我有一个拥有架构的用户A,我们也称它为A。 另一个用户B拥有模式B。
用户A具有内联函数,该函数从表“ A.Table”返回数据集。
现在,我只希望用户B使用这些功能,而无需在实际表上向用户B提供选择功能。
通常这似乎可行,但是由于某些原因,我不确定为什么在用户B的架构A下选择GRANT不能正常工作。 有人可以阐明这个问题吗?
答案 0 :(得分:0)
确保该功能由用户A拥有(所有权链接,如果功能和表的所有者相同,则不检查表的权限)
--user A and schema A (owned by user A)
create user A without login
go
create schema A authorization A
go
--permissions to user A, create table&function
grant create table to A
go
grant create function to A
go
--user B
create user B without login
go
--user A
execute as user = 'A'
go
create table A.testtable(id int)
go
insert into A.testtable(id) values(1),(2);
go
create function A.testfunc()
returns
table
as
return
(
select *
from A.testtable
)
go
grant select on A.testfunc to B;
go
revert
go
--user B
execute as user = 'B'
go
--ownership chain, function and table in the function owned by the same user A (user A created the function)
select *
from A.testfunc()
go
revert
go
--change ownership of function, function is owned by dbo
alter authorization on A.testfunc to dbo
go
grant select on A.testfunc to B
go
--try again as user B
execute as user = 'B'
go
--permission violation
--ownership chain broken: function and referenced table (A.testtable in the function) are not owned by the same user...
select *
from A.testfunc()
go
revert
go
--cleanup
drop function A.testfunc
go
drop table A.testtable
go
drop schema A
go
drop user A
go
drop user B
go