Grant permissions on XML schema collections

Applies to: SQL Server, Azure SQL Database, Azure SQL Managed Instance

You can grant permissions to create XML schema collections, and you can grant permissions on XML schema collection objects.

Grant permissions to create an XML schema collection

To create an XML schema collection, the following permissions are required:

  • The principal needs CREATE XML SCHEMA COLLECTION permission at the database level.

  • Because an XML schema collection is scoped to a relational schema, the principal must also have ALTER permission on that relational schema.

The following permissions allow a principal to create an XML schema collection in a relational schema in a database on the server:

  • CONTROL permission on the server

  • ALTER ANY DATABASE permission on the server

  • ALTER permission on the database

  • CONTROL permission on the database

  • ALTER ANY SCHEMA permission and CREATE XML SCHEMA COLLECTION permission on the database

  • ALTER or CONTROL permission on the relational schema and CREATE XML SCHEMA COLLECTION permission on the database

This last approach is the one used in the following examples.

The owner of the relational schema becomes the owner of any XML schema collection created in that schema. This owner has full control of the XML schema collection and can therefore modify it, use it to type xml columns, or drop it.
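Before a principal attempts CREATE XML SCHEMA COLLECTION, the two prerequisites above can be checked from that principal's point of view, and the database-level and schema-level grants that satisfy them can be audited across all principals. The following T-SQL is an added example and is not part of the original page; it assumes a test database and user with the names used elsewhere on this page (SampleDBForSchemaPermissions, TestLogin1), and it uses EXECUTE AS USER / REVERT, the supported replacement for the SETUSER statement used in the page's own examples.

```sql
-- Added example (not from the original page). Database, user and schema
-- names are placeholders taken from this page's examples.
USE SampleDBForSchemaPermissions;
GO
-- 1) Check, as the principal itself, whether both prerequisites hold.
--    HAS_PERMS_BY_NAME returns 1 (held), 0 (not held) or NULL (invalid input).
EXECUTE AS USER = 'TestLogin1';
SELECT HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'CREATE XML SCHEMA COLLECTION') AS can_create_xml_collection,
       HAS_PERMS_BY_NAME('dbo', 'SCHEMA', 'ALTER')                              AS can_alter_dbo_schema;
REVERT;
GO
-- 2) Audit which principals hold database-level rights that are sufficient,
--    directly or through the broader ALTER / CONTROL / ALTER ANY SCHEMA,
--    to create XML schema collections in this database.
SELECT dp.name AS principal_name,
       dp.type_desc,
       perm.permission_name,
       perm.state_desc
FROM sys.database_permissions AS perm
JOIN sys.database_principals AS dp
  ON dp.principal_id = perm.grantee_principal_id
WHERE perm.class_desc = 'DATABASE'
  AND perm.permission_name IN ('CREATE XML SCHEMA COLLECTION', 'ALTER ANY SCHEMA', 'ALTER', 'CONTROL')
ORDER BY dp.name, perm.permission_name;
GO
-- 3) Audit which principals hold ALTER or CONTROL on individual relational
--    schemas; combined with CREATE XML SCHEMA COLLECTION these allow creating
--    collections in that schema.
SELECT dp.name AS principal_name,
       s.name  AS relational_schema,
       perm.permission_name,
       perm.state_desc
FROM sys.database_permissions AS perm
JOIN sys.schemas AS s
  ON s.schema_id = perm.major_id
JOIN sys.database_principals AS dp
  ON dp.principal_id = perm.grantee_principal_id
WHERE perm.class_desc = 'SCHEMA'
  AND perm.permission_name IN ('ALTER', 'CONTROL')
ORDER BY s.name, dp.name;
GO
```

The first query is the quick pre-flight check; the two audit queries list only explicit grants in sys.database_permissions, so schema ownership (which confers full control without an explicit grant) has to be checked separately through sys.schemas.principal_id.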

Grant permissions on XML schema collection objects

The following permissions apply to XML schema collections:

  • ALTER permission is required to modify the content of an existing XML schema collection by using the ALTER XML SCHEMA COLLECTION statement.

  • CONTROL permission allows the user to perform any operation on the XML schema collection.

  • TAKE OWNERSHIP permission is required to transfer ownership of the XML schema collection from one principal to another.

  • REFERENCES permission authorizes the principal to use the XML schema collection to constrain and type xml columns in tables, views, and parameters. REFERENCES permission is also required when one XML schema collection references another.

  • VIEW DEFINITION permission lets the principal query the content of the XML schema collection through XML_SCHEMA_NAMESPACE or through the catalog views, provided the principal also has ALTER, REFERENCES, or CONTROL permission on the collection.

  • EXECUTE permission is required when values the principal inserts or updates are validated against an XML schema collection that constrains and types xml columns, variables, and parameters. The same permission is required to query the XML stored in those columns and variables.
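The permission list above separates the rights an application needs day to day (REFERENCES to type columns, EXECUTE to insert and query) from the rights that let a grantee change or take over the collection (ALTER, TAKE OWNERSHIP, CONTROL). The following T-SQL is an added example, not part of the original page: it grants the day-to-day pair to a role and then audits the explicit grants on every user-defined XML schema collection, flagging the powerful ones. It assumes the database and collection names used in this page's examples (SampleDBForSchemaPermissions, dbo.myTestSchemaCollection); the role name xml_app_role is a placeholder.

```sql
-- Added example (not from the original page). Database, collection and
-- role names are placeholders.
USE SampleDBForSchemaPermissions;
GO
-- Least-privilege pattern: an application that only stores and queries typed
-- XML needs EXECUTE (validation on insert/update and on query) and, if it
-- creates typed columns or parameters, REFERENCES. It does not need ALTER,
-- TAKE OWNERSHIP or CONTROL on the collection.
CREATE ROLE xml_app_role;
GRANT REFERENCES ON XML SCHEMA COLLECTION::dbo.myTestSchemaCollection TO xml_app_role;
GRANT EXECUTE    ON XML SCHEMA COLLECTION::dbo.myTestSchemaCollection TO xml_app_role;
GO
-- Audit: every explicit permission on every user-defined XML schema collection,
-- together with its explicit owner (NULL means ownership is inherited from the
-- owner of the relational schema).
SELECT sc.name  AS relational_schema,
       xsc.name AS xml_schema_collection,
       USER_NAME(xsc.principal_id) AS explicit_owner,
       dp.name  AS grantee,
       perm.permission_name,
       perm.state_desc
FROM sys.xml_schema_collections AS xsc
JOIN sys.schemas AS sc
  ON sc.schema_id = xsc.schema_id
LEFT JOIN sys.database_permissions AS perm
  ON perm.class_desc = 'XML_SCHEMA_COLLECTION'
 AND perm.major_id = xsc.xml_collection_id
LEFT JOIN sys.database_principals AS dp
  ON dp.principal_id = perm.grantee_principal_id
WHERE sc.name <> 'sys'   -- skip the built-in sys.sys collection
ORDER BY sc.name, xsc.name, dp.name, perm.permission_name;
GO
-- Flag grants of the rights that let a grantee change or take over the
-- collection, and with it the validation of every column typed by it.
SELECT sc.name  AS relational_schema,
       xsc.name AS xml_schema_collection,
       dp.name  AS grantee,
       perm.permission_name,
       perm.state_desc
FROM sys.database_permissions AS perm
JOIN sys.xml_schema_collections AS xsc
  ON xsc.xml_collection_id = perm.major_id
JOIN sys.schemas AS sc
  ON sc.schema_id = xsc.schema_id
JOIN sys.database_principals AS dp
  ON dp.principal_id = perm.grantee_principal_id
WHERE perm.class_desc = 'XML_SCHEMA_COLLECTION'
  AND perm.state_desc IN ('GRANT', 'GRANT_WITH_GRANT_OPTION')
  AND perm.permission_name IN ('ALTER', 'TAKE OWNERSHIP', 'CONTROL');
GO
-- Cleanup of the demonstration role (its grants are removed with it).
DROP ROLE xml_app_role;
GO
```

Run the two audit queries in a change-review or periodic check: the first shows the complete grant picture per collection, the second should normally return only administrative principals, since anyone listed there can alter the schema that constrains the typed xml columns.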

Examples

The scenarios in the following examples show how XML schema permissions work. Each example creates the test database, relational schema, and logins it needs, grants those logins the required XML schema collection permissions, and performs the necessary cleanup at the end.

A. Grant permissions to create an XML schema collection

The following example shows how to grant permissions so that a principal can create an XML schema collection. It creates a sample database and a test user, TestLogin1. TestLogin1 is then granted ALTER permission on the relational schema and CREATE XML SCHEMA COLLECTION permission on the database. With these permissions, TestLogin1 can successfully create the sample XML schema collection.

SETUSER;
GO
USE master;
GO
CREATE LOGIN TestLogin1 WITH password='SQLSvrPwd1';
GO
CREATE DATABASE SampleDBForSchemaPermissions;
GO
USE SampleDBForSchemaPermissions;
GO
CREATE USER TestLogin1;
GO
-- User must have ALTER permission on the relational schema in the database.
GRANT ALTER ON SCHEMA::dbo TO TestLogin1;
GO
-- User also must have permission to create XML schema collections in the database.
GRANT CREATE XML SCHEMA COLLECTION
TO TestLogin1;
GO
-- Execute CREATE XML SCHEMA COLLECTION.
SETUSER 'TestLogin1';
GO
CREATE XML SCHEMA COLLECTION myTestSchemaCollection AS '<?xml version="1.0" encoding="UTF-8" ?>
<xsd:schema targetNamespace="https://schemas.adventure-works.com/Additional/ContactInfo"
            xmlns:xsd="http://www.w3.org/2001/XMLSchema"
elementFormDefault="qualified">
<xsd:element name="AdditionalContactInfo" >
  <xsd:complexType mixed="true" >
    <xsd:sequence>
      <xsd:any processContents="strict"
               namespace="https://schemas.adventure-works.com/Contact/Record
                          https://schemas.adventure-works.com/AdditionalContactTypes"
               minOccurs="0" maxOccurs="unbounded" />
    </xsd:sequence>
  </xsd:complexType>
</xsd:element>
<xsd:element name="root" type="xsd:byte"/>
</xsd:schema>';
GO
-- Final cleanup
SETUSER;
GO
USE master;
GO
DROP DATABASE SampleDBForSchemaPermissions;
GO
DROP LOGIN TestLogin1;
GO

B. Grant permissions to use an existing XML schema collection

The following example illustrates the permission model for XML schema collections in more detail. It shows the different permissions required to create and then use an XML schema collection.

The example creates a test database and a login, TestLogin1. TestLogin1 can create an XML schema collection in the database. That login then creates a table and uses the XML schema collection to create a typed xml column. The user then inserts data and queries it. All of these steps require the schema permissions shown in the code.

SETUSER
GO
USE master;
GO
CREATE LOGIN TestLogin1 WITH password='SQLSvrPwd1';
GO
CREATE DATABASE SampleDBForSchemaPermissions;
GO
USE SampleDBForSchemaPermissions;
GO
CREATE USER TestLogin1;
GO
-- Grant permission to the user.
SETUSER;
GO
-- User must have ALTER permission on the relational schema in the database.
GRANT ALTER ON SCHEMA::dbo TO TestLogin1;
GO
-- User also must have permission to create XML schema collections in the database.
GRANT CREATE XML SCHEMA COLLECTION
TO TestLogin1;
GO
-- Now user can execute the previous CREATE XML SCHEMA COLLECTION statement.
SETUSER 'TestLogin1';
GO
CREATE XML SCHEMA COLLECTION myTestSchemaCollection AS '<?xml version="1.0" encoding="UTF-8" ?>
<xsd:schema targetNamespace="https://schemas.adventure-works.com/Additional/ContactInfo"
            xmlns:xsd="http://www.w3.org/2001/XMLSchema"
elementFormDefault="qualified">

<xsd:element name="AdditionalContactInfo" >
  <xsd:complexType mixed="true" >
    <xsd:sequence>
      <xsd:any processContents="strict"
               namespace="https://schemas.adventure-works.com/Contact/Record
                          https://schemas.adventure-works.com/AdditionalContactTypes"
               minOccurs="0" maxOccurs="unbounded" />
    </xsd:sequence>
  </xsd:complexType>
</xsd:element>
<xsd:element name="telephone" type="xsd:string" />
</xsd:schema>';
GO

-- Create a table by using the collection to type an XML column.
--TestLogin1 must have permission to create a table.
SETUSER;
GO
GRANT CREATE TABLE TO TestLogin1;
GO
-- The user also must have REFERENCES permission on the XML schema collection
-- to use it to create a typed XML column.
GRANT REFERENCES ON XML SCHEMA COLLECTION::myTestSchemaCollection
TO TestLogin1;
GO
-- Now user can create a table and use the XML schema collection to create
-- a typed XML column.
SETUSER 'TestLogin1';
GO
CREATE TABLE MyTestTable (xmlCol xml (dbo.myTestSchemaCollection));
GO
-- To insert data in the table, the user needs EXECUTE permission on the XML schema collection.
-- GRANT EXECUTE permission to TestLogin1 on the XML schema collection.
SETUSER;
GO
GRANT EXECUTE ON XML SCHEMA COLLECTION::myTestSchemaCollection
TO TestLogin1;
GO
-- TestLogin1 does not own the dbo schema. This user must have INSERT permission.
GRANT INSERT TO TestLogin1;
GO
-- Now the user can insert data into the table.
SETUSER 'TestLogin1';
GO
INSERT INTO MyTestTable VALUES('
<telephone xmlns="https://schemas.adventure-works.com/Additional/ContactInfo">111-1111</telephone>
');
GO
-- To query the table, TestLogin1 must have permissions: SELECT on the table and EXECUTE on the XML schema collection.
SETUSER
GO
GRANT SELECT TO TestLogin1;
GO
-- TestLogin1 already has EXECUTE permission on the schema (granted before inserting a record in the table).
SELECT xmlCol.query('declare default element namespace "https://schemas.adventure-works.com/Additional/ContactInfo"; /telephone[1]')
FROM MyTestTable;
GO
-- To show that the user must have EXECUTE permission to query, revoke the
-- previously granted permission and rerun the query.
SETUSER;
GO
REVOKE EXECUTE ON XML SCHEMA COLLECTION::myTestSchemaCollection to TestLogin1;
GO
-- Now TestLogin1 cannot execute the query.
SETUSER 'TestLogin1';
GO
SELECT xmlCol.query('declare default element namespace "https://schemas.adventure-works.com/Additional/ContactInfo"; /telephone[1]')
FROM MyTestTable;
GO
-- Final cleanup
SETUSER;
GO
USE master;
GO
DROP DATABASE SampleDBForSchemaPermissions;
GO
DROP LOGIN TestLogin1;
GO

C. Grant ALTER permission on an XML schema collection

A user must have ALTER permission to modify an existing XML schema collection in the database. The following example shows how to grant ALTER permission.

SETUSER;
GO
USE master;
GO
CREATE LOGIN TestLogin1 WITH password='SQLSvrPwd1';
GO
CREATE DATABASE SampleDBForSchemaPermissions;
GO
USE SampleDBForSchemaPermissions;
GO
CREATE USER TestLogin1;
GO
-- Grant permission to the user.
SETUSER;
GO
-- User must have ALTER permission on the relational schema in the database.
GRANT ALTER ON SCHEMA::dbo TO TestLogin1;
GO
-- User also must have permission to create XML schema collections in the database.
GRANT CREATE XML SCHEMA COLLECTION
TO TestLogin1;
GO
-- Now user can execute the previous CREATE XML SCHEMA COLLECTION statement.
SETUSER 'TestLogin1';
GO
CREATE XML SCHEMA COLLECTION myTestSchemaCollection AS '<?xml version="1.0" encoding="UTF-8" ?>
<xsd:schema targetNamespace="https://schemas.adventure-works.com/Additional/ContactInfo"
            xmlns:xsd="http://www.w3.org/2001/XMLSchema"
elementFormDefault="qualified">

<xsd:element name="AdditionalContactInfo" >
  <xsd:complexType mixed="true" >
    <xsd:sequence>
      <xsd:any processContents="strict"
               namespace="https://schemas.adventure-works.com/Contact/Record
                          https://schemas.adventure-works.com/AdditionalContactTypes"
               minOccurs="0" maxOccurs="unbounded" />
    </xsd:sequence>
  </xsd:complexType>
</xsd:element>
<xsd:element name="telephone" type="xsd:string" />
</xsd:schema>';
GO
-- Grant ALTER permission to TestLogin1.
SETUSER;
GO
GRANT ALTER ON XML SCHEMA COLLECTION::myTestSchemaCollection TO TestLogin1;
GO
-- TestLogin1 should be able to add components to the collection.
SETUSER 'TestLogin1';
GO
ALTER XML SCHEMA COLLECTION myTestSchemaCollection ADD '
<xsd:schema targetNamespace="https://schemas.adventure-works.com/Additional/ContactInfo"
            xmlns:xsd="http://www.w3.org/2001/XMLSchema"
            xmlns="https://schemas.adventure-works.com/Additional/ContactInfo"
elementFormDefault="qualified">
<xsd:element name="pager" type="xsd:string"/>
</xsd:schema>';
GO
-- Final cleanup
SETUSER;
GO
USE master;
GO
DROP DATABASE SampleDBForSchemaPermissions;
GO
DROP LOGIN TestLogin1;
GO

D. Grant TAKE OWNERSHIP permission on an XML schema collection

The following example shows how to transfer ownership of an XML schema collection from one user to another. To make the example more interesting, the two users work in different default relational schemas.

The example does the following:

  • Creates a database with two relational schemas, dbo and myOtherDBSchema.

  • Creates two users, TestLogin1 and TestLogin2. TestLogin2 becomes the owner of the myOtherDBSchema relational schema.

  • TestLogin1 creates an XML schema collection in the dbo relational schema.

  • TestLogin1 then grants TAKE OWNERSHIP permission on the XML schema collection to TestLogin2.

  • TestLogin2, whose default schema is myOtherDBSchema, becomes the owner of the XML schema collection; taking ownership does not by itself change the relational schema the collection belongs to.

CREATE LOGIN TestLogin1 with password='SQLSvrPwd1';
GO
CREATE LOGIN TestLogin2 with password='SQLSvrPwd2';
GO
CREATE DATABASE SampleDBForSchemaPermissions;
GO
USE SampleDBForSchemaPermissions;
GO
-- Create another relational schema in the database.
CREATE SCHEMA myOtherDBSchema;
GO
-- Create users in the database. Note TestLogin2's default schema is
-- myOtherDBSchema.
CREATE USER TestLogin1;
GO
CREATE USER TestLogin2 WITH DEFAULT_SCHEMA=myOtherDBSchema;
GO
-- TestLogin2 will own myOtherDBSchema relational schema.
ALTER AUTHORIZATION ON SCHEMA::myOtherDBSchema TO TestLogin2;
GO

-- For TestLogin1 to create XML schema collection, the following
-- permission is required.
GRANT CREATE XML SCHEMA COLLECTION
TO TestLogin1;
GO
GRANT ALTER ON SCHEMA::dbo TO TestLogin1;
GO
-- Now TestLogin1 can create an XML schema collection.
SETUSER 'TestLogin1';
GO
CREATE XML SCHEMA COLLECTION myTestSchemaCollection AS '<?xml version="1.0" encoding="UTF-8" ?>
<xsd:schema targetNamespace="https://schemas.adventure-works.com/Additional/ContactInfo"
            xmlns:xsd="http://www.w3.org/2001/XMLSchema"
elementFormDefault="qualified">

<xsd:element name="AdditionalContactInfo" >
<xsd:complexType mixed="true" >
    <xsd:sequence>
      <xsd:any processContents="strict"
               namespace="https://schemas.adventure-works.com/Contact/Record
                          https://schemas.adventure-works.com/AdditionalContactTypes"
               minOccurs="0" maxOccurs="unbounded" />
    </xsd:sequence>
</xsd:complexType>
</xsd:element>
<xsd:element name="telephone" type="xsd:string" />
</xsd:schema>';
GO

-- Grant TAKE OWNERSHIP to TestLogin2.
SETUSER;
GO
GRANT TAKE OWNERSHIP ON XML SCHEMA COLLECTION::dbo.myTestSchemaCollection
TO TestLogin2;
GO
-- Verify the owner. Note that UserName and principal_id are NULL: ownership is inherited from the relational schema owner.
SELECT user_name(sys.xml_schema_collections.principal_id) as UserName,
       sys.schemas.name as RelSchemaName,*
FROM   sys.xml_schema_collections
      JOIN sys.schemas
      ON sys.schemas.schema_id=sys.xml_schema_collections.schema_id;
GO
-- TestLogin2 can take ownership now.
SETUSER 'TestLogin2';
GO
ALTER AUTHORIZATION ON XML SCHEMA COLLECTION::dbo.myTestSchemaCollection
TO TestLogin2;
GO
-- Note that although TestLogin2 is the owner, the XML schema collection
-- is still in dbo.
SELECT user_name(sys.xml_schema_collections.principal_id) as UserName,
      sys.schemas.name as RelSchemaName,*
FROM sys.xml_schema_collections JOIN sys.schemas
     ON sys.schemas.schema_id=sys.xml_schema_collections.schema_id;
GO

-- TestLogin2 moves the collection from dbo to myOtherDBSchema relational schema.
-- TestLogin2 already has all necessary permissions.
-- 1) TestLogin2 owns the destination relational schema so he can alter it.
-- 2) TestLogin2 owns the XML schema collection (therefore, has CONTROL permission).
ALTER SCHEMA myOtherDBSchema
TRANSFER XML SCHEMA COLLECTION::dbo.myTestSchemaCollection;
GO

SELECT user_name(sys.xml_schema_collections.principal_id) as UserName,
       sys.schemas.name as RelSchemaName,*
FROM   sys.xml_schema_collections JOIN sys.schemas
       ON sys.schemas.schema_id=sys.xml_schema_collections.schema_id;
GO
-- Final cleanup
SETUSER;
GO
USE master;
GO
DROP DATABASE SampleDBForSchemaPermissions;
GO
DROP LOGIN TestLogin1;
DROP LOGIN TestLogin2;
GO

E. Grant VIEW DEFINITION permission on an XML schema collection

The following example shows how to grant VIEW DEFINITION permission on an XML schema collection.

SETUSER;
GO
USE master;
GO
IF EXISTS( SELECT * FROM sysdatabases WHERE name='permissionsDB' )
   DROP DATABASE permissionsDB;
GO
IF EXISTS( SELECT * FROM sys.sql_logins WHERE name='schemaUser' )
   DROP LOGIN schemaUser;
GO
CREATE DATABASE permissionsDB;
GO
CREATE LOGIN schemaUser WITH PASSWORD='Pass#123',DEFAULT_DATABASE=permissionsDB;
GO
GRANT CONNECT SQL TO schemaUser;
GO
USE permissionsDB;
GO
CREATE USER schemaUser WITH DEFAULT_SCHEMA=dbo;
GO
CREATE XML SCHEMA COLLECTION MySC AS '
<schema xmlns="http://www.w3.org/2001/XMLSchema" targetNamespace="http://ns"
xmlns:ns="http://ns">
   <simpleType name="ListOfIntegers">
      <list itemType="integer"/>
   </simpleType>
   <element name="root" type="ns:ListOfIntegers"/>
   <element name="gRoot" type="gMonth"/>
</schema>';
GO
-- schemaUser cannot see the contents of the collection.
SETUSER 'schemaUser';
GO
SELECT XML_SCHEMA_NAMESPACE(N'dbo',N'MySC');
GO

-- Grant schemaUser VIEW DEFINITION and REFERENCES permissions
-- on the XML schema collection.
SETUSER;
GO
GRANT VIEW DEFINITION ON XML SCHEMA COLLECTION::dbo.MySC TO schemaUser;
GO
GRANT REFERENCES ON XML SCHEMA COLLECTION::dbo.MySC TO schemaUser;
GO
-- Now schemaUser can see the content of the collection.
SETUSER 'schemaUser';
GO
SELECT XML_SCHEMA_NAMESPACE(N'dbo',N'MySC');
GO
-- Revoke schemaUser VIEW DEFINITION permissions
-- on the XML schema collection.
SETUSER;
GO
REVOKE VIEW DEFINITION ON XML SCHEMA COLLECTION::dbo.MySC FROM schemaUser;
GO
-- Now schemaUser cannot see the contents of
-- the collection.
SETUSER 'schemaUser';
GO
SELECT XML_SCHEMA_NAMESPACE(N'dbo',N'MySC');
GO

See also