使用扩展属性的SQL Server数据库中的动态行级安全性
[英]Dynamic Row Level Security In a SQL Server Database Using Extended Properties
问题描述
We have a requirement to provide customer access to a staging database so that they can extract their data into their own servers, but every table contains all customers data. 
我们要求向客户提供对登台数据库的访问权,以便他们可以将数据提取到自己的服务器中,但是每个表都包含所有客户数据。 All of the tables have a 'CustomerID' column. 所有表都有一个“ CustomerID”列。 Customers should only see rows where the customerID is the same as theirs. 客户只能看到customerID与他们的客户ID相同的行。
I am not looking for suggestions to create separate databases or views for each customer as both suggestions are high maintenance and low efficiency. 我不是在寻找为每个客户创建单独的数据库或视图的建议,因为这两个建议都是高维护性和低效率的。
My solution has to work with: 我的解决方案必须与:
- 100GB database 100GB数据库
- 400 Tables 400桌
- Updates every 30 minutes from the core transaction database 每30分钟从核心交易数据库更新一次
- Quarterly schema changes (Application is in continuous Development). 季度架构更改(应用程序正在持续开发中)。
Can anyone give me a definitive answer as to why the following method is not secure or will not work?: 关于以下方法为何不安全或行不通的问题,谁能给我一个明确的答案?:
I've set up a database user for each customer, with their customerID as an extended property. 我已经为每个客户设置了一个数据库用户,并将他们的customerID作为扩展属性。
I've created a view of every table that dynamically selects * from the table where the customerID column is the same as the extended property CustomerID of the logged in user. 我创建了每个表的视图,该表从表中动态选择*,其中customerID列与已登录用户的扩展属性CustomerID相同。 The code looks like this and appears to work well: 该代码如下所示,并且看起来运行良好:
CREATE VIEW [CustomerAccessDatabase].[vw_Sales]
AS SELECT * FROM [CustomerAccessDatabase].[Sales]
WHERE [Sales].[CustomerID]=
(SELECT CONVERT(INT,p.value) AS [Value]
FROM sys.extended_properties
JOIN sys.sysusers ON extended_properties.major_id=sysusers.[uid]
AND extended_properties.name = 'CustomerID'
AND sysusers.[SID]=(SELECT suser_sid())
);
GO
To provide access to the views I've created a generic database role 'Customer_Access_Role'. 为了提供对视图的访问,我创建了一个通用数据库角色“ Customer_Access_Role”。 This role has access granted to all of the table views, but access to the database tables themselves is denied. 该角色具有对所有表视图的访问权限,但拒绝访问数据库表本身。
To prevent users from changing their own customerID I've denied access to the extended properties like so: 为了防止用户更改自己的customerID,我拒绝访问扩展属性,如下所示:
USE [master];
GO
DENY EXEC ON sys.sp_addextendedproperty to [public];
GO
DENY EXEC ON sys.sp_dropextendedproperty to [public];
GO
DENY EXEC ON sys.sp_updateextendedproperty to [public];
GO
The end result is that I only need one database, and one set of permissions. 最终结果是,我只需要一个数据库和一组权限。
To add a new customer all I would need to do is create a new user with their customerID as an extended attribute and add them to the Customer_Access_Role. 要添加新客户,我需要做的就是创建一个新用户,并将其customerID作为扩展属性,并将其添加到Customer_Access_Role。 Thats it! 而已!
1 个解决方案
解决方案1
0 2016-03-15 15:12:40
I am going to reiterate what everyone is stating already and sum it up. 我要重申每个人已经说过的话并总结一下。
- You are making your job harder than it has to be. 您使工作变得更加艰辛。
- Create a View, that is just their data and then give them Security access to that View. 创建一个仅是其数据的视图,然后向他们授予对该视图的安全性访问权限。
- Alternatively, extract all their data out of the "Core" database and into their own and give them the necessary access to that data. 或者,将其所有数据从“ Core”数据库中提取出来并提取到自己的数据库中,并为他们提供对该数据的必要访问权限。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.