问题描述
首先,作为sql Server的管理员,我试图使用标准数据库来屏蔽列。
CREATE TABLE [Person].[MyEmailAddress]
(
[MyBusinessEntityID] [int] NOT NULL,[MyEmailAddressID] [int] IDENTITY(1,1) NOT NULL,[EmailAddress] [nvarchar](50) MASKED WITH (FUNCTION = 'email()') NULL,--<== masked
[rowguid] [uniqueidentifier] ROWGUIDCOL NOT NULL,[ModifiedDate] [datetime] NOT NULL,CONSTRAINT [PK_MyEmailAddress_BusinessEntityID_EmailAddressID] PRIMARY KEY CLUSTERED (
[MyBusinessEntityID] ASC,[MyEmailAddressID] ASC
)
) ON [PRIMARY]
GO
然后,我创建了一个新的存储过程
CREATE PROCEDURE [Person].[Email_Address]
AS
BEGIN
SET NOCOUNT ON;
-- Insert statements for procedure here
SELECT * from [Person].[EmailAddress]
END
GO
create login AdvUserTest004
with password = 'Test123'
create user User004
for login AdvUserTest004
-- add user to the database owner role
exec sp_addrolemember N'db_owner',N'User004'
通过将此link引用到db_datawriter
和db_datareader
来设置用户角色。没有这两个成员资格,表就不会出现。
然后,我尝试使用sql Server身份验证模式登录“ AdvUserTest004”。试图执行选择语句
select * from [Person].[EmailAddress]
但是上面的存储过程没有出现。因此,通过引用此document,可以授予执行权限。
现在,存储过程将照常显示。然后,执行存储过程
exec [Person].[Email_Address]
结果如下:
问题是,
解决方法
您使用户成为db_owner
。如果您选中Chart of SQL Server Permissions:
您会看到此角色的成员可以UNMASK
的任何数据。可以使用以下代码轻松检查:
DROP TABLE IF EXISTS [dbo].[StackOverflow];
CREATE TABLE [dbo].[StackOverflow]
(
[email] NVARCHAR(128) MASKED WITH (FUNCTION = 'email()')
);
INSERT INTO [dbo].[StackOverflow] ([email])
VALUES ('text1@gmail.bg'),('text2@gmail.bg'),('text3@gmail.bg');
SELECT [email]
FROM [dbo].[StackOverflow];
GO
DROP USER IF EXISTS [Daleman];
CREATE USER [Daleman] WITHOUT LOGIN;
GRANT SELECT ON [dbo].[StackOverflow] TO [Daleman];
GO
EXECUTE AS USER = 'Daleman';
SELECT [email]
FROM [dbo].[StackOverflow];
REVERT;
GO
EXEC sp_addrolemember N'db_owner',N'Daleman';
EXECUTE AS USER = 'Daleman';
SELECT [email]
FROM [dbo].[StackOverflow];
REVERT;
我在哪里:
- 创建一个新表并对其进行查询(我
sys.admin
可以unmask
来 - 创建具有查询表访问权限的新用户(该用户无法
unmask
并看到被屏蔽的数据) - 使用户
db_owner
并现在显示用户可以看到原始数据
这是执行代码的输出:
所以,我想您在看到被掩盖的数据的情况下无法正确测试。
,我刚刚从此link
中获得了示例-- Demonstrate Dynamic Data Masking
--
-- Make sure to connect using a privileged user such as the database owner or sysadmin
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'GreatLakesUser')
BEGIN
CREATE LOGIN GreatLakesUser
WITH PASSWORD = N'SQLRocks!00',CHECK_POLICY = OFF,CHECK_EXPIRATION = OFF,DEFAULT_DATABASE = WideWorldImporters;
END;
GO
USE WideWorldImporters;
GO
IF NOT EXISTS(SELECT * FROM sys.database_principals WHERE name = N'GreatLakesUser')
BEGIN
CREATE USER GreatLakesUser FOR LOGIN GreatLakesUser;
END;
GO
ALTER ROLE [Great Lakes Sales] ADD MEMBER GreatLakesUser;
GO
-- grant SELECT rights to role principal
GRANT SELECT ON Purchasing.Suppliers TO [Great Lakes Sales];
GO
-- select with current UNMASK rights (NOTE row count and data values),assuming you are connected using a privileged user
SELECT SupplierID,SupplierName,BankAccountName,BankAccountBranch,BankAccountCode,BankAccountNumber FROM Purchasing.Suppliers;
-- impersonate the user GreatLakesUser
EXECUTE AS USER = 'GreatLakesUser';
GO
-- select with impersonated MASKED rights (NOTE row count and data values)
SELECT SupplierID,BankAccountNumber FROM Purchasing.Suppliers;
GO
REVERT;
GO
-- Clean-up (optional)
/*
REVOKE SELECT ON Purchasing.Suppliers TO [Great Lakes Sales];
GO
DROP USER GreatLakesUser;
GO
DROP LOGIN GreatLakesUser;
GO
*/