Debian上SQL Server的权限管理策略
一 身份与授权模型
二 最小权限与角色设计
三 典型授权流程与T‑SQL示例
-- 1) 服务器级:创建登录名
CREATE LOGIN app_user WITH PASSWORD = 'StrongP@ssw0rd!';
-- 2) 数据库级:在目标库创建用户并映射
USE SalesDB;
CREATE USER app_user FOR LOGIN app_user;
-- 3) 通过固定角色授予读写
ALTER ROLE db_datareader ADD MEMBER app_user;
ALTER ROLE db_datawriter ADD MEMBER app_user;
-- 4) 细粒度:仅授予某表的特定权限
GRANT SELECT, INSERT, UPDATE ON dbo.Orders TO app_user;
-- 5) 回收与拒绝(示例)
REVOKE DELETE ON dbo.Orders FROM app_user;
-- DENY 优先级高于 GRANT/REVOKE,用于显式阻断
-- DENY SELECT ON dbo.Orders TO app_user;
-- 6) 验证:查看某用户的数据库级权限
SELECT *
FROM sys.database_permissions
WHERE grantee_principal_id = USER_ID('app_user');
四 审计与合规
-- 服务器级审计(Linux 路径示例)
CREATE SERVER AUDIT ServerAudit
TO FILE (FILEPATH = '/var/opt/mssql/data/audit/')
WITH (ON_FAILURE = CONTINUE);
ALTER SERVER AUDIT ServerAudit WITH (STATE = ON);
-- 数据库级审计规范:审计登录事件
CREATE DATABASE AUDIT SPECIFICATION DbLoginAudit
FOR SERVER AUDIT ServerAudit
ADD (FAILED_LOGIN_GROUP),
(SUCCESSFUL_LOGIN_GROUP)
WITH (STATE = ON);
五 网络与运维安全加固
sudo ufw allow from 192.168.1.0/24 to any port 1433 proto tcp
sudo ufw reload