Security4: Role and Permission


Grants permissions on a securable to a principal. The general concept is GRANT <some permission> ON <some object> TO <some user, login, or group>. In short: grant Permission on Securable to Principal.

Granting a permission involves three parts: the Permission, the Securable and the Principal. These three concepts fit in one sentence: grant a Principal the Permission to act on a Securable. The Principal is the entity that receives the permission; the Securable is the object (a table, view, and so on) that the Principal acts on. A Principal can itself also be a Securable, acted on by another Principal.

I. Role as Principal: the role is granted permissions

For the list of permissions, see Permissions (Database Engine). What it lists are individual permissions; a role is a collection of permissions.

1. CREATE ROLE and CREATE SERVER ROLE

The CREATE ROLE statement creates a new database role in the current database.

Syntax

CREATE ROLE role_name 
[ AUTHORIZATION owner_name ]

AUTHORIZATION owner_name

Is the database user or role that is to own the new role. If no user is specified, the role will be owned by the user that executes CREATE ROLE.

Remarks

Roles are database-level securables. After you create a role, configure the database-level permissions of the role by using GRANT, DENY, and REVOKE. To add members to a database role, use ALTER ROLE (Transact-SQL).

Database roles are visible in the sys.database_role_members and sys.database_principals catalog views.

2. GRANT permissions to a role

A role is a Principal, so the GRANT statement can be used to grant permissions to it. Here the role is granted permissions on an object; see GRANT Object Permissions (Transact-SQL).

GRANT <permission> [ ,...n ] ON 
    [ OBJECT :: ][ schema_name ]. object_name [ ( column [ ,...n ] ) ]
    TO <database_principal> [ ,...n ] 
    [ WITH GRANT OPTION ]
    [ AS <database_principal> ]

<permission> ::=
    ALL [ PRIVILEGES ] | permission [ ( column [ ,...n ] ) ]

<database_principal> ::= 
        Database_user 
    | Database_role 
    | Application_role 
    | Database_user_mapped_to_Windows_User 
    | Database_user_mapped_to_Windows_Group 
    | Database_user_mapped_to_certificate 
    | Database_user_mapped_to_asymmetric_key 
    | Database_user_with_no_login

Examples:

GRANT ALTER, DELETE, INSERT, SELECT, UPDATE   -- permission list
ON dbo.dt_test                                -- table name
TO database_level_role                        -- role name
WITH GRANT OPTION;

3. Add members

Adds members to a database role.

Syntax

ALTER ROLE role_name
{
      [ ADD MEMBER database_principal ]
    | [ DROP MEMBER database_principal ]
    | WITH NAME = new_name
}

ADD MEMBER database_principal

Adds the specified database principal to the database role. database_principal can be a user or a user-defined database role. database_principal cannot be a fixed database role, or a server principal.
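The three steps above as one script, followed by the catalog checks a reviewer would run to confirm what was actually granted. This is an added example, not code from the original post; the table dbo.dt_test, the role app_readers and the user app_user1 are assumed names.

```sql
-- Added example (not from the original post). Assumed names: dbo.dt_test,
-- app_readers, app_user1. Run inside a test database.
CREATE TABLE dbo.dt_test (id int PRIMARY KEY, note nvarchar(100));
CREATE USER app_user1 WITHOUT LOGIN;

-- Step 1: the role is a database-level securable; owner is dbo here.
CREATE ROLE app_readers AUTHORIZATION dbo;

-- Step 2: grant only what the role needs (SELECT, without GRANT OPTION)
-- instead of the broad ALTER/DELETE/INSERT/UPDATE list shown above.
GRANT SELECT ON OBJECT::dbo.dt_test TO app_readers;

-- Step 3: membership is managed with ALTER ROLE, not with GRANT.
ALTER ROLE app_readers ADD MEMBER app_user1;

-- Check 1: who is a member (sys.database_role_members joined to names).
SELECT r.name AS role_name, m.name AS member_name, m.type_desc
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'app_readers';

-- Check 2: which object permissions the role holds (sys.database_permissions).
SELECT p.permission_name, p.state_desc,
       OBJECT_SCHEMA_NAME(p.major_id) + '.' + OBJECT_NAME(p.major_id) AS securable
FROM sys.database_permissions p
JOIN sys.database_principals g ON g.principal_id = p.grantee_principal_id
WHERE g.name = 'app_readers' AND p.class_desc = 'OBJECT_OR_COLUMN';

-- Check 3: the effective permissions as the member itself sees them;
-- the member holds nothing directly, everything comes through the role.
EXECUTE AS USER = 'app_user1';
SELECT entity_name, subentity_name, permission_name
FROM fn_my_permissions('dbo.dt_test', 'OBJECT');
REVERT;
```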

 

II. Role as Securable: a principal is granted permissions to manage the role

A role can be a database Principal that is granted permissions; a role can also be a database Securable, and the GRANT statement can grant a Principal permissions to manage the role.

See GRANT Database Principal Permissions (Transact-SQL).

GRANT permission [ ,...n ]  
    ON 
    {  [ USER :: database_user ]
              | [ ROLE :: database_role ]
       | [ APPLICATION ROLE :: application_role ]
    }
    TO <database_principal> [ ,...n ]
    [ WITH GRANT OPTION ]
        [ AS <database_principal> ]

<database_principal> ::=
        Database_user 
    | Database_role 
    | Application_role 
    | Database_user_mapped_to_Windows_User 
    | Database_user_mapped_to_Windows_Group 
    | Database_user_mapped_to_certificate 
    | Database_user_mapped_to_asymmetric_key 
    | Database_user_with_no_login

 

Examples

1. Granting CONTROL permission on a user to another user

The following example grants CONTROL permission on user Wanida to user RolandX.

GRANT CONTROL 
ON USER::Wanida 
   TO RolandX;

2. Granting VIEW DEFINITION permission on a role to a user with GRANT OPTION

The following example grants VIEW DEFINITION permission on AdventureWorks2012 role SammamishParking together with GRANT OPTION to database user JinghaoLiu.

GRANT VIEW DEFINITION 
ON ROLE::SammamishParking 
    TO JinghaoLiu  
WITH GRANT OPTION;
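A role used as the securable, as an added example that is not part of the original post: ALTER on a role delegates membership management of that role, so such grants deserve the same audit as any other privilege. The role app_readers and the users helpdesk1 and newhire1 are assumed names.

```sql
-- Added example (not from the original post). Assumed names: app_readers,
-- helpdesk1, newhire1. Run inside a test database.
CREATE ROLE app_readers;
CREATE USER helpdesk1 WITHOUT LOGIN;
CREATE USER newhire1 WITHOUT LOGIN;

-- helpdesk1 may change the membership of app_readers and nothing more:
-- no CONTROL on the role, no GRANT OPTION, no permission on other roles.
GRANT ALTER ON ROLE::app_readers TO helpdesk1;

-- Show that the delegation is sufficient: add a member as helpdesk1.
EXECUTE AS USER = 'helpdesk1';
ALTER ROLE app_readers ADD MEMBER newhire1;
REVERT;

-- Audit: every permission granted ON a database principal (user, role or
-- application role), i.e. every case where a principal is the securable.
SELECT g.name AS grantee, p.permission_name, p.state_desc,
       s.type_desc AS securable_type, s.name AS securable_name
FROM sys.database_permissions p
JOIN sys.database_principals g ON g.principal_id = p.grantee_principal_id
JOIN sys.database_principals s ON s.principal_id = p.major_id
WHERE p.class_desc = 'DATABASE_PRINCIPAL'
ORDER BY s.name, g.name;
```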

 

III. Other

1. GRANT Database Permissions

Reference: https://msdn.microsoft.com/en-us/library/ms178569(v=sql.110).aspx

GRANT <permission> [ ,...n ]  
    TO <database_principal> [ ,...n ] [ WITH GRANT OPTION ]
    [ AS <database_principal> ]

<permission>::=   
permission | ALL [ PRIVILEGES ]

<database_principal> ::=  
        Database_user 
    | Database_role 
    | Application_role 
    | Database_user_mapped_to_Windows_User 
    | Database_user_mapped_to_Windows_Group 

Examples

1. Granting permission to create tables

The following example grants CREATE TABLE permission on the  AdventureWorks2012 database to user MelanieK.

USE AdventureWorks2012;
GRANT CREATE TABLE TO MelanieK;
GO

2. Granting CREATE VIEW with GRANT OPTION

The following example grants CREATE VIEW permission on the AdventureWorks2012 database to user CarmineEs with the right to grant CREATE VIEW to other principals.

USE AdventureWorks2012;
GRANT CREATE VIEW TO CarmineEs WITH GRANT OPTION;
GO

 

2. GRANT Object Permissions

Reference: https://msdn.microsoft.com/en-us/library/ms188371(v=sql.110).aspx

GRANT <permission> [ ,...n ] ON 
    [ OBJECT :: ][ schema_name ]. object_name [ ( column [ ,...n ] ) ]
    TO <database_principal> [ ,...n ] 
    [ WITH GRANT OPTION ]
    [ AS <database_principal> ]

<permission> ::=
    ALL [ PRIVILEGES ] | permission [ ( column [ ,...n ] ) ]

<database_principal> ::= 
        Database_user 
    | Database_role 
    | Application_role 
    | Database_user_mapped_to_Windows_User 
    | Database_user_mapped_to_Windows_Group 


ON [ OBJECT :: ] [ schema_name ] . object_name

Specifies the object on which the permission is being granted. The OBJECT phrase is optional if schema_name is specified. If the OBJECT phrase is used, the scope qualifier (::) is required. If schema_name is not specified, the default schema is used. If schema_name is specified, the schema scope qualifier (.) is required.

ALL

Granting ALL does not grant all possible permissions. Granting ALL is equivalent to granting all ANSI-92 permissions applicable to the specified object. The meaning of ALL varies as follows:

Scalar function permissions: EXECUTE, REFERENCES.

Table-valued function permissions: DELETE, INSERT, REFERENCES, SELECT, UPDATE.

Stored procedure permissions: EXECUTE.

Table permissions: DELETE, INSERT, REFERENCES, SELECT, UPDATE.

View permissions: DELETE, INSERT, REFERENCES, SELECT, UPDATE.
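What GRANT ALL on a table actually records, as an added example that is not from the original post: SQL Server stores the expanded individual permissions, so a catalog query shows exactly which ones were granted, and a REVOKE followed by a single GRANT narrows the grantee to what it needs. The table dbo.dt_test and the user report_user are assumed names.

```sql
-- Added example (not from the original post). Assumed names: dbo.dt_test,
-- report_user. Run inside a test database.
CREATE TABLE dbo.dt_test (id int PRIMARY KEY, note nvarchar(100));
CREATE USER report_user WITHOUT LOGIN;

-- ALL on a table = DELETE, INSERT, REFERENCES, SELECT, UPDATE. It does not
-- include ALTER, CONTROL, TAKE OWNERSHIP or VIEW DEFINITION.
GRANT ALL ON OBJECT::dbo.dt_test TO report_user;

-- The catalog holds the individual permissions, not an "ALL" entry;
-- minor_id = 0 restricts the result to table-level grants.
SELECT p.permission_name, p.state_desc
FROM sys.database_permissions p
JOIN sys.database_principals g ON g.principal_id = p.grantee_principal_id
WHERE g.name = 'report_user'
  AND p.major_id = OBJECT_ID('dbo.dt_test')
  AND p.minor_id = 0
ORDER BY p.permission_name;

-- Tighten to least privilege: a reporting user needs SELECT only.
REVOKE ALL ON OBJECT::dbo.dt_test FROM report_user;
GRANT SELECT ON OBJECT::dbo.dt_test TO report_user;
```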

Examples

A. Granting SELECT permission on a table

The following example grants SELECT permission to user RosaQdM on table Person.Address in the AdventureWorks2012 database.

USE AdventureWorks2012;
GRANT SELECT ON OBJECT::Person.Address TO RosaQdM;
GO

B. Granting EXECUTE permission on a stored procedure

The following example grants EXECUTE permission on stored procedure HumanResources.uspUpdateEmployeeHireInfo to an application role called Recruiting11.

USE AdventureWorks2012; 
GRANT EXECUTE ON OBJECT::HumanResources.uspUpdateEmployeeHireInfo
    TO Recruiting11;
GO 

 

Reference documentation:

https://msdn.microsoft.com/en-us/library/ms173848(v=sql.110).aspx

https://msdn.microsoft.com/en-us/library/ms188371(v=sql.110).aspx

https://msdn.microsoft.com/en-us/library/ms178569(v=sql.110).aspx

 
