标签:
近期在对接中,业务(数据挖掘同事)需要将部分账号控制到表级别,只允许部分账号访问指定的表.
Create Database [TriggerLog]; GO USE [TriggerLog]; GO CREATE TABLE [dbo].[Authority_log]( [id] [bigint] IDENTITY(1,1) NOT NULL, [PostTime] [datetime] NOT NULL DEFAULT (getdate()), [DB_User] [nvarchar](200) NOT NULL DEFAULT (‘‘), [DBNAME] [nvarchar](50) NOT NULL DEFAULT (‘‘), [EventType] [nvarchar](100) NOT NULL DEFAULT (‘‘), [TSQLCommand] [nvarchar](max) NOT NULL DEFAULT (‘‘), CONSTRAINT [PK_Authority_log] PRIMARY KEY CLUSTERED ([id] ASC) ) ON [PRIMARY] GO
--赋予账号记录日志权限***必要,否则触发器无法正常运行,赋予权限操作也无法执行*** USE [TriggerLog] GO CREATE USER [test] FOR LOGIN [test] --新建登陆账号在日志库中对应的用户 GO GRANT INSERT ON [dbo].[Authority_log] TO [test] --赋予用户插入日志表数据的权限 GO
--在所需开通赋权的库上新建DDL触发器 USE [testdb] --如有多个库,每个库上都部署一个即可 GO IF EXISTS(SELECT * FROM sys.triggers WHERE name = N‘Tr_Train_Authority_Monitor‘ AND parent_class_desc = N‘DATABASE ‘) DROP TRIGGER Tr_Train_Authority_Monitor ON DATABASE GO CREATE TRIGGER Tr_Train_Authority_Monitor ON DATABASE FOR GRANT_DATABASE,DENY_DATABASE,REVOKE_DATABASE AS DECLARE @data XML SET @data = EVENTDATA() INSERT TriggerLog.dbo.[Authority_log] (PostTime, DB_User,DBNAME, EventType, TSQLCommand) VALUES (GETDATE(), CONVERT(nvarchar(100), CURRENT_USER), DB_NAME(), @data.value(‘(/EVENT_INSTANCE/EventType)[1]‘, ‘nvarchar(100)‘), @data.value(‘(/EVENT_INSTANCE/TSQLCommand)[1]‘, ‘nvarchar(2000)‘) ) ; GO
--在所需开通赋权的库上新建登陆和赋予db_securityadmin角色 USE [testdb] --如有多个库,每个库上都部署一个即可 GO CREATE USER [test] FOR LOGIN [test] GO ALTER ROLE [db_securityadmin] ADD MEMBER [test] GO
标签:
原文地址:http://www.cnblogs.com/qkiori/p/5459946.html
