如何给开发者授予权限,给用户授予权限?
有没有一种方法可以让开发人员授予用户对对象的权限,而不给他们创建用户或函数的选项?
我正在尝试限制开发人员权限,最近发现开发人员在开发和生产环境中拥有 db_owner
权限! 所以我正在尽力阻止这种疯狂行为。
关于这个问题有什么好的文章吗?
Is there a way I can give developers permission to grant a user permissions over objects without giving them the option to create users or functions?
I'm trying to limit developers permissions, I recently found out that developers had db_owner
permissions in dev and prod environments! So I'm doing my best to stop this madness.
Any good article about this matter?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(7)
您可以使它们成为“db_securityadmin”数据库角色的成员
You can make them members of the "db_securityadmin" database role
如前所述,如果有人可以分发权限,他们就可以向自己(或虚拟帐户)分发权限。 我不确定SQL Server中是否有一个技巧来提供“给予用户权限少于我”。
我的方法是使用存储过程。
创建一个存储过程,为指定用户授予特定权限或一组权限(这些权限是允许普通用户拥有的权限)。 然后授予开发人员对此存储过程的执行访问权限。 实际上,您使用存储过程来创建 GRANT 的有限版本,同时保留完整的 GRANT 命令。
As said, if someone could hand out permissions, they could hand out permissions to themselves (or a dummy account). I'm not sure if there is a trick in SQL Server to provide "give user permissions less then me".
The way I would do it is with stored procedures.
Create a stored procedure that gives a specified user a specific right or set of rights (those rights are the ones that regular users are allowed to have). Then give the developers execute access to this stored procedure. In effect you use stored procedures to create a limited version of GRANT, while keeping the full GRANT command to yourself.
如果某人可以授予别人权限,他也可以授予自己做他想做的事情的权限。 那么这有什么用呢? 可能我不明白你的处境。
If someone can give someone else permissions, he can also give himself the permission to do what he wants. So what is this good for? Probably I don't understand your situation.
对象的所有者可以授予这些对象的权限。 如果您的开发人员不需要授予诸如 CREATE TABLE 权限之类的权限,您也许可以向他们授予您希望他们授予权限的对象的所有权。
Owners of objects can grant permissions on those objects. Provided your developers don't need to grant things like CREATE TABLE rights, you might be able to give them ownership of the objects that you want them to grant permission on.
正如斯特凡所说,给予他们授予权限将有效地授予他们所有权限,因为如果他们想做某事,他们所要做的就是授予自己执行该操作的权限。
不过,您可能需要考虑为开发人员提供第二个用于管理数据库的用户帐户,而不是将开发人员视为敌人。 不向开发人员授予任何生产权限是很常见的,至少在他们的开发帐户上是这样。
As Stefan said, giving them grant permissions would effectively give them all permissions, since if they want to do something all they have to do is grant themselves the permissions to do it.
Rather than considering the developers the enemy, though, you may want to consider giving the developers a second user account that's used to administer the database. It's pretty common not to give developers ANY permissions to production, at least on their development account.
对存储过程等对象的权限设置可以通过“GRANT EXECUTE ON . to ”来完成;
但是,您可能还希望在登录级别和用户级别授予安全权限。您将希望确定并仅授予对象所需的权限考虑使用“EXECUTE AS”功能,该功能可以模拟另一个用户来验证执行代码所需的权限,而无需向所有底层对象授予所有必要的权限( EXECUTE AS 可以添加到存储过程、函数、触发器等中。
在存储过程中添加如下代码: CREATE PROCEDURE dbo.MyProcedure WITH EXECUTE AS OWNER
在这种情况下,您将模拟 的所有者。您还可以模拟 SELF,或者创建或更改模块的用户,或者...模拟 CALLER ,这将使模块能够获取当前用户的权限,或者...模拟 OWNER,这将采取根据被调用过程所有者的许可或...模拟“user_name”,这将模拟特定用户或...模拟“login_name”将模拟特定登录。
大多数时候,您只需要向存储过程授予 EXECUTE 权限,然后向存储过程中引用的所有对象授予权限。
这样,您不需要授予隐式权限(例如:更新数据或调用其他过程)。 所有权链可以为您处理这个问题。 这对于动态 SQL 或需要创建提升安全性的任务(例如 CREATE TABLE)特别有用。 EXECUTE AS 是解决这些问题的一个方便的工具。
这个例子可能有助于澄清所有这些:
创建一个名为 NoPrivUser 的用户,可以公开访问数据库(例如 dbadb)
USE [master] GO CREATE LOGIN [NoPrivUser] WITH PASSWORD=N'ABC5%', DEFAULT_DATABASE=[dbadb], CHECK_EXPIRATION =ON, CHECK_POLICY=ON GO USE [DBAdb] GO CREATE USER [NoPrivUser] FOR LOGIN [NoPrivUser] GO
注意:此过程的创建者或所有者将需要在目标数据库中创建表的权限。
使用 DBAdb go CREATE PROCEDURE dbo.MyProcedure WITH EXECUTE AS OWNER AS IF NOT EXISTS (SELECT * FROM sys.objects WHERE object_id = OBJECT_ID(N'[dbo].MyTable') AND type in (N'U')) CREATE TABLE MyTable (PKid int, column1 char(10)) INSERT INTO MyTable VALUES (1,'ABCDEF')
GO
GRANT EXEC ON dbo.MyProcedure TO NoPrivUser; 开始
——现在以 NoPrivUser 身份登录到数据库服务器并运行以下命令。
use dbadb go
EXEC dbo.MyProcedure
(1 行受影响)
现在尝试在以 NoPrivuser 身份登录时从新表中进行选择。
您将得到以下信息:
select * from MyTable go
Msg 229, Level 14, State 5, Line 1 对对象“MyTable”、数据库“DBAdb”、模式“dbo”的 SELECT 权限被拒绝。
这是预期的,因为您仅在以 NoPrivUser 身份登录时在 Owner 的安全上下文下运行该过程。
NoPrivUser 因为没有实际读取该表的权限。 只是执行创建和插入行的过程。
使用 EXECUTE AS 子句,存储过程在对象所有者的上下文中运行。 此代码成功创建 dbo.MyTable 并成功插入行。 在此示例中,用户“NoPrivUser”绝对没有被授予修改该表、或者读取或修改该表中的任何数据的权限。
它仅具有完成此过程上下文中编码的特定任务所需的权限。
这种创建存储过程的方法非常有用,这些存储过程可以执行需要提升安全权限的任务,而无需永久分配这些权限。
Setting permission on objects like stored procedures can be accomplished with "GRANT EXECUTE ON . to ;
However, you may also want to grant security rights at both the login and user level. You will want to determine and grant ONLY the necessary rights for the objects that require access (such as execution). Consider use of the "EXECUTE AS" capability which enables impersonation of another user to validate permissions that are required to execute the code WITHOUT having to grant all of the necessary rights to all of the underlying objects (e.g. tables). The EXECUTE AS can be added to stored procs, functions, triggers, etc.
Add to the code as follows right within the Stored Procedure: CREATE PROCEDURE dbo.MyProcedure WITH EXECUTE AS OWNER
In this case you are impersonating the owner of the module being called. You can also impersonate SELF, OR the user creating or altering the module OR... imperonate CALLER , which will enable to module to take on the permissionsof the current user, OR... impersonate OWNER, which will take on the permission of the owner of the procedure being called OR... impersonate 'user_name', which will impersonate a specific user OR... impersonate 'login_name' with will impersonate a specific login.
MOST of the time, you will only need to grant EXECUTE rights to stored procs and then rights are granted to all objects referenced within the stored proc.
In this way, you DO NO need to give implicit rights (example: to update data or call additional procs). Ownership chaining handles this for you. This is especially helpful for dynamic sql or if you need to create elevated security tasks such as CREATE TABLE. EXECUTE AS is a handy tool to consider for these.
This example may help clarify all of this:
Create a user called NoPrivUser with public access to a database (e.g. dbadb)
USE [master] GO CREATE LOGIN [NoPrivUser] WITH PASSWORD=N'ABC5%', DEFAULT_DATABASE=[dbadb], CHECK_EXPIRATION=ON, CHECK_POLICY=ON GO USE [DBAdb] GO CREATE USER [NoPrivUser] FOR LOGIN [NoPrivUser] GO
NOTE: CREATOR OR OWNER OF THIS PROCEDURE WILL REQUIRE CREATE TABLE RIGHTS within the target database.
use DBAdb go CREATE PROCEDURE dbo.MyProcedure WITH EXECUTE AS OWNER AS IF NOT EXISTS (SELECT * FROM sys.objects WHERE object_id = OBJECT_ID(N'[dbo].MyTable') AND type in (N'U')) CREATE TABLE MyTable (PKid int, column1 char(10)) INSERT INTO MyTable VALUES (1,'ABCDEF')
GO
GRANT EXEC ON dbo.MyProcedure TO NoPrivUser; GO
-- Now log into your database server as NoPrivUser and run the following.
use dbadb go
EXEC dbo.MyProcedure
(1 row(s) affected)
Now try to select from the new table while logged on as NoPrivuser.
You will get the following:
select * from MyTable go
Msg 229, Level 14, State 5, Line 1 The SELECT permission was denied on the object 'MyTable', database 'DBAdb', schema 'dbo'.
That is expected since you only ran the procedure under the security context of Owner while logged on as NoPrivUser.
NoPrivUser as no rights to actually read the table. Just to execute the procedure which creates and inserts the rows.
With the EXECUTE AS clause the stored procedure is run under the context of the object owner. This code successfully creates dbo.MyTable and rows are inserted successfully. In this example, the user "NoPrivUser" has absolutey no granted rights to modify the table, or read or modify any of the data in this table.
It only takes on the rights needed to complete this specific task coded WITHIN the context of this procedure.
This method of creating stored procedures that can perform tasks that require elevated security rights without permanently assigning those rights come be very useful.
我发现 db_owner 角色最危险的方面是,如果您对权限发出拒绝,那么该角色的成员可以将其授予给自己。 我刚刚开始阅读此内容,并且正在对此进行测试。
到目前为止,我发现主题
TestUser
具有权限,但无法添加或删除固定数据库角色的成员。 您应该能够拒绝此时所需的任何内容,例如备份证书、备份主密钥等。这里是可以拒绝或授予的权限列表:
I've found that the most dangerous aspect of the db_owner role is that if you issue a deny on a permissions, then the members of the role can grant it back to themselves. I've just started reading about this and I'm testing this
So far, I've found that the subject
TestUser
has permissions without being able to add or remove members of the fixed database roles. You should be able to deny whatever you need at this point like backup certificate, backup master key, etc.Here is a list of permissions that can be denied or granted: