Question
We have an SSDT project which includes users, roles and permissions. It was working very nicely, but a recent move to Azure has caused, or possibly highlighted, a problem with deployment.
Before Azure, certain project members had a user on the master db with sufficient permissions to publish databases. In Azure SQL Db, there is only one admin user, and those credentials shouldn't be shared around. So instead we thought we'd use sufficiently permissioned contained database users to publish. This doesn't work for permissions granted on schemas and types.
To give an example, say we have the following in our project:
CREATE USER Bob;
CREATE ROLE WhatARole;
ALTER ROLE WhatARole ADD MEMBER Bob;
GO
CREATE PROCEDURE dbo.DoStuff
AS SELECT 1;
GO
GRANT EXECUTE ON OBJECT::dbo.DoStuff TO WhatARole AS dbo; -- works fine
GO
CREATE TYPE dbo.SomeType AS TABLE
(
    Name varchar(50) NOT NULL
);
GO
GRANT EXECUTE ON TYPE::dbo.SomeType TO WhatARole AS dbo; -- doesn't work well
GO
CREATE SCHEMA Blah;
GO
GRANT SELECT ON SCHEMA::Blah TO WhatARole AS dbo; -- also doesn't work well
The problem is that the publish plays up when granting permissions on schemas and types. Without there being any project changes since the last deployment, the publish script revokes permissions and then grants them again, for no apparent reason. (It was doing this on object permissions too, but we found we could prevent it by specifying AS dbo after each grant.) This adds a lot of noise and churn to each db deployment, which is something we want to avoid. And it doesn't happen if I use the Azure SQL Server admin login to publish.
Any help much appreciated. What types of users, with what permissions, do people use to publish from SSDT to Azure SQL Db, when roles and permissions are included in the project?
UPDATE
An example user that authenticates at the database used for publishing, which sees permissions on types and schemas being needlessly dropped and recreated on each publish:
CREATE USER OpsPerson1
WITH PASSWORD = 'some password';
GO
ALTER ROLE db_owner ADD MEMBER OpsPerson1;
I've tried several things to try to make it work, e.g. specifying a default schema, adding the user to db_ddladmin and db_securityadmin, but no dice.
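Since the AS dbo clause in the question sets the grantor recorded for each permission, a useful check before changing the publish user is to list the grantor that each of the role's permissions actually ended up with after a publish. The query below is an added diagnostic, not part of the question; it assumes the role name WhatARole from the example above, and that a grantor other than dbo is what makes the deployed state differ from the project model (an assumption, not something the question states).

```sql
-- Added diagnostic (not from the question): show grantee and grantor for every
-- permission held by the role, across object, schema and type securables.
-- Assumption: rows whose grantor is not dbo are the ones a contained publish
-- user granted itself, and the ones worth comparing against the project.
SELECT
    p.class_desc,
    CASE p.class
        WHEN 1 THEN OBJECT_SCHEMA_NAME(p.major_id) + '.' + OBJECT_NAME(p.major_id) -- OBJECT_OR_COLUMN
        WHEN 3 THEN SCHEMA_NAME(p.major_id)                                         -- SCHEMA
        WHEN 6 THEN SCHEMA_NAME(t.schema_id) + '.' + t.name                         -- TYPE
        ELSE CONVERT(varchar(20), p.major_id)
    END AS securable,
    p.permission_name,
    p.state_desc,
    grantee.name AS grantee,
    grantor.name AS grantor
FROM sys.database_permissions AS p
JOIN sys.database_principals AS grantee
    ON grantee.principal_id = p.grantee_principal_id
JOIN sys.database_principals AS grantor
    ON grantor.principal_id = p.grantor_principal_id
LEFT JOIN sys.types AS t
    ON p.class = 6 AND t.user_type_id = p.major_id   -- type permissions key on user_type_id
WHERE grantee.name = N'WhatARole'   -- constructed value: role from the example above
ORDER BY p.class, securable, p.permission_name;
```

Run it once after a publish by the admin login and once after a publish by the contained user; a difference in the grantor column for the schema and type rows is the thing to compare against the revoke/grant pairs in the generated publish script.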
Source: https://stackoverflow.com/questions/60490589/ssdt-dropping-and-recreating-permissions-when-deploying-to-azure-as-database-use