Ssrs 2019中,TaskMask和RoleFlags如何解读?

In Ssrs 2019, how are TaskMask and RoleFlags to be interpreted?

如果您在 Ssrs 数据库目录中执行 SELECT * FROM Roles WHERE 1=1;,您会看到如下内容:

如何解释“TaskMask”和“RoleFlags”中的值?我在网上找到了部分信息,但没有一条来自 Microsoft。

网上很难找到相关资料,所以我反编译了 ReportingServicesLibrary.dll(我用的是“dnSpy”),一路搜索,直到找到我要找的东西:Microsoft.ReportingServices.Library.AuthzData 类。

我在 Ssrs 数据库目录中发现了以下关于 Roles 表的信息:

  1. 存储在 Roles.RoleFlags 中的值实际上只是 SecurityScope 枚举的基础值。它们指示使用哪个枚举来解释 TaskMask.
  2. 存储在 Roles.TaskMask 中的值对应于 CatalogItemTaskEnum、CatalogTaskEnum 或 ModelItemTaskEnum 枚举的成员(具体使用哪一个由 RoleFlags 决定)。“1”表示该成员/设置为“开”,“0”表示“关”。从左到右读取字符串,每个位置(从 0 开始)对应于枚举成员的基础值。如果字符串右端缺少某个位置,则视为该设置为“关”。

警告

如果您打算使用 Sql 更改角色的 TaskMask,请不要直接更新该列,而应使用 SetRolePropertiesAndInvalidatePolicies 存储过程。该存储过程会把所有链接到该角色的现有策略的 SecData.NtSecDescState 列设置为 1(即把数据标记为“脏”)。下一次 Ssrs ReportServer 服务检查策略更新时,它会为表中所有“脏”记录更新存储在 SecData.NtSecDescPrimary 列中的序列化 (AceCollection) 数据,供您的授权扩展使用。(SecData 中的数据就是授权扩展在检查权限/访问时拿到的内容。)因此,如果直接更新 TaskMask,现有策略不会被标记为“脏”,授权扩展看到的仍可能是旧的权限数据,与 Roles 表中显示的内容不一致。

例如

以内置的“文件夹查看者”角色为例。由于 RoleFlags 为“0”,它对应于 SecurityScope.CatalogItem,这意味着 TaskMask 要用 CatalogItemTaskEnum 来解释。接下来,由于 TaskMask 是“000000100000000000”,该角色具有 ViewFolders“任务”权限:“1”位于 TaskMask 字符串的位置/索引 6(从 0 开始),而 CatalogItemTaskEnum.ViewFolders 的基础值正是 6。

代码定义

// Scope of a role. Per the write-up on this page, Roles.RoleFlags stores the
// underlying integer value of this enum, and that value decides which task
// enum is used to read the role's TaskMask string.
// The numeric values are written out explicitly; they are the same values the
// compiler assigns to the implicit form (0, 1, 2 in declaration order).
internal enum SecurityScope
{
    // RoleFlags = 0: TaskMask is read with CatalogItemTaskEnum.
    CatalogItem = 0,

    // RoleFlags = 1: TaskMask is read with CatalogTaskEnum.
    Catalog = 1,

    // RoleFlags = 2: TaskMask is read with ModelItemTaskEnum.
    ModelItem = 2
}

// Tasks that apply when a role's scope is SecurityScope.CatalogItem
// (RoleFlags = 0). Per the write-up on this page, each member's underlying
// value is the zero-based character position in Roles.TaskMask that switches
// the task on ('1') or off ('0').
// Values are spelled out explicitly so the position can be read directly;
// they equal what the compiler assigns when members follow "= 0" implicitly.
internal enum CatalogItemTaskEnum
{
    // 0x0FFFFFFF == 268435455. Far outside the range of mask positions; how
    // the library uses this member is not shown in this listing.
    Invalid = 0x0FFFFFFF,

    ConfigureAccess = 0,
    CreateLinkedReports = 1,
    ViewReports = 2,
    ManageReports = 3,
    ViewResources = 4,
    ManageResources = 5,
    ViewFolders = 6,
    ManageFolders = 7,
    ManageSnapshots = 8,
    Subscribe = 9,
    ManageAnySubscription = 10,
    ViewDataSources = 11,
    ManageDataSources = 12,
    ViewModels = 13,
    ManageModels = 14,
    ConsumeReports = 15,
    Comment = 16,
    ManageComments = 17
}

// Tasks that apply when a role's scope is SecurityScope.Catalog
// (RoleFlags = 1). Per the write-up on this page, each member's underlying
// value is the zero-based character position in Roles.TaskMask for that task.
// Several of these tasks (ManageRoles, ManageSystemSecurity) govern the
// security configuration itself, so roles with those positions set deserve
// particular attention when auditing.
internal enum CatalogTaskEnum
{
    // 0x0FFFFFFF == 268435455. Far outside the range of mask positions; how
    // the library uses this member is not shown in this listing.
    Invalid = 0x0FFFFFFF,

    ManageRoles = 0,
    ManageSystemSecurity = 1,
    ViewSystemProperties = 2,
    ManageSystemProperties = 3,
    ViewSharedSchedules = 4,
    ManageSharedSchedules = 5,
    GenerateEvents = 6,
    ManageJobs = 7,
    ExecuteReportDefinitions = 8
}

