Question

我正在尝试为数据库创建GRANT脚本。

DB不能使用任何内置角色，因此我需要为存储过程重新创建db_reader，db_writer和EXEC到分配给此服务帐户的GRANT脚本。

我正在尝试自动执行此操作，而不是查看数据库中的每个项目并手动创建它。

到目前为止，我有这个：

/* USER_TABLE */
select   'GRANT SELECT, INSERT, UPDATE, DELETE ON dbo.' + name + ' TO [DOMAIN\user]' from sys.objects where  type  =  'U' order by  name;

/* INTERNAL_TABLE */
select   'GRANT SELECT, INSERT, UPDATE, DELETE ON dbo.' + name + ' TO [DOMAIN\user]' from sys.objects where  type  =  'IT' order by  name;

/* VIEW */
select   'GRANT SELECT ON dbo.' + name + ' TO [DOMAIN\user]' from sys.objects where  type  =  'V' order by  name;

/* SQL_STORED_PROCEDURE */
select   'GRANT EXECUTE ON dbo.' + name + ' TO [DOMAIN\user]' from sys.objects where  type  =  'P' order by  name;

/* SQL_TABLE_VALUED_FUNCTION */
select   'GRANT SELECT, INSERT, UPDATE, DELETE ON dbo.' + name + ' TO [DOMAIN\user]' from sys.objects where  type  =  'TF' order by  name;

/* SQL_SCALAR_FUNCTION */
select   'GRANT EXECUTE ON dbo.' + name + ' TO [DOMAIN\user]' from sys.objects where  type  =  'FN' order by  name;

但是，我不确定所有其他项目需要什么权利，即：SERVICE_QUEUE，SQL_TRIGGER等（见下文）另外，如果上述内容是正确的。

select  DISTINCT(type_desc), type as a from sys.objects WHERE type <> 'S';

- 那些我认为不需要的人

DEFAULT_CONSTRAINT（D）
FOREIGN_KEY_CONSTRAINT（F）
PRIMARY_KEY_CONSTRAINT（PK）
SERVICE_QUEUE（SQ）
UNIQUE_CONSTRAINT（UQ）
SQL_TRIGGER（TR）

- 我认为我需要的人

USER_TABLE（U）
INTERNAL_TABLE（IT）
查看（V）
SQL_STORED_PROCEDURE（P）
SQL_TABLE_VALUED_FUNCTION（TF）
SQL_SCALAR_FUNCTION（FN）

提前致谢！

Answer 1

在我看来，你必须做到以下几点：

create role [DatabaseUser]
go
grant select to [DatabaseUser]
grant insert to [DatabaseUser]
grant update to [DatabaseUser]
grant delete to [DatabaseUser]
grant execute to [DatabaseUser]
go

然后，对于您想要授予权限的每个用户，只需执行

exec sp_addrolemember 'DatabaseUser', 'DOMAIN\user'

您应避免向对象和用户添加显式权限。当您使用数据库角色和模式来安排所需的安全性时，您将使您的生活更轻松。你可以看看我的博客，还有更多关于这个主题的内容。

此致

·彼得

Answer 2

假设所有对象都在dbo架构中，那么快速而肮脏的方式就是这个

grant select on schema::dbo to [MyUser]
grant insert on schema::dbo to [MyUser]
grant update on schema::dbo to [MyUser]
grant delete on schema::dbo to [MyUser]
grant execute on schema::dbo to [MyUser]

最佳做法是使用角色

CREATE ROLE MyRole
GO
EXEC sp_addrolemember 'MyRole', 'MyUser'
GO
grant select on schema::dbo to [MyRole]
grant insert on schema::dbo to [MyRole]
grant update on schema::dbo to [MyRole]
grant delete on schema::dbo to [MyRole]
grant execute on schema::dbo to [MyRole]
GO

Answer 3

declare @UserInformation table
(
    LocalId int identity(1,1) not null primary key,
    GrantToUser nvarchar(20) default null
);

DECLARE @SQL nvarchar(4000);
DECLARE @Owner sysname;
DECLARE @StoredProcedure sysname;

DECLARE @GrantToUser varchar(20);

declare @rowCount int;
declare @whereAt int;
declare @howMany int;

declare @object nvarchar(128);
DECLARE @RETURN int;

set nocount on;

DECLARE cursStoredProcedures CURSOR FAST_FORWARD
FOR
SELECT USER_NAME(uid) Owner, [name] StoredProcedure
FROM sysobjects
WHERE type in ('P','Fn') order by [name]

DECLARE mycursor scroll cursor
FOR
   select name from sysobjects
   where type = 'u'
   order by name;

DECLARE cursorViews scroll cursor
FOR
SELECT name AS view_name
FROM sys.views
order by name;

set nocount on;

set @GrantToUser = 'UserName1';
insert into @UserInformation(GrantToUser) values (@GrantToUser);
set @GrantToUser = 'UserName2';
insert into @UserInformation(GrantToUser) values (@GrantToUser);
set @GrantToUser = 'UserName2';
insert into @UserInformation(GrantToUser) values (@GrantToUser);

set @rowCount = (select isnull(count(LocalId),0) from @UserInformation);

if (@rowCount > 0)
begin

    set @whereAt = 1;

    while (@whereAt <= @rowCount)
    begin

        select
            @GrantToUser = GrantToUser
        from
            @UserInformation
        where
            LocalId = @whereAt;

        set @SQL = 'if exists(select * from dbo.sysusers where name = ''' + @GrantToUser + ''' and uid < 16382)';
        print @SQL;
        set @SQL = 'begin';
        print @SQL;

        OPEN cursStoredProcedures

        -- "Prime the pump" and get the first row
        FETCH NEXT FROM cursStoredProcedures
        INTO @Owner, @StoredProcedure

        -- Cycle through the rows of the cursor
        -- And grant permissions
        WHILE (@@FETCH_STATUS = 0)
        BEGIN

        -- Create the SQL Statement. Since we’re giving
        -- access to all stored procedures, we have to
        -- use a two-part naming convention to get the owner.
        SET @SQL = '    GRANT EXECUTE ON [' + @Owner
        + '].[' + @StoredProcedure
        + '] TO [' + @GrantToUser + '];'

        print @SQL;

        -- Get the next row
        FETCH NEXT FROM cursStoredProcedures
        INTO @Owner, @StoredProcedure
        END

        -- Clean-up after the cursor
        CLOSE cursStoredProcedures

       open mycursor
        fetch first from mycursor into @object

        while @@fetch_status <> -1
        begin
          if @@fetch_status <> -2
          begin

             set @SQL = '    grant SELECT, INSERT, UPDATE, DELETE on [dbo].['+@object+'] to [' + @GrantToUser + '];';

             print @SQL;

          end
          fetch next from mycursor into @object
        end

        close mycursor

        open cursorViews
        fetch first from cursorViews into @object

        while @@fetch_status <> -1
        begin
          if @@fetch_status <> -2
          begin

             set @SQL = '    grant SELECT on [dbo].['+@object+'] to [' + @GrantToUser + '];';

             print @SQL;

          end
          fetch next from cursorViews into @object
        end

        close cursorViews

        set @SQL = 'end;'
        print @SQL;

        set @whereAt = @whereAt + 1;

    end

end

print 'go';

set nocount off;

deallocate cursorViews
DEALLOCATE cursStoredProcedures
deallocate mycursor

go

尝试创建GRANT权限脚本

3 个答案: