在rdsuser主账号下创建并管理子账号
适用场景
为了用户能够更好的使用和理解华为云 RDS for SQL Server ,rdsuser账号的权限边界如表1所示。
用户可以通过给出的脚本在rdsuser下创建子账号并进行有效管理。
rdsuser权限
创建子账号
通过如下脚本,可快速的通过rdsuser创建子账号。
说明:
本脚本只适用于SQL Server 2014及以上版本,2008R2需要修改一些地方,请自行判断处理。
use [master]
DECLARE @DBName NVARCHAR(128)
DECLARE @SQL NVARCHAR(max)
DECLARE @Login_Name nvarchar(128)
DECLARE @Login_Password nvarchar(128)
set @Login_Name = 'TestLogin3' --change your login name
set @Login_Password = '1qaz!QAZ'
SET @SQL='
USE [master]
CREATE LOGIN '+@Login_name+' WITH PASSWORD=N'''+ @Login_Password +''', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF
alter server role [processadmin] add member '+@Login_name+'
alter server role [setupadmin] add member '+@Login_name+'
GRANT VIEW SERVER STATE TO '+@Login_name+' WITH GRANT OPTION
GRANT VIEW ANY DEFINITION TO '+@Login_name+' WITH GRANT OPTION
GRANT VIEW ANY DATABASE TO '+@Login_name+' WITH GRANT OPTION
GRANT CREATE ANY DATABASE TO '+@Login_name+' WITH GRANT OPTION
GRANT ALTER SERVER STATE TO '+@Login_name+' WITH GRANT OPTION
GRANT ALTER TRACE TO '+@Login_name+' WITH GRANT OPTION
GRANT ALTER ANY SERVER ROLE TO '+@Login_name+' WITH GRANT OPTION
GRANT ALTER ANY LOGIN TO '+@Login_name+' WITH GRANT OPTION
GRANT ALTER ANY CONNECTION TO '+@Login_name+' WITH GRANT OPTION
GRANT CONNECT SQL TO '+@Login_name+' WITH GRANT OPTION
GRANT VIEW SERVER STATE TO '+@Login_name+' WITH GRANT OPTION
'
print @SQL
exec (@SQL)
SET @SQL='
use [msdb]
if exists(select top 1 1 from sys.sysusers where name = '''+ @Login_Name +''')
begin
ALTER USER '+@Login_name+' with login = '+@Login_name+';
end
else
begin
CREATE USER '+@Login_name+' FOR LOGIN '+@Login_name+';
end
ALTER ROLE [SQLAgentUserRole] ADD MEMBER '+@Login_name+'
GRANT ALTER ON ROLE::[SQLAgentUserRole] TO '+@Login_name+' WITH GRANT OPTION
GRANT ALTER ANY USER TO '+@Login_name+' WITH GRANT OPTION
GRANT EXEC ON msdb.dbo.sp_delete_database_backuphistory TO '+@Login_name+' WITH GRANT OPTION
GRANT EXEC ON msdb.dbo.sp_purge_jobhistory TO '+@Login_name+' WITH GRANT OPTION
GRANT SELECT ON msdb.dbo.sysjobs TO '+@Login_name+' WITH GRANT OPTION;
GRANT SELECT ON msdb.dbo.sysschedules TO '+@Login_name+' WITH GRANT OPTION;
GRANT SELECT ON msdb.dbo.sysjobsteps TO '+@Login_name+' WITH GRANT OPTION;
GRANT SELECT ON msdb.dbo.sysjobhistory TO '+@Login_name+' WITH GRANT OPTION;
GRANT SELECT ON msdb.dbo.syscategories TO '+@Login_name+' WITH GRANT OPTION;
GRANT SELECT ON msdb.dbo.sysjobschedules TO '+@Login_name+' WITH GRANT OPTION;
'
print @SQL
exec (@SQL)
SET @SQL='
use [tempdb]
if exists(select top 1 1 from sys.sysusers where name = '''+ @Login_Name +''')
begin
ALTER USER '+@Login_name+' with login = '+@Login_name+';
end
else
begin
CREATE USER '+@Login_name+' FOR LOGIN '+@Login_name+';
end
GRANT CONTROL TO '+@Login_name+'
'
print @SQL
exec (@SQL)
declare DBName_Cursor cursor for
select quotename(name) from sys.databases where database_id > 4 and state = 0
and name not like '%$%'
and name <> 'rdsadmin'
open DBName_Cursor
fetch next from DBName_Cursor into @DBName
WHILE @@FETCH_STATUS = 0
begin
SET @SQL=' USE ' + (@DBName) + '
if exists(select top 1 1 from sys.sysusers where name = '''+ @Login_Name +''')
begin
ALTER USER '+@Login_name+' with login = '+@Login_name+';
ALTER ROLE [db_owner] ADD MEMBER '+@Login_name+';
end
else
begin
CREATE USER '+@Login_name+' FOR LOGIN '+@Login_name+';
ALTER ROLE [db_owner] ADD MEMBER '+@Login_name+';
end
'
print @SQL
EXEC (@SQL)
fetch next from DBName_Cursor into @DBName
end
close DBName_Cursor
deallocate DBName_Cursor
