[英]Restricting permission to drop column in SQL Server?
ALTER TABLE [dbo].[Client] ADD [Awesomness] [nvarchar](max)
ALTER TABLE [dbo].[Client] DROP COLUMN [Awesomness]
The second command I don't want to be successful, I don't want any DROP COLUMN
to succeed. 第二个命令我不希望成功,我不希望任何
DROP COLUMN
成功。 So I created a user for my database, just wondering how I can deny this user the permission to DROP COLUMN
. 因此,我为数据库创建了一个用户,只是想知道如何拒绝该用户对
DROP COLUMN
的权限。 I set up a trigger but that doesn't seem to take care of DROP COLUMN
. 我设置了一个触发器,但这似乎并不能解决
DROP COLUMN
。 Is there anyway I could restrict this? 无论如何,我可以限制这一点吗?
CREATE TRIGGER [TR_DB_NO_DROPPING_OBJECTS_2]
on DATABASE
FOR
DROP_PROCEDURE,DROP_FUNCTION,DROP_VIEW,DROP_TABLE, DROP_DEFAULT,DROP_EXTENDED_PROPERTY
AS
BEGIN
IF --only two accounts allowed to drop stuff
suser_name() NOT IN('test' )
BEGIN
--raise an error, which goes to the error log
RAISERROR('Unauthorized use of drop object from inpermissible host.', 16, 1)
--prevent the drop
ROLLBACK
END
--if it got to here, it was the "right" user from the "right" machine (i hope)
END
The roles I've assigned my user. 我分配给用户的角色。
use Hasan
go
EXEC sp_addrolemember N'db_datareader', N'TestUser'
go
use Hasan
go
EXEC sp_addrolemember N'db_datawriter', N'TestUser'
go
use Hasan
GO
GRANT EXECUTE TO [TestUser]
GO
use Hasan
GO
GRANT INSERT TO [TestUser]
GO
use Hasan
GO
GRANT SELECT TO [TestUser]
GO
use Hasan
GRANT ALTER TO [TestUser]
GO
use Hasan
GO
GRANT UPDATE TO [TestUser]
GO
use Hasan
GO
GRANT DELETE TO [TestUser]
GO
That would be an Alter_Table DDL event. 那将是一个Alter_Table DDL事件。 See if that works for you.
看看是否适合您。
Also, I am not sure if you have looked into roles. 另外,我不确定您是否研究过角色。 Granting dbwriter and dbreader allows CRUD operations but no changes to DDL.
授予dbwriter和dbreader允许进行CRUD操作,但不能更改DDL。
https://msdn.microsoft.com/en-us/library/ms189121.aspx https://msdn.microsoft.com/zh-CN/library/ms189121.aspx
EDIT: This example does not check for a user but it works on my test table: 编辑:此示例不检查用户,但它适用于我的测试表:
CREATE TRIGGER testtrig
ON Database
FOR alter_table
AS
Declare @Msg nvarchar(max) = (SELECT EVENTDATA().value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]','nvarchar(max)'))
If @Msg Like '%Drop Column ColumnA%'
Rollback
GO
There is probably a better way than parsing the message text like in my example, this was just a quick test. 像分析示例中的消息文本一样,可能有更好的方法,这只是一个快速测试。
Also remember this is just a safety to let the user know they should not drop this column. 还请记住,这只是一种安全措施,让用户知道他们不应删除此列。 If they have DDL rights they can disable or delete the trigger.
如果他们具有DDL权限,则可以禁用或删除触发器。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.