Question

我有以下观点（称为view3）

我创建了一个角色，并在两列上授予了SELECT和UPDATE权限。

CREATE ROLE Testrole
GRANT SELECT (Doc_ID, [Total Attentions]) ON view3 TO Testrole

然后我将角色分配给已创建的用户（test）

ALTER ROLE Testrole ADD MEMBER test

但是当执行事务检查是否一切正常时，将显示所有列而不是所需的两列（上图中的相同图像）。

这是脚本

CREATE LOGIN logtest
    WITH PASSWORD = 'logtest'

CREATE USER test 
    FOR LOGIN logtest

CREATE ROLE Testrole
GRANT SELECT (Doc_ID, [Total Attentions]) ON view3 TO Testrole
ALTER ROLE Testrole ADD MEMBER test


SET TRANSACTION ISOLATION LEVEL READ UNCOMMITTED

BEGIN TRANSACTION
    EXECUTE AS USER = 'test'

    SELECT * /*This should give an error*/
        FROM view3

    SELECT Doc_ID, [Total Attentions] /*This should work just fine*/
        FROM view3

    REVERT

ROLLBACK

Answer 1

GRANT权限是累积的。这些症状表明视图级（所有列）权限存在，继承自此角色或其他角色。运行下面的查询以查看是否是这种情况。

SELECT
      permission_name
    , OBJECT_NAME(major_id) AS ObjectName
    , CASE WHEN c.name IS NULL THEN 'All Columns' ELSE c.name END AS ColumnName
    , USER_NAME(grantee_principal_id) AS Gratee
FROM sys.database_permissions AS p
LEFT JOIN sys.columns AS c ON 
    c.object_id = p.major_id
    AND c.column_id = p.minor_id
WHERE
    major_id = OBJECT_ID(N'view3');

GRANT权限似乎不适用于VIEW

1 个答案: