SQL Server 2008 授予 information_schema.columns 权限

发布于 2024-09-12 16:06:49 字数 606 浏览 12 评论 0原文

我有一系列从数据库中选择数据的存储过程。我有一个角色(cctc_reader),它具有对过程授予的执行权限。其中一个过程调用另一个名为 recControl_system_option 的存储过程,后者依次查询 Information_schema.columns

问题在于,在此过程中,查询

select column_name from information_schema.columns where table_name = 'recControl_manager'

不会返回任何记录。 cctc_reader 具有以下权限:

  • 每个选择过程
  • recControl_system_option

因此理论上这应该可行。我在 dbo 下运行时没有任何问题。

如果我将 db_datareader 授予 cctc_reader 查询就可以,但我不想授予所有表的读者权限(因此我使用存储过程)。我已经尝试按照一些文章中的建议授予主数据库中 Information_schema 的 Select 权限,但仍然无法正常工作。

有什么建议吗?

I have a series of stored procedures that select data from a db. I have a role (cctc_reader) that has execute permissions granted on the procedures. One of the procedure calls another stored procedure called recControl_system_option which in turn queries Information_schema.columns.

The problem is that in this proc the query

select column_name from information_schema.columns where table_name = 'recControl_manager'

does not return any records. cctc_reader has grant permissions on:

  • each select proc
  • recControl_system_option

so in theory this should work. I have no problems when run under dbo.

If I grant db_datareader to cctc_reader the query is fine, but I don't want to grant reader permissions to all tables (hence why I used stored procs). I've tried granting Select permissions on Information_schema in the Master db as suggested in some articles, but still can't get this to work.

Any suggestions?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

忆依然 2024-09-19 16:06:49

对象元数据可见性受 查看定义 权限的约束:

GRANT VIEW DEFINITION ON ... TO cctc_reader;

查看定义权限允许
用户查看安全的元数据
授予许可的内容。
但是,VIEW DEFINITION 权限
不授予访问权限
本身是安全的。例如,一个用户
仅授予查看定义
表的权限可以查看元数据
与表中的相关
sys.objects 目录视图。然而,
无需额外权限,例如
SELECT 或 CONTROL,用户不能
从表中读取数据。

授予权限的正确安全取决于您的场景。它可以是 dbo 或其他一些模式,可以是数据库本身,也可以是单独的表。如果我处于你的位置,我会对recControl_system_option过程进行代码签名,并且我会在服务器级别的签名上授予“查看任何定义”的权限,这是使用角色和授予角色权限的更好、更安全的方式。有关如何签名的示例,请参阅签署激活的程序过程并授予对签名的服务器级别权限。

Objects metadata visibility is subject to the VIEW DEFINITION permission:

GRANT VIEW DEFINITION ON ... TO cctc_reader;

The VIEW DEFINITION permission lets a
user see the metadata of the securable
on which the permission is granted.
However, VIEW DEFINITION permission
does not confer access to the
securable itself. For example, a user
that is granted only VIEW DEFINITION
permission on a table can see metadata
related to the table in the
sys.objects catalog view. However,
without additional permissions such as
SELECT or CONTROL, the user cannot
read data from the table.

The right securable to grant permission to depends on your scenario. It could be the dbo or some other schema, it could be the database itself, it could be individual tables. If I was in your place, I'd code sign the recControl_system_option procedure and I'd grant VIEW ANY DEFINITION on the signature at server level, a much better and secure way that using roles and granting permission on roles. See Signing an activated procedure for an example of how to sign a procedure and grant a server level permission on the signature.

暗藏城府 2024-09-19 16:06:49

正如 Remus 提到的,元数据可见性会影响查询系统表和视图时返回的数据。如果您对安全对象(对象、登录名等)没有权限,它将不可见。

根据您的情况,您可以允许内部调用 EXECUTE AS OWNER,或者将 Information_schema.columns 包装在 udf 中,作为 EXECUTE AS OWNER

我们在查询元数据时使用此技术。

As Remus mentioned, metadata visbility affects data returned when querying system tables and views. If you have no rights on a securable (object, login, whatever) it won't be visible.

Depending on your situation, you would allow the internal call to have EXECUTE AS OWNER, or wrap Information_schema.columns in a udf that as EXECUTE AS OWNER

We use this technique where we query metadata.

雄赳赳气昂昂 2024-09-19 16:06:49

在其他地方找到这个,创建一个在数据库中调用系统存储过程 sp_columns 的存储过程。您的存储过程可以使用与其他存储过程相同的权限执行。缺点是返回的集合有许多您可能不感兴趣的列。我敢说您可以改进存储过程。我选择在代码中进行字段选择。

CREATE PROCEDURE [dbo].[proc_tblMyTableSchemaGet] 

作为
开始

SET NOCOUNT ON;


exec sp_columns @table_name = 'myTable', @table_owner = 'dbo';

结束

Found this elsewhere, make a sproc that calls System sproc sp_columns in your database. Your sproc can execute with the same permissions as your other sprocs. Downside is that the returned set has many columns that you probably are not interested in. I daresay you could refine the sproc. I chose to do the field choice in code.

CREATE PROCEDURE [dbo].[proc_tblMyTableSchemaGet] 

AS
BEGIN

SET NOCOUNT ON;


exec sp_columns @table_name = 'myTable', @table_owner = 'dbo';

END

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文