GRANT permissions don't seem to apply to a VIEW

Time: 2016-11-20 15:58:52

Tags: sql sql-server

I have the following view (called view3)


I created a role and granted SELECT UPDATE permissions on two columns.

CREATE ROLE Testrole
GRANT SELECT (Doc_ID, [Total Attentions]) ON view3 TO Testrole

Then I assigned the role to an already created user (test)

ALTER ROLE Testrole ADD MEMBER test

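But when I execute a transaction to check whether everything works, all columns are displayed instead of the desired two (the same image as above).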

Here is the script

CREATE LOGIN logtest
    WITH PASSWORD = 'logtest'

CREATE USER test 
    FOR LOGIN logtest

CREATE ROLE Testrole
GRANT SELECT (Doc_ID, [Total Attentions]) ON view3 TO Testrole
ALTER ROLE Testrole ADD MEMBER test


SET TRANSACTION ISOLATION LEVEL READ UNCOMMITTED

BEGIN TRANSACTION
    EXECUTE AS USER = 'test'

    SELECT * /*This should give an error*/
        FROM view3

    SELECT Doc_ID, [Total Attentions] /*This should work just fine*/
        FROM view3

    REVERT

ROLLBACK

1 answer:

Answer 0 (score: 1)

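GRANT permissions are cumulative. These symptoms suggest that a view-level (all columns) permission exists, inherited from this role or another role. Run the query below to see whether that is the case.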

SELECT
      permission_name
    , OBJECT_NAME(major_id) AS ObjectName
    , CASE WHEN c.name IS NULL THEN 'All Columns' ELSE c.name END AS ColumnName
    , USER_NAME(grantee_principal_id) AS Grantee
FROM sys.database_permissions AS p
LEFT JOIN sys.columns AS c ON 
    c.object_id = p.major_id
    AND c.column_id = p.minor_id
WHERE
    major_id = OBJECT_ID(N'view3');
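
The following is an added example, not part of the original answer. It widens the check above to every principal whose permissions the user accumulates (the user itself, public, and nested role memberships) and to schema-level and database-level grants, which also cover all columns. The names test and view3 come from the question; it lists explicit permission rows only.

```sql
-- Added example: names 'test' and 'view3' are taken from the question.
DECLARE @user   sysname       = N'test';
DECLARE @object nvarchar(256) = N'view3';

-- Principals whose permissions add up for @user:
-- the user itself, public, and every role reached through nested membership.
WITH principals AS (
    SELECT principal_id
    FROM sys.database_principals
    WHERE name IN (@user, N'public')
    UNION ALL
    SELECT rm.role_principal_id
    FROM sys.database_role_members AS rm
    JOIN principals AS pr
        ON pr.principal_id = rm.member_principal_id
)
SELECT
      USER_NAME(p.grantee_principal_id)  AS Grantee
    , p.state_desc                       AS PermissionState  -- GRANT, DENY, ...
    , p.permission_name
    , p.class_desc                       AS Scope            -- DATABASE, SCHEMA, OBJECT_OR_COLUMN
    , COALESCE(c.name, 'All Columns')    AS ColumnName
FROM sys.database_permissions AS p
LEFT JOIN sys.columns AS c
    ON  p.class = 1                      -- only object rows can carry a column
    AND c.object_id = p.major_id
    AND c.column_id = p.minor_id         -- minor_id = 0 means the whole object
WHERE p.grantee_principal_id IN (SELECT principal_id FROM principals)
  AND (
        -- granted on the view itself or on individual columns
        (p.class = 1 AND p.major_id = OBJECT_ID(@object))
        -- granted on the schema that contains the view
     OR (p.class = 3 AND p.major_id = (SELECT o.schema_id
                                       FROM sys.objects AS o
                                       WHERE o.object_id = OBJECT_ID(@object)))
        -- granted on the whole database
     OR (p.class = 0)
      )
ORDER BY p.class, Grantee, ColumnName;
```

A SELECT row with ColumnName = 'All Columns' at any of the three scopes is the kind of inherited permission the answer describes.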