Sql server SQL授予每次只更新一行的权限
是否可以将SQL server权限设置为特定用户,以便一次只更新一行? 如果答案是“是”,那么如何实现呢 例如,如果你有这样的东西:Sql server SQL授予每次只更新一行的权限,sql-server,tsql,Sql Server,Tsql,是否可以将SQL server权限设置为特定用户,以便一次只更新一行? 如果答案是“是”,那么如何实现呢 例如,如果你有这样的东西: use MyDB go update t1 set t1.something = 'xxx' --select * from table t1 如果此选择将返回一条以上要更新的记录,则不允许(…或只更新第一条记录),否则,如果只更新一条记录,则允许更新。SQL Server没有在安全/任务级别执行此操作的方法。但是,我相信您可以通过存储过程来实现这一点。
use MyDB
go
update t1 set t1.something = 'xxx'
--select *
from table t1
如果此选择将返回一条以上要更新的记录,则不允许(…或只更新第一条记录),否则,如果只更新一条记录,则允许更新。SQL Server没有在安全/任务级别执行此操作的方法。但是,我相信您可以通过存储过程来实现这一点。因此,您可以授予用户通过存储过程执行工作的能力。一旦存储过程中的工作“完成”,就可以检查
@@rowcountcreate procedure dbo.LimitRecordsChanged
@NumChangesAllowed int = 1
--other params
as
begin
-- parameter sniffing
declare @__NumChangesAllowed int = @NumChangesAllowed;
begin tran;
-- do your work here
if @@rowcount > @__NumChangesAllowed
rollback;
commit tran;
end
如果需要临时解决方案,触发器是一种简单的方法。
但这将阻止任何人一次更新多条记录。
如果你需要一个永久的解决方案,我会选择@Larnu
create trigger U_YourTableName on dbo.YourTableName
for update
as
begin
set nocount on
if (select count(1) from inserted) > 1
begin
;THROW 99001, 'your only allowed one update at a time', 1
end
end
这个问题有几个答案。一种是通过触发器,另一种是通过限制权限和使用存储过程。就我个人而言,我建议SP 下面的示例应该解释一切:
--Create a sample table and data
CREATE TABLE SomeTable (ID int IDENTITY(1,1),
SomeString varchar(100));
GO
INSERT INTO SomeTable (SomeString)
VALUES ('adsfasdfad'),
('sdafkjsdlf'),
('kjlsdahfsldjkhflds');
GO
SELECT *
FROM SomeTable;
GO
--Create a test user, give UPDATE permissions and test
CREATE USER TestUser WITHOUT LOGIN;
GO
GRANT UPDATE ON SomeTable TO TestUser;
GO
EXECUTE AS USER = 'TestUser';
UPDATE SomeTable
SET SomeString = 'abcdefg'; --this will update every row
GO
REVERT;
GO
SELECT *
FROM SomeTable;
GO
--Trigger technique (not what I recommend)
CREATE TRIGGER LimitToOne ON SomeTable
INSTEAD OF UPDATE
AS
IF (SELECT COUNT(*) FROM inserted) > 1 BEGIN
--Should raise an error here, but soing a PRINT for speed
PRINT 'Can''t update more than one row at a time';
END ELSE BEGIN
UPDATE ST
SET SomeString = i.SomeString
FROM inserted i
JOIN SomeTable ST On i.ID = ST.ID
END
GO
UPDATE SomeTable
SET SomeString = '123456'; --this won't work
SELECT *
FROM SomeTable;
UPDATE SomeTable
SET SomeString = '123456'
WHERE ID = 1; --this will work
SELECT *
FROM SomeTable;
GO
--Allow use of SP's only (the better solution, in my opinion)
--Cleanup previous example
DROP TRIGGER LimitToOne;
REVOKE UPDATE ON SomeTable TO TestUser;
GO
--Check we can't update
EXECUTE AS USER = 'TestUser';
UPDATE SomeTable
SET SomeString = 'abcdefg'; --this will fail, as we revoked the permissions
GO
REVERT;
GO
SELECT *
FROM SomeTable;
GO
--Create the SP
CREATE PROC Update_SomeTable @ID int, @String varchar(100) AS
UPDATE SomeTable
SET SomeString = @String
WHERE ID = @ID;
GO
--Give Permissions
GRANT EXECUTE ON Update_SomeTable TO TestUser;
GO
--Test
EXECUTE AS USER = 'TestUser';
EXEC Update_SomeTable 3,'Did this work?'; --Op is forced to only supply one value
GO
REVERT;
GO
SELECT *
FROM SomeTable;
GO
--Clean up
DROP PROC Update_SomeTable;
DROP TABLE SomeTable;
DROP USER TestUser;
当然,用户可以依次更新多行;通过使用多个语句(可能通过使用
游标CREATE TRIGGER dbo.u_yourtable ON dbo.yourtable
FOR UPDATE AS
IF (ROWCOUNT_BIG() > 1) AND (SUSER_SNAME() IN (N'yourdomain\specificuser'))
BEGIN
RAISERROR ('You are not allowed to update more than one record at a time.', 16, 1);
ROLLBACK TRAN;
END
GO
不。不能那样做。有什么特别的原因要这样做吗?措辞拙劣的问题-如果您试图说您只想在有多行时更新,您可以通过不让他们直接更新表来执行子查询,而是强制他们通过存储过程执行数据访问,您可以将
TOP 1设置行数