Advertisement
PavloSerg

ProtectDB_Laba1

Sep 24th, 2023
1,324
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
T-SQL 3.70 KB | None | 0 0
  1. --Создание таблицы с данными
  2. drop table DataTable;
  3. create table DataTable
  4. (
  5.     id    int primary key identity,
  6.     name  nvarchar(20) not null,
  7.     level nvarchar(20) not null
  8. );
  9. insert into DataTable
  10. values ('Ivan Petrov', 'SECRET'),
  11.        ('Peter Petrov', 'TOP SECRET'),
  12.        ('Michael Sidorov', 'UNCLASSIFIED');
  13. --select * from DataTable
  14.  
  15.  
  16. --Создание таблицы уровней доступа
  17. drop table Classifications;
  18. create table Classifications
  19. (
  20.     name  nvarchar(20) primary key not null,
  21.     level int                      not null
  22. );
  23. insert into Classifications
  24. values ('TOP SECRET', 1),
  25.        ('SECRET', 2),
  26.        ('UNCLASSIFIED', 3);
  27.  
  28.  
  29. --Создание таблицы пользователей
  30. drop table Users;
  31. create table Users
  32. (
  33.     name      nvarchar(20) primary key not null,
  34.     clearance nvarchar(20) default ('UNCLASSIFIED')
  35. );
  36. insert into Users
  37. values ('Anna', 'SECRET'),
  38.        ('Alex', 'UNCLASSIFIED');
  39.  
  40. --Создаем роль laba_reader и выдаем права на select on DataTable
  41. create role [laba_reader]
  42. grant select on DataTable to [laba_reader]
  43.  
  44. --Триггер на регистрацию новых пользователей в таблицу Users
  45. --drop trigger NewUserAdditionTrigger
  46. CREATE OR ALTER TRIGGER NewUserAdditionTrigger
  47.     ON DATABASE
  48.     after CREATE_USER
  49.     AS
  50. BEGIN
  51.     DECLARE @created_user NVARCHAR(2000) = EVENTDATA()
  52.         .value('(/EVENT_INSTANCE/ObjectName)[1]', 'nvarchar(256)')
  53.     insert into Users
  54.     values (@created_user, 'UNCLASSIFIED')
  55.  
  56.     --declare @sqlCommand nvarchar(255)
  57.     --set @sqlCommand = 'alter role [laba_reader] add member ['+@created_user+']'
  58.     --EXECUTE @sqlCommand
  59.  
  60. END;
  61.  
  62. --Добавляем пользователей, повышаем доступ Anna
  63. --drop user [Alex]
  64. --drop user [Anna]
  65. --delete from Users where name is not null
  66. create user [Alex] without login;
  67. alter role [laba_reader] add member [Alex]
  68. create user [Anna] without login;
  69. alter role [laba_reader] add member [Anna]
  70. update Users
  71. set clearance = 'SECRET'
  72. where name = 'Anna';
  73.  
  74. --select * from Users
  75. --Создаем функцию для политики
  76. create schema Security
  77. go;
  78.  
  79. create or alter function [Security].[fn_DataTable_read](@clearance as nvarchar(20))
  80.     returns table
  81.         with schemabinding--привязка к схеме, чтобы система следила чтоб функцию не поломали из-за изменений названия колонки, удаление таблицы и т.п.
  82.         as
  83.         return
  84.         with cte_row_level as (select top 1 C.level as row_level
  85.                                from [dbo].Classifications C
  86.                                where C.name = @clearance),
  87.              cte_user_level as (select top 1 C.level as user_level
  88.                                 from [dbo].Classifications C
  89.                                          join [dbo].Users U on C.name = U.clearance
  90.                                 where U.name = CURRENT_USER)
  91.         select 1 as fn_result
  92.         from cte_row_level, cte_user_level
  93.         where cte_row_level.row_level >= cte_user_level.user_level
  94. go;
  95. --return select 1 as fn_result
  96. --where 'dbo' = CURRENT_USER
  97. --end
  98. -- Создаем политику безопасности
  99. create security policy [Security].P_RLS_DataTable_read
  100. add filter predicate [Security].[fn_DataTable_read]([level])--1 фильтрпредикат на 1 таблицу
  101. on [dbo].[DataTable]
  102. with (state=on)
  103.  
  104.  
  105. -- Проверка
  106. execute as user = 'Anna'
  107. select * from [dbo].[DataTable]
  108. revert
  109.  
  110. execute as user = 'Alex'
  111. select * from [dbo].[DataTable]
  112. revert
  113.  
  114.  
  115.  
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement