sys.database_permissions AS p
LEFT JOIN sys.columns AS c ON
c.object_id = p.major_id
AND c.column_id = p.minor_id
WHERE
major_id = OBJECT_ID(N'view3');