如何为Active Directory域组检索SQL Server数据库角色
[英]How to retrieve SQL Server database roles for an Active Directory domain group
问题描述
I have the following environment: 
我有以下环境:
Microsoft SQL Server Enterprise 64bit version 11.0.5623.0 running on Microsoft Windows NT 6.1 (7601)
在Microsoft Windows NT 6.1(7601)上运行的Microsoft SQL Server Enterprise 64位版本11.0.5623.0 I have a domain called MyDomain , all end users are member of this domain, eg user Donald from the USA and user Fritz from Germany
我有一个名为MyDomain的域,所有最终用户都是该域的成员,例如,来自美国的用户Donald和来自德国的用户Fritz For each country I have a dedicated domain group eg MyDomain_Sales_USA group contains the US user Donald, MyDomain_Sales_GER contains the German user Fritz
对于每个国家/地区,我都有一个专用的域组,例如MyDomain_Sales_USA组包含美国用户Donald, MyDomain_Sales_GER包含德国用户Fritz I have one SQL Server instance in the
MyDomainwith aSalesdatabase.我在具有Sales数据库的MyDomain有一个SQL Server实例。The
Salesdatabase contains a table calledProductsthat is shown here:Sales数据库包含一个名为Products的表,如下所示:End users access the
Productstable with their domain account (single sign on) to read data最终用户使用其域帐户(单点登录)访问“ Products表以读取数据
The business case: 业务案例:
- USA users that are members of the domain group MyDomain_Sales_USA only see the products with
Country = USA, similarly German users only see the Germany products.属于域组MyDomain_Sales_USA的 Country = USA用户只能看到Country = USA的产品,类似地,德国用户也只能看到Germany产品。 - users are added and removed from the two domain groups frequently 经常将用户添加和删除两个域组
- The SQL Server admins only want to configure the domain groups. SQL Server管理员只希望配置域组。 No domain users are configured in the SQL Server. 在SQL Server中未配置任何域用户。
My approach: 我的方法:
Using SQL Server Management Studio I added the domain groups MyDomain_Sales_USA and MyDomain_Sales_GER to the SQL Server Security\\Logins node and mapped each group to the Sales database.
使用SQL Server Management Studio,我将域组MyDomain_Sales_USA和MyDomain_Sales_GER添加到SQL Server Security \\ Logins节点,并将每个组映射到Sales数据库。 I created two database roles in the
Salesdatabase,SalesRole_USAandSalesRole_GER.我在Sales数据库中创建了两个数据库角色SalesRole_USA和SalesRole_GER。 Using the database role properties dialog I added theMyDomain_Sales_USAas a member to theSalesRole_USArole and theMyDomain_Sales_GERto theSalesRole_GERrole使用数据库角色属性对话框,将MyDomain_Sales_USA作为成员添加到SalesRole_USA角色中,并将MyDomain_Sales_GER到SalesRole_GER角色中I created a view in products database with the following select statement
我使用以下选择语句在产品数据库中创建了一个视图 SELECT * FROM Products WHERE Country = GetCurrentUserCountry()
Here's my question: 这是我的问题:
How can I in the GetCurrentUserCountry() function to determine to which database role the connected user belongs? 如何在GetCurrentUserCountry()函数中确定连接的用户属于哪个数据库角色?
In other words: if Donald executes the select statement above then the function must return 'USA', if Fritz executes the statement then the function must return 'GER' 换句话说:如果唐纳德执行上述select语句,则该函数必须返回“美国”,如果弗里茨执行该语句,则该函数必须返回“ GER”
My expectation is the following: 我的期望如下:
SQL Server grants access to Donald and Fritz because their domain groups are registered and mapped to the
SalesdatabaseSQL Server授予对Donald和Fritz的访问权限,因为它们的域组已注册并映射到Sales数据库So it must be possible to retrieve the database roles for the connected user
因此,必须有可能为连接的用户检索数据库角色
1 个解决方案
解决方案1
0 已采纳 2016-10-28 11:50:20
在GetCurrentUserCountry()函数中,我使用了系统函数IS_MEMBER('MyDomain_Sales_USA')和IS_MEMBER('MyDomain_Sales_GER'),这很好,但有一个小缺点,因为每次创建新的国家/地区组时都必须更新该函数。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.