[Self-study notes] Create user roles and authorization in SQL Server (using SQL statements) update 2023.07.06

--<Create user roles and authorization in SQL Server (using SQL statements)> updated 2023.07.06
--1. First, at the SQL Server instance level, create a login (create login)
--2. Create a database user (create user)
--3. Grant permissions to the database user "dba" by adding it to a database role

--Create the login (create login)
create login dba with password='abcd1234@', default_database=AliSysDB
--At this point the dba login can connect to the SQL Server instance, but it still cannot access objects in the database
--(strictly speaking, dba now runs as the guest database user by default and can access whatever guest can access).
--For the dba login to reach the objects it needs in AliSysDB, a "database user" must be created in AliSysDB,
--that database user must be granted the required access, and the login "dba" must be mapped to that database user.
--Creating the database user and establishing the mapping is done in a single step.

--Create a database user for the login (create user); the new dba user appears under AliSysDB > Security > Users
create user dba for login dba with default_schema=dbo
--Grant the database user db_owner permissions by adding it to the database role
exec sp_addrolemember 'db_owner', 'dba'

--Let the SQL Server login "dba" access several databases
use DBErp
create user dba for login dba with default_schema=dbo
exec sp_addrolemember 'db_owner', 'dba'



--Drop the database user:
drop user dba

--Drop the SQL Server login:
drop login dba



--Disable a login
alter login dba disable
--Enable a login
alter login dba enable

--Rename a login
alter login dba with name=dba_tom
--Change a login's password:
alter login dba with password='aabb@ccdd'

--Rename a database user:
alter user dba with name=dba_tom
--Change a database user's default_schema:
alter user dba with default_schema=sales

--Create a user with T-SQL
--Add roles
use AliSysDB
go
sp_addlogin 'test_db','123456','AliSysDB'
go
sp_addsrvrolemember 'test_db','sysadmin'
go
sp_adduser 'test_db','test_db','db_owner'
go

--Create users with stored procedures
--The example below shows how, in SQL Server, to use stored procedures to create a role, create a login, and grant permissions to that login



USE DBErp

--Create role r_test
EXEC sp_addrole 'r_test'
--Add login l_test with password a@cd123 and default database DBErp
EXEC sp_addlogin 'l_test','a@cd123','DBErp'

--Add database user (security account) u_test in DBErp for login l_test
EXEC sp_grantdbaccess 'l_test','u_test'

--Add u_test as a member of role r_test
EXEC sp_addrolemember 'r_test','u_test'

--Grant role r_test all permissions on table 效期查询
GRANT ALL ON 效期查询 TO r_test
--The ALL permission is deprecated and kept only for compatibility; it does not mean that ALL permissions defined on the entity are granted.

--To take the permissions back, use the following statement (optional).
revoke all on 效期查询 from r_test

--Grant role r_test SELECT permission on table 实时库存查询
GRANT SELECT ON 实时库存查询 TO r_test


--Log in as l_test: both tables, 效期查询 and 实时库存查询, can now be queried
select * from 效期查询
select * from 实时库存查询

--Deny security account u_test SELECT permission on table 效期查询
DENY SELECT ON 效期查询 TO u_test

--Grant it again
GRANT SELECT ON 效期查询 TO u_test


--Remove the security account from the database: failed
EXEC sp_revokedbaccess 'u_test'

--Drop role r_test: failed
EXEC sp_droprole 'r_test'

--Drop login l_test: success
EXEC sp_droplogin 'l_test'



--Difference between revoke and deny
--revoke: takes back a permission that was previously granted
--deny: refuses to grant the permission to a security account in the current database and prevents the account from inheriting it through group or role membership. For example, if the role UserA belongs to has INSERT permission but we DENY UserA, UserA has no INSERT permission, and no matter which other roles with INSERT UserA is later added to, it still has none, unless the user is explicitly granted it.
--In short: deny means it will not be given in the future either; revoke means what was already given is taken back.



GRANT INSERT ON TableA TO RoleA
GO
EXEC sp_addrolemember 'RoleA', 'UserA' -- UserA now has INSERT permission on TableA
GO

REVOKE INSERT ON TableA FROM RoleA -- UserA no longer has INSERT permission on TableA; the permission is taken back
GO

GRANT INSERT ON TableA TO RoleA -- give RoleA INSERT permission on TableA again
GO

DENY INSERT ON TableA TO UserA -- although RoleA, which UserA belongs to, has INSERT permission on TableA, UserA itself is denied, so UserA has no INSERT permission on TableA.
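The following verification script is an added example, not part of the original notes. It replays the GRANT / REVOKE / DENY sequence above with throw-away objects (the names dbo.AuthDemoTable, AuthDemoRole, AuthDemoUser and dbo.usp_AuthDemoCanInsert are constructed) and checks the user's effective INSERT permission after each step with HAS_PERMS_BY_NAME while impersonating the user, so the revoke-versus-deny difference can be observed instead of assumed.

```sql
-- Added verification script (not from the original notes). Run it in a scratch
-- database where you are db_owner: impersonating a user needs IMPERSONATE on it.
-- Constructed names: dbo.AuthDemoTable, AuthDemoRole, AuthDemoUser.
CREATE TABLE dbo.AuthDemoTable (id int NOT NULL);
CREATE ROLE AuthDemoRole;
CREATE USER AuthDemoUser WITHOUT LOGIN;   -- no login is needed just to test permissions
ALTER ROLE AuthDemoRole ADD MEMBER AuthDemoUser;
GO
-- Helper: reports 1 when AuthDemoUser can INSERT into the table, 0 when it cannot.
CREATE PROCEDURE dbo.usp_AuthDemoCanInsert @step nvarchar(60)
AS
BEGIN
    EXECUTE AS USER = 'AuthDemoUser';     -- evaluate the check as the user itself
    SELECT @step AS step,
           HAS_PERMS_BY_NAME('dbo.AuthDemoTable', 'OBJECT', 'INSERT') AS can_insert;
    REVERT;
END
GO
EXEC dbo.usp_AuthDemoCanInsert 'no grant yet';
-- Grant through the role: the user inherits the permission via membership.
GRANT INSERT ON dbo.AuthDemoTable TO AuthDemoRole;
EXEC dbo.usp_AuthDemoCanInsert 'GRANT to role';
-- REVOKE removes the earlier grant from the role, so the inherited permission disappears.
REVOKE INSERT ON dbo.AuthDemoTable FROM AuthDemoRole;
EXEC dbo.usp_AuthDemoCanInsert 'REVOKE from role';
-- Grant to the role again, then DENY the user directly: a DENY on the user wins over
-- any GRANT inherited from roles, which is the "deny" case described above.
GRANT INSERT ON dbo.AuthDemoTable TO AuthDemoRole;
DENY INSERT ON dbo.AuthDemoTable TO AuthDemoUser;
EXEC dbo.usp_AuthDemoCanInsert 'GRANT to role + DENY user';
-- REVOKE on the user removes the DENY as well, so the role grant applies again.
REVOKE INSERT ON dbo.AuthDemoTable FROM AuthDemoUser;
EXEC dbo.usp_AuthDemoCanInsert 'DENY revoked';
GO
-- Clean up the scratch objects.
DROP PROCEDURE dbo.usp_AuthDemoCanInsert;
ALTER ROLE AuthDemoRole DROP MEMBER AuthDemoUser;
DROP USER AuthDemoUser;
DROP ROLE AuthDemoRole;
DROP TABLE dbo.AuthDemoTable;
GO
```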





Creating logins with the SSMS management tool: this visual approach is much simpler than creating them with SQL statements.

1. Create a login

Log in to the instance; under Security → Logins, right-click → New Login.

On the "General" page of the New Login window, enter the login name and password. The password must be reasonably complex, otherwise an error is reported. If you want to set a simple password, untick "Enforce password policy".

2. Set administrator permissions

Click "Server Roles" in the page selector on the left to grant server-level permissions to the new login. In the server roles panel on the right, check public.

Note: if the new account does not need system administrator authority, do not check sysadmin!

Server role      Description
sysadmin         performs any operation in SQL Server
serveradmin      configures server settings
setupadmin       installs replication and manages extended stored procedures
securityadmin    manages logins and CREATE DATABASE permissions, and reads audit logs
processadmin     manages SQL Server processes
dbcreator        creates and modifies databases
diskadmin        manages disk files

3. Set non-administrator permissions

Click "User Mapping" in the page selector on the left, select the databases the login may access, and select the permissions the login has in each database. Check db_owner under [Database role membership] at the bottom of the panel!

Note: if you assign an account without system administration authority to manage a database, you must check db_owner! Otherwise the account cannot see any tables in the database!

To give the newly created user dba permissions on several databases, stay on this step, click each of the other databases and check the corresponding permissions below. This way a user can be granted different permissions on several databases in one go.

'db_owner' -- has all permissions in the database, including permission to drop the database
'db_accessadmin' -- can only create other database users; cannot create logins
'db_securityadmin' -- can manage all permissions, object ownership, roles and role membership
'db_ddladmin' -- can run any DDL statement (CREATE, ALTER and DROP) but cannot issue GRANT, REVOKE or DENY
'db_backupoperator' -- allows backing up and restoring the database [backup and restore can also be done through SQL Server Management Studio]
'db_datareader' -- can SELECT all data from any user table in the database
'db_datawriter' -- can change all data in any user table in the database
'db_denydatareader' -- cannot query any data in any user table in the database
'db_denydatawriter' -- cannot change any data in any user table in the database
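The notes above warn against handing out sysadmin and db_owner casually, and the earlier script dropped a login while its database user stayed behind. The audit queries below are an added example, not part of the original notes; they list who currently holds those two roles and which database users no longer map to any login, using only the standard catalog views (sys.server_role_members, sys.server_principals, sys.database_role_members, sys.database_principals).

```sql
-- Added audit queries (not from the original notes). Run in the database you want
-- to inspect; VIEW ANY DEFINITION / VIEW DEFINITION is needed to see every row.

-- 1. Members of the sysadmin fixed server role, with their enabled/disabled state.
SELECT m.name AS login_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.name;

-- 2. Members of db_owner in the current database.
SELECT DB_NAME() AS database_name, m.name AS user_name, m.type_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'db_owner'
ORDER BY m.name;

-- 3. Orphaned users: SQL users that should map to a login (authentication_type 1 =
--    INSTANCE) but whose SID matches no login on this instance, which is what is left
--    behind when a login is dropped before its database user.
SELECT dp.name AS orphaned_user, dp.create_date
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp ON sp.sid = dp.sid
WHERE dp.type = 'S'                     -- SQL user, not a Windows principal, role or schema
  AND dp.authentication_type = 1
  AND sp.sid IS NULL
  AND dp.name NOT IN ('dbo', 'guest', 'INFORMATION_SCHEMA', 'sys')
ORDER BY dp.name;
```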
 

4. Click "Securables" in the page selector on the left, select a securable, and then grant permissions on it.

5. Open [Status] to authorize the connection to the engine

Finally, click "Status", grant permission to connect to the database engine, set the login to Enabled, and click OK.

If you cannot log in, check whether SQL Server and Windows Authentication mode is enabled under [Security] on the server properties page.


Origin blog.csdn.net/zgscwxd/article/details/131586286