Are good security practices and auto identity range mgmt mutually exclusive?

試著忘記壹切 提交于 2019-12-10 18:11:36

问题


I'm trying to use Automatic Identity Range Management. However, the only way to ensure my users can INSERT records in tables with identity columns is to make them db_owner. Am I missing something?


For full background please refer to my earlier question: Allow non-db_owner INSERT permissions in merge replication with auto identity range mgmt


回答1:


Apparently they are mutually exclusive.

Here is an excerpt from a Microsoft employee blog (note, this is not "official" documentation, but it's about as close as it gets):

Common Identity Range Problems

1) Account that makes inserts to the publisher or subscribed tables is not db_owner.

SQL 2005/8 subscribers have merge replication triggers that can adjust an exhausted primary range onto the secondary auxiliary range if the account making inserts is a member of db_owner role. Publishers can also refresh the range (create new Primary and Secondary Ranges) if the account connected is a member of db_owner role. However, if the account making inserts into the tables does not belong to the db_owner role, the triggers cannot make such adjustments. In this case, the Merge Agent needs to execute in order to make those adjustments before the range exhausts to avoid new inserts to fail or a member of db_owner must manually run the system stored procedure sp_adjustpublisheridentityrange (Transact-SQL).

WHAT!?!?! Who is out there writing database applications where the only users inserting records are db_owners?



来源:https://stackoverflow.com/questions/6113915/are-good-security-practices-and-auto-identity-range-mgmt-mutually-exclusive

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!