欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页

SQL语句(六) 自主存取控制

程序员文章站 2024-03-19 14:48:28
...

一、关于自主存取控制

       实现自主存取控制主要是使用GRANT和REVOKE语句进行授权和回收操作,授权就是给数据库的用户赋予对某些数据库对象的操作;回收就是收回其权限。

GRANT语句:

GRANT 权限,权限......

ON 对象名,对象名......

TO 用户,用户......

WITGRANT OPTION//表示获得某种权限的用户还可以将权限授予其他用户,可以省略

REVOKE语句:

REVOKE 权限,权限......

ON 对象名,对象名......

FROM 用户,用户......

CASCADE|RESTRICT

二、实例

1.创建用户
①为采购、销售、客户管理等三个部门的经理创建用户标识,具有创建用户或者角色的权利。
create login David with password='david123',default_database=TPC
create user David for login David with default_schema=dbo
grant create role to David;

create login Tom with password='tom123',default_database=TPC
create user Tom for login Tom with default_schema=dbo
grant create role to Tom;

create login Kathy with password='kathy123',default_database=TPC
create user Kathy for login Kathy with default_schema=dbo
grant create role to Kathy;
②为采购、销售、客户管理等三个部门的职员创建用户标识和用户口令。
create login Jeffery with password='jeffery123',default_database=TPC
create user Jeffery for login Jeffery with default_schema=dbo;

create login Jane with password='jane123',default_database=TPC
create user Jane for login Jane with default_schema=dbo;

create login Mike with password='mike123',default_database=TPC
create user Mike for login Mike with default_schema=dbo;

2.创建角色并分配权限
①为各个部门分别创建一个查询角色,并分配查询权限。
CREATE ROLE PurchaseRole;--创建PurchaseRole角色
GRANT SELECT ON supplier TO PurchaseRole WITH GRANT OPTION;
GRANT SELECT ON part TO PurchaseRole WITH GRANT OPTION;
GRANT SELECT ON partsupp TO PurchaseRole WITH GRANT OPTION;

CREATE ROLE SaleRole;--创建SaleRole角色
GRANT SELECT ON orders TO SaleRole WITH GRANT OPTION;
GRANT SELECT ON lineitem TO SaleRole WITH GRANT OPTION;

CREATE ROLE CustomerRole;--创建CustomerRole角色
GRANT SELECT ON customer TO CustomerRole WITH GRANT OPTION;
GRANT SELECT ON nation TO CustomerRole WITH GRANT OPTION;
GRANT SELECT ON region TO CustomerRole WITH GRANT OPTION;

②为各个部门分别创建一个职员角色,对本部门的信息具有查看、插入权限。
CREATE ROLE PurchaseEmployeeRole;--创建PurchaseEmployeeRole角色
GRANT SELECT,INSERT ON supplier TO PurchaseEmployeeRole;
GRANT SELECT,INSERT ON part TO PurchaseEmployeeRole;
GRANT SELECT,INSERT ON partsupp TO PurchaseEmployeeRole;

CREATE ROLE SaleEmployeeRole;--创建SaleEmployeeRole角色
GRANT SELECT,INSERT ON orders TO SaleEmployeeRole;
GRANT SELECT,INSERT ON lineitem TO SaleEmployeeRole;

CREATE ROLE CustomerEmployeeRole;--创建CustomerEmployeeRole角色
GRANT SELECT,INSERT ON customer TO CustomerEmployeeRole;
GRANT SELECT,INSERT ON nation TO CustomerEmployeeRole;
GRANT SELECT,INSERT ON region TO CustomerEmployeeRole;
③为各部门创建一个经理角色,相应角色对本部门的信息具有完全控制权限,对其他部门信息具有查询权,经理有权给本部门职员分配权限。
CREATE ROLE PurchaseManagerRole;--创建PurchaseManagerRole角色
GRANT ALL ON supplier TO PurchaseManagerRole;
GRANT ALL ON part TO PurchaseManagerRole;
GRANT ALL ON partsupp TO PurchaseManagerRole;
exec sp_addrolemember 'SaleRole','PurchaseManagerRole';
exec sp_addrolemember 'CustomerRole','PurchaseManagerRole';

CREATE ROLE SaleManagerRole;--创建SaleManagerRole角色
GRANT ALL ON orders TO SaleManagerRole;
GRANT ALL ON lineitem TO SaleManagerRole;
exec sp_addrolemember 'PurchaseRole','SaleManagerRole';
exec sp_addrolemember 'CustomerRole','SaleManagerRole';

CREATE ROLE CustomerManagerRole;--创建CustomerManagerRole角色
GRANT ALL ON customer TO CustomerManagerRole;
GRANT ALL ON nation TO CustomerManagerRole;
GRANT ALL ON region TO CustomerManagerRole;
exec sp_addrolemember 'PurchaseRole','CustomerManagerRole';
exec sp_addrolemember 'SaleRole','CustomerManagerRole';
3.给用户分配权限
--①给各部门经理分配权限
exec sp_addrolemember 'PurchaseManagerRole','David';
exec sp_addrolemember 'SaleManagerRole','Tom';
exec sp_addrolemember 'CustomerManagerRole','Kathy';
②给各部门职员分配权限
exec sp_addrolemember 'PurchaseEmployeeRole','Jeffery' ;
exec sp_addrolemember 'SaleEmployeeRole','Jane' ;
exec sp_addrolemember 'CustomerEmployeeRole','Mike' ;
4.回收角色或用户权限
①回收客户经理角色的销售信息查看权限
exec sp_droprolemember 'SaleRole','CustomerManagerRole' ;
②回收MIKE的客户部门职员权限
exec sp_droprolemember 'CustomerEmployeeRole','Mike' ;
5.验证权限分配的正确性
①以David用户名登录数据库,验证采购部门经理的权限
SELECT *
FROM part;
SELECT *
FROM orders;
②回收MIKE的客户部门职员权限
SELECT *
FROM customer;
SELECT *
FROM part;