Grant role to exec stored procedures

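I have a proxy user that I am trying to add to a role that can execute all stored procedures. Using other Stack Overflow posts, I have been able to put this script together: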

USE abc

Create ROLE db_exec
go

GRANT EXECUTE TO db_exec
go

EXEC sp_addrolemember 'db_exec', 'abc_user'
go

When I try to run my stored procedure, I still get this error, per my error handling.

The EXECUTE permission was denied on the object 'sp_OACreate', database 'mssqlsystemresource', schema 'sys'.

What do I need to do to let abc_user execute sp_OACreate?

Besides the sysadmin role, you also need to grant execute permission in the master database, where these procedures actually reside:

use master
go

grant exec on sp_OACreate to abc_user
GO

After you run that, you can verify that you have permission to execute the procedure with the following:

SELECT * 
FROM master.sys.database_permissions [dp] 
JOIN master.sys.system_objects [so] ON dp.major_id = so.object_id
JOIN master.sys.sysusers [usr] ON 
     usr.uid = dp.grantee_principal_id AND usr.name = 'abc_user'
WHERE permission_name = 'EXECUTE' AND so.name = 'sp_OACreate'

The answer given works; however, we generally try not to grant sysadmin to any user. In this case, I found that you don't actually need the sysadmin role to run sp_OACreate.

I ran the following:

use master
grant exec on sp_OACreate to yourSecObject
grant exec on sp_OADestroy to yourSecObject  --Optional
grant exec on sp_OAMethod to yourSecObject

For my purposes, I needed a cleanup step, so the user needed both create and destroy.

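I hope this helps anyone who wants to run these procedures but doesn't want the user to have full database access to every other database on the server.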

-Scott

If you get the following errors:

The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.
The EXECUTE permission was denied on the object 'sp_OACreate', database 'mssqlsystemresource', schema 'sys'.
The EXECUTE permission was denied on the object 'sp_OAMethod', database 'mssqlsystemresource', schema 'sys'.
The EXECUTE permission was denied on the object 'sp_OAMethod', database 'mssqlsystemresource', schema 'sys'.
The EXECUTE permission was denied on the object 'sp_OAMethod', database 'mssqlsystemresource', schema 'sys'.
The EXECUTE permission was denied on the object 'sp_OAGetProperty', database 'mssqlsystemresource', schema 'sys'.
The EXECUTE permission was denied on the object 'sp_OAGetProperty', database 'mssqlsystemresource', schema 'sys'.
The EXECUTE permission was denied on the object 'sp_OADestroy', database 'mssqlsystemresource', schema 'sys'.

Enable the xp_cmdshell procedure

This may already have been done at this point; for reference only:

EXEC sp_configure 'show advanced options', 1
GO
RECONFIGURE
GO
EXEC sp_configure 'xp_cmdshell', 1
GO
EXEC sp_configure 'show advanced options', 0
GO
RECONFIGURE
GO

Allow the user to execute the stored procedures

use [master]
GO

GRANT EXECUTE ON [sys].[xp_cmdshell] TO [DOMAIN\username];
GRANT EXECUTE ON [sys].[sp_OACreate] TO [DOMAIN\username];
GRANT EXECUTE ON [sys].[sp_OADestroy] TO [DOMAIN\username];
GRANT EXECUTE ON [sys].[sp_OAGetErrorInfo] TO [DOMAIN\username];
GRANT EXECUTE ON [sys].[sp_OAGetProperty] TO [DOMAIN\username];
GRANT EXECUTE ON [sys].[sp_OAMethod] TO [DOMAIN\username];
GRANT EXECUTE ON [sys].[sp_OAStop] TO [DOMAIN\username];
GRANT EXECUTE ON [sys].[sp_OASetProperty] TO [DOMAIN\username];
GO

Check that the execute permissions are set

SELECT * 
FROM master.sys.database_permissions [dp] 
JOIN master.sys.system_objects [so] ON dp.major_id = so.object_id
JOIN master.sys.sysusers [usr] ON usr.uid = dp.grantee_principal_id AND usr.name = 'DOMAIN\username'
WHERE permission_name = 'EXECUTE' 
AND (so.name = 'xp_cmdshell'
  OR so.name = 'sp_OACreate'
  OR so.name = 'sp_OADestroy'
  OR so.name = 'sp_OAGetErrorInfo'
  OR so.name = 'sp_OAGetProperty'
  OR so.name = 'sp_OAMethod'
  OR so.name = 'sp_OAStop'
  OR so.name = 'sp_OASetProperty')

The procs are located under master > Programmability > Extended Stored Procedures > System Extended Stored Procedures, if that helps.
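
Added example, not part of any answer above and not the posters' code: an audit of master that generalizes the verification queries from one named user to every principal. It lists whether the server-level features are enabled, every explicit GRANT or DENY of EXECUTE on the procedures named on this page, and the users who inherit such a grant through a role. It assumes the caller is allowed to view permission metadata in master.

```sql
-- Added audit example; procedure names are the ones listed on this page.
USE master;
GO

-- 1. Are the server-level features behind these procedures enabled?
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN (N'Ole Automation Procedures', N'xp_cmdshell');

-- 2. Every explicit GRANT or DENY of EXECUTE on the procedures, for all
--    principals (users and roles, including public), with who issued it.
SELECT ge.name       AS grantee,
       ge.type_desc  AS grantee_type,
       so.name       AS procedure_name,
       dp.state_desc AS permission_state,
       gr.name       AS grantor
FROM sys.database_permissions AS dp
JOIN sys.system_objects       AS so ON so.object_id = dp.major_id
JOIN sys.database_principals  AS ge ON ge.principal_id = dp.grantee_principal_id
JOIN sys.database_principals  AS gr ON gr.principal_id = dp.grantor_principal_id
WHERE dp.class = 1                      -- object-level permission
  AND dp.permission_name = N'EXECUTE'
  AND so.name IN (N'xp_cmdshell', N'sp_OACreate', N'sp_OADestroy',
                  N'sp_OAGetErrorInfo', N'sp_OAGetProperty', N'sp_OAMethod',
                  N'sp_OAStop', N'sp_OASetProperty')
ORDER BY so.name, ge.name;

-- 3. Users who inherit such a grant through role membership in master.
--    (Membership in public is implicit and is not listed here.)
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals   AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = drm.member_principal_id
WHERE r.principal_id IN (
        SELECT dp.grantee_principal_id
        FROM sys.database_permissions AS dp
        JOIN sys.system_objects AS so ON so.object_id = dp.major_id
        WHERE dp.class = 1
          AND dp.permission_name = N'EXECUTE'
          AND dp.state_desc LIKE N'GRANT%'   -- GRANT and GRANT_WITH_GRANT_OPTION
          AND (so.name = N'xp_cmdshell' OR so.name LIKE N'sp[_]OA%'))
ORDER BY r.name, m.name;
```

A grant that turns up here and is no longer needed can be withdrawn with REVOKE EXECUTE ON [sys].[sp_OACreate] FROM [placeholder_principal], where placeholder_principal stands for the grantee the audit reported.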