Security4: Role and Permission

Grants permissions on a securable to a principal. The general concept is GRANT <some permission> ON <some object> TO <some user, login, or group>. In short: Grant Permission on securable to principal.

Granting a permission involves three parts: the Permission, the Securable and the Principal. In one sentence: grant the Principal the Permission to operate on the Securable. The Principal is the entity that receives the permission; the Securable is the object (a table, a view, and so on) that the Principal acts on. Sometimes a Principal is itself a Securable, acted on by another Principal.

I. A Role as Principal: the role is granted permissions

For the list of permissions, see Permissions (Database Engine). That page lists individual permissions; a role is a set of permissions.

1. Create Role and Create Server Role

The CREATE ROLE statement creates a new database role in the current database.

Syntax

CREATE ROLE role_name
[ AUTHORIZATION owner_name ]

AUTHORIZATION owner_name

Is the database user or role that is to own the new role. If no user is specified, the role will be owned by the user that executes CREATE ROLE.

Remarks

Roles are database-level securables. After you create a role, configure the database-level permissions of the role by using GRANT, DENY, and REVOKE. To add members to a database role, use ALTER ROLE (Transact-SQL).

Database roles are visible in the sys.database_role_members and sys.database_principals catalog views.

2. GRANT Permissions to a Role

As a Principal, a role can be granted permissions with the GRANT statement. Here the role is granted object permissions; see GRANT Object Permissions (Transact-SQL).

GRANT <permission> [ ,...n ] ON
    [ OBJECT :: ][ schema_name ]. object_name [ ( column [ ,...n ] ) ]
    TO <database_principal> [ ,...n ]
    [ WITH GRANT OPTION ]
    [ AS <database_principal> ]

<permission> ::=
    ALL [ PRIVILEGES ] | permission [ ( column [ ,...n ] ) ]

<database_principal> ::=
        Database_user
    | Database_role
    | Application_role
    | Database_user_mapped_to_Windows_User
    | Database_user_mapped_to_Windows_Group
    | Database_user_mapped_to_certificate
    | Database_user_mapped_to_asymmetric_key
    | Database_user_with_no_login

Examples:

GRANT ALTER, DELETE, INSERT, SELECT, UPDATE    -- Permission list
ON dbo.dt_test                                 -- Table name
TO database_level_role                         -- Role name
WITH GRANT OPTION;                             -- Lets the role re-grant these permissions to others

3. Add a member

Adds members to a database role.

Syntax

ALTER ROLE role_name
{
      [ ADD MEMBER database_principal ]
    | [ DROP MEMBER database_principal ]
    | WITH NAME = new_name
}

ADD MEMBER database_principal

Adds the specified database principal to the database role. database_principal can be a user or a user-defined database role. database_principal cannot be a fixed database role, or a server principal.
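The three steps of Part I carried out end to end, as an added example that is not part of the original post. It keeps the post's names (dbo.dt_test, database_level_role) but creates the table and a login-less user AppUser1 itself so it runs in any test database; unlike the post's GRANT it leaves out ALTER and WITH GRANT OPTION, and then reads back what was granted from the catalog views named in the Remarks and from the member's own point of view.

```sql
-- Added example, not the original post's code. Constructed objects: dbo.dt_test, AppUser1.
CREATE TABLE dbo.dt_test (id int PRIMARY KEY, payload nvarchar(100));
GO
CREATE USER AppUser1 WITHOUT LOGIN;
GO

-- Step 1: create the role. Without AUTHORIZATION the owner would be the executing user.
CREATE ROLE database_level_role AUTHORIZATION dbo;
GO

-- Step 2: grant object permissions to the role. Least privilege: DML only (no ALTER),
-- and no WITH GRANT OPTION, so members cannot pass these permissions on to others.
GRANT SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.dt_test TO database_level_role;
GO

-- Step 3: add the user as a member of the role.
ALTER ROLE database_level_role ADD MEMBER AppUser1;
GO

-- Check 1: role membership, from the catalog views mentioned in the Remarks.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'database_level_role';

-- Check 2: what the role actually holds. A state_desc of GRANT_WITH_GRANT_OPTION
-- would mean the grantee can re-grant the permission; plain GRANT is what we want.
SELECT pr.name AS grantee,
       dp.permission_name,
       dp.state_desc,
       OBJECT_SCHEMA_NAME(dp.major_id) + N'.' + OBJECT_NAME(dp.major_id) AS securable
FROM sys.database_permissions AS dp
JOIN sys.database_principals AS pr ON pr.principal_id = dp.grantee_principal_id
WHERE dp.class_desc = N'OBJECT_OR_COLUMN'
  AND pr.name = N'database_level_role';

-- Check 3: effective permissions as the member sees them (impersonate, then revert).
-- subentity_name = '' restricts the output to table-level rows, not per-column rows.
EXECUTE AS USER = N'AppUser1';
SELECT permission_name
FROM sys.fn_my_permissions(N'dbo.dt_test', N'OBJECT')
WHERE subentity_name = N'';
REVERT;
GO
```

The two catalog queries are the ones worth keeping in a review script: the first shows who inherits through the role, the second shows whether any grant on the role carries GRANT OPTION, which is the setting that lets a role member widen access without an administrator's involvement.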

II. A Role as Securable: a Principal is granted permissions on the Role

A role can be a database Principal and be granted permissions; a role can also be a database Securable, in which case the GRANT statement grants a Principal permissions to operate on the role.

See GRANT Database Principal Permissions (Transact-SQL).

GRANT permission [ ,...n ]
    ON
    {   [ USER :: database_user ]
      | [ ROLE :: database_role ]
      | [ APPLICATION ROLE :: application_role ]
    }
    TO <database_principal> [ ,...n ]
    [ WITH GRANT OPTION ]
    [ AS <database_principal> ]

<database_principal> ::=
        Database_user
    | Database_role
    | Application_role
    | Database_user_mapped_to_Windows_User
    | Database_user_mapped_to_Windows_Group
    | Database_user_mapped_to_certificate
    | Database_user_mapped_to_asymmetric_key
    | Database_user_with_no_login

Examples

1. Granting CONTROL permission on a user to another user

The following example grants CONTROL permission on user Wanida to user RolandX.

GRANT CONTROL
ON USER::Wanida
   TO RolandX;

2. Granting VIEW DEFINITION permission on a role to a user with GRANT OPTION

The following example grants VIEW DEFINITION permission on AdventureWorks2012 role SammamishParking together with GRANT OPTION to database user JinghaoLiu.

GRANT VIEW DEFINITION
ON ROLE::SammamishParking
    TO JinghaoLiu WITH GRANT OPTION;
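An added example (not from the original post) of the role-as-securable case used for delegation: a help-desk user is allowed to manage the membership of one role, and nothing else. Role and user names (report_readers, HelpDesk, NewAnalyst) are constructed for the illustration. ALTER on a single role is the narrowest permission that lets someone run ALTER ROLE ... ADD MEMBER on it; the alternatives are ALTER ANY ROLE at database scope, which covers every user-defined role, or db_securityadmin membership. By contrast, CONTROL on a user, as in example 1 above, includes IMPERSONATE, so it lets the grantee act as that user.

```sql
-- Added example, not the original post's code. Constructed names: report_readers, HelpDesk, NewAnalyst.
CREATE ROLE report_readers;
GO
CREATE USER HelpDesk   WITHOUT LOGIN;
CREATE USER NewAnalyst WITHOUT LOGIN;
GO

-- The role is the securable here: HelpDesk gets ALTER on this one role only.
GRANT ALTER ON ROLE::report_readers TO HelpDesk;
GO

-- HelpDesk can now change the membership of report_readers (and of no other role).
EXECUTE AS USER = N'HelpDesk';
ALTER ROLE report_readers ADD MEMBER NewAnalyst;
REVERT;
GO

-- Audit: every permission whose securable is a database principal
-- (class_desc = 'DATABASE_PRINCIPAL'; major_id is the principal_id of the user or role acted on).
-- This is where CONTROL ON USER::... and ALTER ON ROLE::... grants show up.
SELECT grantee.name      AS grantee,
       dp.permission_name,
       dp.state_desc,
       target.name       AS target_principal,
       target.type_desc  AS target_type
FROM sys.database_permissions AS dp
JOIN sys.database_principals  AS grantee ON grantee.principal_id = dp.grantee_principal_id
JOIN sys.database_principals  AS target  ON target.principal_id  = dp.major_id
WHERE dp.class_desc = N'DATABASE_PRINCIPAL'
ORDER BY target.name, grantee.name;
GO
```

The audit query is the part to reuse: permissions granted on users and roles are easy to overlook because they do not appear in object-level permission reports, yet CONTROL or IMPERSONATE on a privileged user is equivalent to holding that user's permissions.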

III. Other

1. GRANT Database Permissions

Reference: https://msdn.microsoft.com/en-us/library/ms178569(v=sql.110).aspx

GRANT <permission> [ ,...n ]
    TO <database_principal> [ ,...n ] [ WITH GRANT OPTION ]
    [ AS <database_principal> ]

<permission>::=
permission | ALL [ PRIVILEGES ]

<database_principal> ::=
        Database_user
    | Database_role
    | Application_role
    | Database_user_mapped_to_Windows_User
    | Database_user_mapped_to_Windows_Group

Examples

1. Granting permission to create tables

The following example grants CREATE TABLE permission on the AdventureWorks2012 database to user MelanieK.

USE AdventureWorks2012;
GRANT CREATE TABLE TO MelanieK;
GO

2. Granting CREATE VIEW with GRANT OPTION

The following example grants CREATE VIEW permission on the AdventureWorks2012 database to user CarmineEs with the right to grant CREATE VIEW to other principals.

USE AdventureWorks2012;
GRANT CREATE VIEW TO CarmineEs WITH GRANT OPTION;
GO
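An added example (not from the original post) showing a caveat a practitioner hits with database-level permissions: CREATE TABLE alone is not enough to create a table, because the statement also requires ALTER permission on the schema the table goes into. The example grants CREATE TABLE, shows the attempt failing under impersonation, and then scopes the ALTER right to a dedicated schema instead of dbo. The user and schema names (TableBuilder, sandbox) are constructed, and it assumes a test database.

```sql
-- Added example, not the original post's code. Constructed names: TableBuilder, sandbox.
CREATE USER TableBuilder WITHOUT LOGIN;
GO

-- Database-level permission: the user may issue CREATE TABLE in this database...
GRANT CREATE TABLE TO TableBuilder;
GO

-- ...but CREATE TABLE also needs ALTER on the target schema, which TableBuilder lacks on dbo.
-- Run through dynamic SQL inside TRY/CATCH so the permission error is shown rather than
-- aborting the script; REVERT still runs afterwards.
EXECUTE AS USER = N'TableBuilder';
BEGIN TRY
    EXEC (N'CREATE TABLE dbo.t_should_fail (id int);');
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS error_number, ERROR_MESSAGE() AS error_message;
END CATCH;
REVERT;
GO

-- Least privilege: give the user a schema of its own rather than ALTER on dbo,
-- which would also allow changes to every object that lives in dbo.
CREATE SCHEMA sandbox AUTHORIZATION dbo;
GO
GRANT ALTER ON SCHEMA::sandbox TO TableBuilder;
GO

-- Now CREATE TABLE (database scope) plus ALTER (schema scope) together succeed.
EXECUTE AS USER = N'TableBuilder';
CREATE TABLE sandbox.t_ok (id int);
REVERT;
GO

-- Check: what TableBuilder holds at database scope and at schema scope.
SELECT dp.class_desc, dp.permission_name, dp.state_desc,
       CASE dp.class_desc WHEN N'SCHEMA' THEN SCHEMA_NAME(dp.major_id) ELSE N'' END AS schema_name
FROM sys.database_permissions AS dp
JOIN sys.database_principals AS pr ON pr.principal_id = dp.grantee_principal_id
WHERE pr.name = N'TableBuilder';
GO
```

CREATE SCHEMA must be the first statement in its batch, which is why it sits directly after a GO. The same pairing applies to CREATE VIEW, CREATE PROCEDURE and the other CREATE permissions: the database-level permission says what kind of object may be created, the schema-level ALTER says where.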

2. GRANT Object Permissions

Reference: https://msdn.microsoft.com/en-us/library/ms188371(v=sql.110).aspx

GRANT <permission> [ ,...n ] ON
    [ OBJECT :: ][ schema_name ]. object_name [ ( column [ ,...n ] ) ]
    TO <database_principal> [ ,...n ]
    [ WITH GRANT OPTION ]
    [ AS <database_principal> ]

<permission> ::=
    ALL [ PRIVILEGES ] | permission [ ( column [ ,...n ] ) ]

<database_principal> ::=
        Database_user
    | Database_role
    | Application_role
    | Database_user_mapped_to_Windows_User
    | Database_user_mapped_to_Windows_Group

ON [ OBJECT :: ] [ schema_name ] . object_name

Specifies the object on which the permission is being granted. The OBJECT phrase is optional if schema_name is specified. If the OBJECT phrase is used, the scope qualifier (::) is required. If schema_name is not specified, the default schema is used. If schema_name is specified, the schema scope qualifier (.) is required.

ALL

Granting ALL does not grant all possible permissions. Granting ALL is equivalent to granting all ANSI-92 permissions applicable to the specified object. The meaning of ALL varies as follows:

Scalar function permissions: EXECUTE, REFERENCES.

Table-valued function permissions: DELETE, INSERT, REFERENCES, SELECT, UPDATE.

Stored procedure permissions: EXECUTE.

Table permissions: DELETE, INSERT, REFERENCES, SELECT, UPDATE.

View permissions: DELETE, INSERT, REFERENCES, SELECT, UPDATE.

Examples

A. Granting SELECT permission on a table

The following example grants SELECT permission to user RosaQdM on table Person.Address in the AdventureWorks2012 database.

USE AdventureWorks2012;
GRANT SELECT ON OBJECT::Person.Address TO RosaQdM;
GO

B. Granting EXECUTE permission on a stored procedure

The following example grants EXECUTE permission on stored procedure HumanResources.uspUpdateEmployeeHireInfo to an application role called Recruiting11.

USE AdventureWorks2012;
GRANT EXECUTE ON OBJECT::HumanResources.uspUpdateEmployeeHireInfo
    TO Recruiting11;
GO
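An added example (not from the original post) that makes the ALL rule above visible: it grants ALL on a table, reads the expanded permissions back from sys.database_permissions, and then replaces the blanket grant with a column-level SELECT using the ( column [ ,...n ] ) form from the grammar, so a reporting user can read a table without seeing its sensitive column. The table dbo.Employee and the user Reporting are constructed for the illustration; it assumes a test database.

```sql
-- Added example, not the original post's code. Constructed objects: dbo.Employee, Reporting.
CREATE TABLE dbo.Employee (id int PRIMARY KEY, name nvarchar(50), salary money);
GO
CREATE USER Reporting WITHOUT LOGIN;
GO

-- ALL on a table is not "every permission": it expands to the ANSI-92 set only.
GRANT ALL ON OBJECT::dbo.Employee TO Reporting;
GO

-- Catalog check: one row per expanded permission on the whole table (minor_id = 0),
-- and no ALTER or CONTROL row, because ALL does not include them.
SELECT dp.permission_name, dp.state_desc
FROM sys.database_permissions AS dp
JOIN sys.database_principals AS pr ON pr.principal_id = dp.grantee_principal_id
WHERE pr.name = N'Reporting'
  AND dp.major_id = OBJECT_ID(N'dbo.Employee')
  AND dp.minor_id = 0
ORDER BY dp.permission_name;
GO

-- Tighten: take the blanket grant away and allow SELECT on the non-sensitive columns only.
REVOKE ALL ON OBJECT::dbo.Employee FROM Reporting;
GRANT SELECT (id, name) ON OBJECT::dbo.Employee TO Reporting;
GO

-- Column-level grants are stored with minor_id = column_id; the table-level row is gone.
SELECT dp.permission_name, c.name AS column_name
FROM sys.database_permissions AS dp
JOIN sys.database_principals AS pr ON pr.principal_id = dp.grantee_principal_id
LEFT JOIN sys.columns AS c ON c.object_id = dp.major_id AND c.column_id = dp.minor_id
WHERE pr.name = N'Reporting'
  AND dp.major_id = OBJECT_ID(N'dbo.Employee')
ORDER BY c.column_id;
GO

-- Behaviour check under impersonation: the column-limited query runs,
-- reading the salary column is refused (shown via TRY/CATCH so the script continues).
EXECUTE AS USER = N'Reporting';
SELECT id, name FROM dbo.Employee;
BEGIN TRY
    EXEC (N'SELECT salary FROM dbo.Employee;');
END TRY
BEGIN CATCH
    SELECT ERROR_MESSAGE() AS error_message;
END CATCH;
REVERT;
GO
```

When reviewing grants, treat an ALL grant as the five listed permissions and check for separate ALTER, CONTROL or TAKE OWNERSHIP rows on the same object; those are the ones that let a grantee change or take over the object rather than just use it.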

References:

https://msdn.microsoft.com/en-us/library/ms173848(v=sql.110).aspx

https://msdn.microsoft.com/en-us/library/ms188371(v=sql.110).aspx

https://msdn.microsoft.com/en-us/library/ms178569(v=sql.110).aspx

Date: 2024-11-06 10:43:46
