权限管理一直都是没那么容易做好的一部分,权限要管理的精致就更难了,今天就碰到一个有意思的事情,写篇文章记录下吧。
环境介绍:
You administer a SQL Server 2012 server that contains a database named SalesDB. SalesDb contains a
schema named Customers that has a table named Regions. A user named UserA is a member of a role
named Sales.
UserA is granted the Select permission on the Regions table. The Sales role is granted the Select
permission on the Customers schema.
You need to ensure that the Sales role, including UserA, is disallowed to select from any of the tables in
the Customers schema.
Which Transact-SQL statement should you use?
A. REVOKE SELECT ON Schema::Customers FROM UserA
B. DENY SELECT ON Object::Regions FROM UserA
C. EXEC sp_addrolemember 'Sales', 'UserA'
D. DENY SELECT ON Object::Regions FROM Sales
E. REVOKE SELECT ON Object::Regions FROM UserA
F. DENY SELECT ON Schema::Customers FROM Sales
G. DENY SELECT ON Schema::Customers FROM UserA
H. EXEC sp_droprolemember 'Sales', 'UserA'
I. REVOKE SELECT ON Object::Regions FROM Sales
J. REVOKE SELECT ON Schema::Customers FROM Sales
给出的答案是选F,其实我觉得J也可以的呀,不知道为啥不选?看到的请帮忙解释下
F选项就是直接给”拒绝“就行了,J就是取消之前的设置,好吧这个告一段落,下面说另一个问题。
我发现一个用户:UserB 可以查看数据库: SalesDB里面所有的表,然后我查询了该用户的权限,截图如下:
除了UserB隶属于sales_1之外没有任何的权限,但是我打开sales_1并没有发现什么东西,感觉很奇怪,最终纠结了一下发现,其实sales_1已经有SalesDB的”Select“权限了,只是我们看不到,可以在下图的SalesDB属性-----权限里面看到,其实我疑惑的是为什么不在Sales_1属性里面的Securables显示出来?