具有 Azure Active Directory 身份验证的 Azure SQL - 在安全功能中用于行级安全
我们有一个使用 Azure AD 身份验证的 Azure SQL 数据库。这对于会员和来宾 AD 用户以及 AD 组都适用。
我们需要对某些表应用行级安全性,基于:
- 用户是否拥有数据库的所有权(或至少 CREATE USER 权限),或者
- 基于 AD 组
我们创建了一个表值函数,用于适当的安全策略。 问题:
- 我们如何确定用户是否拥有函数内数据库的所有权(必须使用模式绑定定义)? 使用 sys.fn_my_permissions 查找权限被拒绝,因为 sys 函数无法与架构绑定一起使用。
- 我们如何查询用户属于哪些 AD 组?
或者我们是否需要维护数据库内的关系表(伴随多个维护 - AD + 多个数据库)?
We have a Azure SQL database using Azure AD authentication. This all works fine for both Member and Guest AD users, and with AD Groups.
We need to apply row-level security to some tables, based on:
- whether the user has ownership (or at least CREATE USER permission) over the database, or
- based on the AD group
We have created a table-valued function for use in the appropriate security policy.
Problem:
- how can we establish whether the user has ownership over the database within the function (which has to be defined
with schemabinding)?
Looking up permissions usingsys.fn_my_permissionsis refused assysfunctions can't be usedwith schemabinding. - how can we query what AD groups the user is a member of?
Or do we need to maintain tables of the relationships within the database (with attendant multiple maintenance - AD + several databases)?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
系统函数
is_member('') 可用于验证当前用户是否是某个 AD 组的成员,只要该 AD 组已作为 AD 组添加到数据库中即可。主要的。此功能也适用于数据库角色。
因此,像这样的安全功能是有效的:
第一个
is_member测试允许访问所有行的数据库角色。第二个is_member测试用户是否位于同一 (AD) 组中。is_member() 返回:则为 NULL 组名称不区分大小写。
The system function
is_member('<AD Group>')can be used to verify whether the current user is a member of an AD group as long as that AD Group has been added to the database as a principal.This function also works for database roles.
So security function like this works:
The first
is_membertests for a database role that allows access to all rows. The secondis_membertests for the user being in the same (AD) Group.is_member(<AD Group>)returns:The Group name is NOT case sensitive.