如果表和过程的所有者相同,则不检查表的权限。这称为所有权链接。
注意,在此上下文中,“所有权”是指“模式所有者”。例如,该表
TestDB.Schema1.Table1由拥有的用户拥有
Schema1。
因为与
Orders具有相同的所有者
GetCustomerOrderInfo,所以存储过程具有隐式的读取权限
Orders。
但是
Customers拥有者不同,因此您必须明确授予对此的权限。
这是一个测试脚本来演示该问题:
use Testgoif exists (select * from sys.syslogins where name = 'UserA') drop login UserA create login UserA with password = 'Welcome'if exists (select * from sys.syslogins where name = 'UserB') drop login UserB create login UserB with password = 'Welcome'if exists (select * from sys.syslogins where name = 'UserC') drop login UserC create login UserC with password = 'Welcome'if exists (select * from sys.tables where name = 'Customers' and schema_name(schema_id) = 'SchemaA') drop table SchemaA.Customersif exists (select * from sys.schemas where name = 'SchemaA') drop schema SchemaAif exists (select * from sys.sysusers where name = 'UserA') drop user UserAif exists (select * from sys.tables where name = 'Orders' and schema_name(schema_id) = 'SchemaB') drop table SchemaB.Ordersif exists (select * from sys.procedures where name = 'GetCustomerOrderInfo' and schema_name(schema_id) = 'SchemaB') drop procedure SchemaB.GetCustomerOrderInfo if exists (select * from sys.schemas where name = 'SchemaB') drop schema SchemaBif exists (select * from sys.sysusers where name = 'UserB') drop user UserBif exists (select * from sys.sysusers where name = 'UserC') drop user UserCcreate user UserA for login UserAalter role db_owner add member UserAgocreate schema SchemaA authorization UserAgocreate user UserB for login UserBalter role db_owner add member UserBgocreate schema SchemaB authorization UserBgocreate user UserC for login UserCcreate table SchemaA.Customers (id int identity)create table SchemaB.Orders (id int identity, CustomerId int)gocreate procedure SchemaB.GetCustomerOrderInfo asselect *from SchemaB.Orders ojoin SchemaA.Customers con c.id = o.CustomerIdgo
设置完毕后,我们可以使用不同的权限测试该过程。首先,我们需要对存储过程具有执行权限,然后在上具有读取权限
Customers。此后,即使我们没有授予对的读取访问权限,该存储过程仍然有效
Orders。
execute as login = 'UserC' -- Login as UserCexec SchemaB.GetCustomerOrderInfo -- The EXECUTE permission was denied on the object 'GetCustomerOrderInfo', database 'Test', schema 'SchemaB'revert -- Revert back to our original logingrant execute on SchemaB.GetCustomerOrderInfo to UserCexecute as login = 'UserC'exec SchemaB.GetCustomerOrderInfo -- The SELECT permission was denied on the object 'Customers', database 'Test', schema 'SchemaA'.revertgrant select on SchemaA.Customers to UserCexecute as login = 'UserC'exec SchemaB.GetCustomerOrderInfo -- (0 row(s) affected)revert
