SQL Server:在重新创建的 table 上拒绝 select
SQL Server : deny select on recreated table
在 SQL Server 2017 中,我有一个拥有 ddladmin 权限的用户定期删除并重新创建 table。我们需要在该 table 上拒绝 select。
只有当该 table 被删除时,这个拒绝才会丢失。我不想授予该用户 securityadmin。
如何确保每次重新创建此 table 时保留拒绝 select?
...调整
-- End any active EXECUTE AS impersonation so the trigger below is created in the caller's own context.
revert
go
-- drop trigger deny_select_on_frequentlydroppedtable on database
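create or alter trigger deny_select_on_frequentlydroppedtable
on database
-- DENY on the new table needs CONTROL on it (or ALTER on its schema); the creating
-- db_ddladmin member does not have that, so the trigger body runs as dbo.
with execute as 'dbo'
for CREATE_TABLE
as
begin
    set nocount on;

    -- Purpose: re-apply DENY SELECT to the db_ddladmin member who (re)creates the
    -- target table, so the DENY survives every drop/create cycle.
    -- NOTE(review): the fixed db_ddladmin role carries ALTER ANY DATABASE DDL TRIGGER,
    -- so such a member can disable or drop this trigger; treat it as a guard rail and
    -- audit DDL-trigger changes - confirm against the fixed-role permission list for
    -- the SQL Server version in use.

    -- Read the event XML once instead of calling EVENTDATA() for every field.
    declare @event xml = EVENTDATA();

    -- The table whose DENY must be re-applied; the only place the name is spelled out.
    declare @target_table sysname = N'frequentlydroppedtable';

    declare @schema_name sysname = @event.value('(EVENT_INSTANCE/SchemaName)[1]', 'sysname');
    declare @object_name sysname = @event.value('(EVENT_INSTANCE/ObjectName)[1]', 'sysname');
    declare @user        sysname = @event.value('(EVENT_INSTANCE/UserName)[1]', 'sysname');

    -- Act only for the target table, and only when the creator is a db_ddladmin member
    -- who is neither dbo nor in db_owner: a DENY aimed at the owner is not accepted
    -- (which would roll the CREATE TABLE back), and db_owner overrides DENY anyway.
    -- Every other CREATE TABLE passes through untouched.
    if @object_name = @target_table
        and @user <> 'dbo'
        and IS_ROLEMEMBER('db_owner', @user) = 0
        and IS_ROLEMEMBER('db_ddladmin', @user) = 1
    begin
        -- Identifiers cannot be bound as parameters, so quotename() is what keeps the
        -- schema, table and principal names from breaking out of the statement.
        declare @qualified_name nvarchar(300) = concat(quotename(@schema_name), N'.', quotename(@object_name));
        declare @sql nvarchar(500) = concat(N'deny select on ', @qualified_name, N' to ', quotename(@user), N';');
        exec sp_executesql @sql;
    end
end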
go
-- Step 1: in the current (owning) context, e.g. dbo, recreate the table.
-- The trigger skips dbo and db_owner creators, so no DENY is written here.
drop table if exists frequentlydroppedtable;
go
create table frequentlydroppedtable(id int);
go
-- Expected: succeeds - the owning context keeps SELECT.
select * from frequentlydroppedtable
go
-- Step 2: create a db_ddladmin-only test principal (no login needed; it is only impersonated).
create user test_db_ddladmin without login;
go
alter role db_ddladmin add member test_db_ddladmin;
go
-- Step 3: impersonate it and recreate the table; the CREATE TABLE fires the trigger,
-- which reads the creating user from the event data and issues DENY SELECT to it.
execute as user = 'test_db_ddladmin'
go
drop table if exists frequentlydroppedtable;
go
create table frequentlydroppedtable(id int);
go
-- Expected: fails with a permission error - the DENY was re-applied on recreate.
select * from frequentlydroppedtable
go
-- Back to the original security context.
revert
go
-- Cleanup: the table, the test user and the DDL trigger.
drop table if exists frequentlydroppedtable;
go
drop user test_db_ddladmin;
go
drop trigger deny_select_on_frequentlydroppedtable on database
go
在 SQL Server 2017 中,我有一个拥有 ddladmin 权限的用户定期删除并重新创建 table。我们需要在该 table 上拒绝 select。
只有当该 table 被删除时,这个拒绝才会丢失。我不想授予该用户 securityadmin。
如何确保每次重新创建此 table 时保留拒绝 select?
...调整
-- End any active EXECUTE AS impersonation so the trigger below is created in the caller's own context.
revert
go
-- drop trigger deny_select_on_frequentlydroppedtable on database
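create or alter trigger deny_select_on_frequentlydroppedtable
on database
-- DENY on the new table needs CONTROL on it (or ALTER on its schema); the creating
-- db_ddladmin member does not have that, so the trigger body runs as dbo.
with execute as 'dbo'
for CREATE_TABLE
as
begin
    set nocount on;

    -- Purpose: re-apply DENY SELECT to the db_ddladmin member who (re)creates the
    -- target table, so the DENY survives every drop/create cycle.
    -- NOTE(review): the fixed db_ddladmin role carries ALTER ANY DATABASE DDL TRIGGER,
    -- so such a member can disable or drop this trigger; treat it as a guard rail and
    -- audit DDL-trigger changes - confirm against the fixed-role permission list for
    -- the SQL Server version in use.

    -- Read the event XML once instead of calling EVENTDATA() for every field.
    declare @event xml = EVENTDATA();

    -- The table whose DENY must be re-applied; the only place the name is spelled out.
    declare @target_table sysname = N'frequentlydroppedtable';

    declare @schema_name sysname = @event.value('(EVENT_INSTANCE/SchemaName)[1]', 'sysname');
    declare @object_name sysname = @event.value('(EVENT_INSTANCE/ObjectName)[1]', 'sysname');
    declare @user        sysname = @event.value('(EVENT_INSTANCE/UserName)[1]', 'sysname');

    -- Act only for the target table, and only when the creator is a db_ddladmin member
    -- who is neither dbo nor in db_owner: a DENY aimed at the owner is not accepted
    -- (which would roll the CREATE TABLE back), and db_owner overrides DENY anyway.
    -- Every other CREATE TABLE passes through untouched.
    if @object_name = @target_table
        and @user <> 'dbo'
        and IS_ROLEMEMBER('db_owner', @user) = 0
        and IS_ROLEMEMBER('db_ddladmin', @user) = 1
    begin
        -- Identifiers cannot be bound as parameters, so quotename() is what keeps the
        -- schema, table and principal names from breaking out of the statement.
        declare @qualified_name nvarchar(300) = concat(quotename(@schema_name), N'.', quotename(@object_name));
        declare @sql nvarchar(500) = concat(N'deny select on ', @qualified_name, N' to ', quotename(@user), N';');
        exec sp_executesql @sql;
    end
end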
go
-- Step 1: in the current (owning) context, e.g. dbo, recreate the table.
-- The trigger skips dbo and db_owner creators, so no DENY is written here.
drop table if exists frequentlydroppedtable;
go
create table frequentlydroppedtable(id int);
go
-- Expected: succeeds - the owning context keeps SELECT.
select * from frequentlydroppedtable
go
-- Step 2: create a db_ddladmin-only test principal (no login needed; it is only impersonated).
create user test_db_ddladmin without login;
go
alter role db_ddladmin add member test_db_ddladmin;
go
-- Step 3: impersonate it and recreate the table; the CREATE TABLE fires the trigger,
-- which reads the creating user from the event data and issues DENY SELECT to it.
execute as user = 'test_db_ddladmin'
go
drop table if exists frequentlydroppedtable;
go
create table frequentlydroppedtable(id int);
go
-- Expected: fails with a permission error - the DENY was re-applied on recreate.
select * from frequentlydroppedtable
go
-- Back to the original security context.
revert
go
-- Cleanup: the table, the test user and the DDL trigger.
drop table if exists frequentlydroppedtable;
go
drop user test_db_ddladmin;
go
drop trigger deny_select_on_frequentlydroppedtable on database
go