本篇文章是有关sybase安全相关的管理中不容易明白的地方——角色分层和互斥,了解了下面的实验并实现之,你就过关了。
本节中,你将通过三个实验来理解互斥、分层的概念以及相关命令的使用。实验环境要求你拥有系统管理员和安全管理员的角色,有权访问数据库,有用户和权限管理的基础知识。
步骤:
【实验一】角色互斥(用户级)
1、创建角色
create role intern_role
create role doctor_role with passwd "physician"
create role specialist_role
2、增加角色的互斥
alter role intern_role add exclusive membership specialist_role
3、了解登录用户信息
select * from syslogins
4、增加新的登录
sp_addlogin lg1,"okokok"
5、为新的帐户授予intern_role角色和specialist_role角色
sp_role "grant","intern_role","lg1"
sp_role "grant","specialist_role","lg1"
提示信息:
server message: number 11151, severity 16
procedure ''sp_role'', line 36:
cannot grant the role ''specialist_role'' because it is mutually exclusive with role ''intern_role'' which is possessed by grantee ''lg1''. remove the exclusivity and try again.
(1 row affected)
(return status = 1)
【实验二】定义sso_role和sa_role在活动级互斥
1、使角色sso_role和sa_role角色在活动级互斥
alter role sso_role add exclusive activation sa_role
显示提示信息:
server message: number 11126, severity 16
line 1:
cannot add the ''activation'' exclusivity between role ''sso_role'' and role ''sa_role'' because it already exists for this server.
2、为将角色分离创建两个登录用户
sp_addlogin aca_sa,"okokok"
sp_addlogin aca_sso,"okokok"
3、分别为其授予系统员和安全员的角色
sp_role "grant","sa_role","aca_sa"
sp_role "grant","sso_role","aca_sso"
4、锁定超级帐户sa
sp_locklogin "sa","lock"(自己不能锁自己)
以aca_sso"从新登录后再锁定sa用户
sp_locklogin "sa","lock"