我用sa身份建立了一个数据库TEST,在里面建立了Notice的表。另外建立了一个名为normal的登录名和相应的normal的用户。给normal用户分配了对TEST库的EXECUTE权限,但没有分配对Notice表的INSERT权限。问题是我建立了以下PROCEDURE:
CREATE PROCEDURE [dbo].[NewNotice]
-- Add the parameters for the stored procedure here
@noticeTitle nvarchar(100)='',
@noticeContext nvarchar(max) = '',
WITH EXECUTE AS CALLERAS
BEGIN
-- SET NOCOUNT ON added to prevent extra result sets from
-- interfering with SELECT statements.
SET NOCOUNT ON;
insert into Notice values(@noticeTitle,@noticeContext,@haveAnnex,@authorName,@department,@duration,GetDate(),@annexFileInfo,0)
END发现使用normal用户居然可以对表notice的INSERT操作,这是为何,请大家指教。谢谢
CREATE PROCEDURE [dbo].[NewNotice]
-- Add the parameters for the stored procedure here
@noticeTitle nvarchar(100)='',
@noticeContext nvarchar(max) = '',
WITH EXECUTE AS CALLERAS
BEGIN
-- SET NOCOUNT ON added to prevent extra result sets from
-- interfering with SELECT statements.
SET NOCOUNT ON;
insert into Notice values(@noticeTitle,@noticeContext,@haveAnnex,@authorName,@department,@duration,GetDate(),@annexFileInfo,0)
END发现使用normal用户居然可以对表notice的INSERT操作,这是为何,请大家指教。谢谢
--Create our users
create login User1 with password='^*ahfn2@^(K'
go
create login User2 with password='*HABa7s7aas'
go
create login User3 with password='zxd837&^gqF'
go
create database ExampleDB
go
use ExampleDB
go
--User 3 will own a table
create user User3 with default_schema=User3
go
create schema User3 authorization User3
go
--User 2 will have SELECT access and write a proc to access
create user User2 with default_schema=User2
go
create schema User2 authorization User2
go--User 1 will have the right to exec the proc
create user User1 with default_schema=User1
go
create schema User1 authorization User1
gogrant create table to User3
go
grant create proc to User2
go
execute as login='User3'
go
create table User3.CustomerInformation
(CustomerName nvarchar(50))
go
insert into CustomerInformation values ('Bryan''s Bowling Alley')
insert into CustomerInformation values ('Tammie''s Tavern')
insert into CustomerInformation values ('Frank''s Fresh Produce')
go
grant select on CustomerInformation to User2
go
revert
go
execute as login='User2'
--create a stored proc that will return the rows in our table
create proc ViewCustomerNames
AS
BEGIN
select * from User3.CustomerInformation
END
go
grant execute on ViewCustomerNames to User1
go
revert
goexecute as login='User1'
--Notice User1 cannot access table directly
select * from User3.CustomerInformation
--User1 can execute the procedure but does not have permissions on the underlying table
exec User2.ViewCustomerNames
go
revert
go
execute as login='User2'
go
ALTER PROCEDURE ViewCustomerNames
WITH EXECUTE AS OWNER
AS
BEGIN
select * from User3.CustomerInformation
END
go
revert
go
execute as login='User1'
--User1 still cannot access table directly
select * from User3.CustomerInformation
--User1 can execute a procedure that uses the CustomerInformation table
exec User2.ViewCustomerNames
go
revert
go
--
存储过程里的insert与表权限无关,只与表有关
不要让用户直接操作表的权限,可给其执行存储过程的权限,让存储过程执行表的插入,修改,删除操作.
以此作为保证数据库安全的一种手段.