// Tasks that apply when a role's scope is SecurityScope.ModelItem
// (RoleFlags = 2). Only one task is defined, so only position 0 of
// Roles.TaskMask is meaningful for this scope.
internal enum ModelItemTaskEnum
{
    // 0x0FFFFFFF == 268435455. Far outside the range of mask positions; how
    // the library uses this member is not shown in this listing.
    Invalid = 0x0FFFFFFF,

    ViewModelItems = 0
}

这些年来他们陆续增加了枚举成员。例如,CatalogItemTaskEnum.Comment 在 Ssrs 2012 中不存在。因此,在其他版本上解读 TaskMask 时,应先核对该版本中的枚举定义。

根据 @Granger 的回答,下面的 SQL 代码把每个权限单独拆分成一列(只读查询,不会修改任何权限)。

-- Expands each role's TaskMask string into one BIT column per task.
-- RoleFlags selects which task enum the mask positions refer to:
--   0 = CatalogItemTaskEnum, 1 = CatalogTaskEnum, 2 = ModelItemTaskEnum.
-- SUBSTRING is 1-based, so zero-based mask position n is read at n + 1.
-- A position past the end of the mask yields '' and is reported as 0 ("off");
-- a column belonging to a different scope than the role's is always 0.
-- Read-only: this reports what dbo.Roles stores and changes nothing.
-- NOTE(review): the position-to-task mapping follows the SSRS 2019 enum
-- definitions; members were added over time, so confirm the mapping against
-- the version being audited. Mask positions beyond those listed here are not
-- reported by this query.
SELECT
    r.*,
    -- Item-level tasks (RoleFlags = 0)
    CAST(CASE WHEN r.RoleFlags = 0 AND SUBSTRING(r.TaskMask, 1, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ConfigureAccess,
    CAST(CASE WHEN r.RoleFlags = 0 AND SUBSTRING(r.TaskMask, 2, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS CreateLinkedReports,
    CAST(CASE WHEN r.RoleFlags = 0 AND SUBSTRING(r.TaskMask, 3, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ViewReports,
    CAST(CASE WHEN r.RoleFlags = 0 AND SUBSTRING(r.TaskMask, 4, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ManageReports,
    CAST(CASE WHEN r.RoleFlags = 0 AND SUBSTRING(r.TaskMask, 5, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ViewResources,
    CAST(CASE WHEN r.RoleFlags = 0 AND SUBSTRING(r.TaskMask, 6, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ManageResources,
    CAST(CASE WHEN r.RoleFlags = 0 AND SUBSTRING(r.TaskMask, 7, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ViewFolders,
    CAST(CASE WHEN r.RoleFlags = 0 AND SUBSTRING(r.TaskMask, 8, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ManageFolders,
    CAST(CASE WHEN r.RoleFlags = 0 AND SUBSTRING(r.TaskMask, 9, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ManageSnapshots,
    CAST(CASE WHEN r.RoleFlags = 0 AND SUBSTRING(r.TaskMask, 10, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS Subscribe,
    CAST(CASE WHEN r.RoleFlags = 0 AND SUBSTRING(r.TaskMask, 11, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ManageAnySubscription,
    CAST(CASE WHEN r.RoleFlags = 0 AND SUBSTRING(r.TaskMask, 12, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ViewDataSources,
    CAST(CASE WHEN r.RoleFlags = 0 AND SUBSTRING(r.TaskMask, 13, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ManageDataSources,
    CAST(CASE WHEN r.RoleFlags = 0 AND SUBSTRING(r.TaskMask, 14, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ViewModels,
    CAST(CASE WHEN r.RoleFlags = 0 AND SUBSTRING(r.TaskMask, 15, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ManageModels,
    CAST(CASE WHEN r.RoleFlags = 0 AND SUBSTRING(r.TaskMask, 16, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ConsumeReports,
    CAST(CASE WHEN r.RoleFlags = 0 AND SUBSTRING(r.TaskMask, 17, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS Comment,
    CAST(CASE WHEN r.RoleFlags = 0 AND SUBSTRING(r.TaskMask, 18, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ManageComments,
    -- System-level tasks (RoleFlags = 1)
    CAST(CASE WHEN r.RoleFlags = 1 AND SUBSTRING(r.TaskMask, 1, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ManageRoles,
    CAST(CASE WHEN r.RoleFlags = 1 AND SUBSTRING(r.TaskMask, 2, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ManageSystemSecurity,
    CAST(CASE WHEN r.RoleFlags = 1 AND SUBSTRING(r.TaskMask, 3, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ViewSystemProperties,
    CAST(CASE WHEN r.RoleFlags = 1 AND SUBSTRING(r.TaskMask, 4, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ManageSystemProperties,
    CAST(CASE WHEN r.RoleFlags = 1 AND SUBSTRING(r.TaskMask, 5, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ViewSharedSchedules,
    CAST(CASE WHEN r.RoleFlags = 1 AND SUBSTRING(r.TaskMask, 6, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ManageSharedSchedules,
    CAST(CASE WHEN r.RoleFlags = 1 AND SUBSTRING(r.TaskMask, 7, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS GenerateEvents,
    CAST(CASE WHEN r.RoleFlags = 1 AND SUBSTRING(r.TaskMask, 8, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ManageJobs,
    CAST(CASE WHEN r.RoleFlags = 1 AND SUBSTRING(r.TaskMask, 9, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ExecuteReportDefinitions,
    -- Model-item tasks (RoleFlags = 2)
    CAST(CASE WHEN r.RoleFlags = 2 AND SUBSTRING(r.TaskMask, 1, 1) = '1' THEN 1 ELSE 0 END AS BIT) AS ViewModelItems
FROM dbo.Roles r