情况:
在一个Windows用户是成员的多 AD组。 在每个广告组映射到SQL Server登录。 在每个SQL登录映射到的数据库用户。 在每个数据库用户都有特定的角色。 A Windows user is member in multiple AD groups. Every AD group is mapped to a SQL Server login. Every SQL login is mapped to a database user. Every database user has specific roles.问:
是否有可能在Windows用户登录到SQL Server(使用WinAuth),而且他得到的所有的角色,他可以得到由于他在多个AD组的成员?
Is it possible that a Windows user is logging into SQL Server (using WinAuth) and that he gets all roles which he could get due to his membership in multiple AD groups?
推荐答案
是的。在对象上的用户的权限是所有权限路径S中的工会/他有资格获得(包括任何DENY权限)。一个快速的方法来验证是使用sys.user_token和sys.login_token意见,以及在sys.fn_my_permissions功能。从管理的角度看,这些工作特别好,因为它们是在模拟准确。
Yes. A user's permissions on an object is the union of all permissions paths s/he qualifies for (including any DENY permissions). A quick way to verify is by using the sys.user_token and sys.login_token views as well as the sys.fn_my_permissions function. From an administrative perspective, these work especially well because they are accurate under impersonation (i.e. execute as login = 'yourDomainsomeUser'
).
相关推荐
最新文章