DENY 服务器权限 (Transact-SQL)DENY Server Permissions (Transact-SQL)

适用对象:是SQL Server 是Azure SQL 数据库 否Azure Synapse Analytics (SQL DW) 否并行数据仓库 APPLIES TO: yesSQL Server yesAzure SQL Database noAzure Synapse Analytics (SQL DW) noParallel Data Warehouse

拒绝服务器的权限。Denies permissions on a server.

主题链接图标 Transact-SQL 语法约定Topic link icon Transact-SQL Syntax Conventions

语法Syntax

DENY permission [ ,...n ]   
    TO <grantee_principal> [ ,...n ]  
    [ CASCADE ]  
    [ AS <grantor_principal> ]   
  
<grantee_principal> ::= SQL_Server_login   
    | SQL_Server_login_mapped_to_Windows_login  
    | SQL_Server_login_mapped_to_Windows_group  
    | SQL_Server_login_mapped_to_certificate  
    | SQL_Server_login_mapped_to_asymmetric_key  
    | server_role  
  
<grantor_principal> ::= SQL_Server_login   
    | SQL_Server_login_mapped_to_Windows_login  
    | SQL_Server_login_mapped_to_Windows_group  
    | SQL_Server_login_mapped_to_certificate  
    | SQL_Server_login_mapped_to_asymmetric_key  
    | server_role  

参数Arguments

permission permission
指定可对服务器拒绝的权限。Specifies a permission that can be denied on a server. 有关权限的列表,请参阅本主题后面的“备注”部分。For a list of the permissions, see the Remarks section later in this topic.

CASCADECASCADE
指示拒绝授予指定主体该权限,同时,对该主体授予了该权限的所有其他主体,也拒绝授予该权限。Indicates that the permission is denied to the specified principal and to all other principals to which the principal granted the permission. 当主体具有带 GRANT OPTION 的权限时,为必选项。Required when the principal has the permission with GRANT OPTION.

TO <server_principal>TO <server_principal>
指定对其拒绝权限的主体。Specifies the principal to which the permission is denied.

AS <grantor_principal>AS <grantor_principal>
指定执行此查询的主体要从哪个主体派生其拒绝该权限的权利。Specifies the principal from which the principal executing this query derives its right to deny the permission. 使用 AS principal 子句指示:记录为权限的拒绝者的主体应为执行该语句的用户以外的主体。Use the AS principal clause to indicate that the principal recorded as the denier of the permission should be a principal other than the person executing the statement. 例如,假设用户 Mary 是 principal_id 12,用户 Raul 是主体 15。For example, presume that user Mary is principal_id 12 and user Raul is principal 15. Mary 执行 DENY SELECT ON OBJECT::X TO Steven WITH GRANT OPTION AS Raul; 现在,即使语句的实际执行者是用户 13 (Mary),sys.database_permissions 表仍将指示 deny 语句的 grantor_prinicpal_id 为 15 (Raul)。Mary executes DENY SELECT ON OBJECT::X TO Steven WITH GRANT OPTION AS Raul; Now the sys.database_permissions table will indicate that the grantor_prinicpal_id of the deny statement was 15 (Raul) even though the statement was actually executed by user 13 (Mary).

在此语句中使用 AS 并不意味着能够模拟其他用户。The use of AS in this statement does not imply the ability to impersonate another user.

SQL_Server_login SQL_Server_login
指定 SQL ServerSQL Server 登录名。Specifies a SQL ServerSQL Server login.

SQL_Server_login_mapped_to_Windows_login SQL_Server_login_mapped_to_Windows_login
指定映射到 Windows 登录名的 SQL ServerSQL Server 登录名。Specifies a SQL ServerSQL Server login mapped to a Windows login.

SQL_Server_login_mapped_to_Windows_group SQL_Server_login_mapped_to_Windows_group
指定映射到 Windows 组的 SQL ServerSQL Server 登录名。Specifies a SQL ServerSQL Server login mapped to a Windows group.

SQL_Server_login_mapped_to_certificate SQL_Server_login_mapped_to_certificate
指定映射到证书的 SQL ServerSQL Server 登录名。Specifies a SQL ServerSQL Server login mapped to a certificate.

SQL_Server_login_mapped_to_asymmetric_key SQL_Server_login_mapped_to_asymmetric_key
指定映射到非对称密钥的 SQL ServerSQL Server 登录名。Specifies a SQL ServerSQL Server login mapped to an asymmetric key.

server_role server_role
指定服务器角色。Specifies a server role.

备注Remarks

只有在当前数据库为 master 时,才可拒绝其服务器范围内的权限。Permissions at the server scope can be denied only when the current database is master.

可以在 sys.server_permissions 目录视图中查看有关服务器权限的信息;在 sys.server_principals 目录视图中查看有关服务器主体的信息。Information about server permissions can be viewed in the sys.server_permissions catalog view, and information about server principals can be viewed in the sys.server_principals catalog view. 以及在 sys.server_role_members 目录视图中查看有关服务器角色成员身份的信息。Information about membership of server roles can be viewed in the sys.server_role_members catalog view.

服务器是权限层次结构的最高级别。A server is the highest level of the permissions hierarchy. 下表列出了可拒绝的对服务器最为具体的限定权限。The most specific and limited permissions that can be denies on a server are listed in the following table.

服务器权限Server permission 服务器权限隐含的权限Implied by server permission
ADMINISTER BULK OPERATIONSADMINISTER BULK OPERATIONS CONTROL SERVERCONTROL SERVER
ALTER ANY AVAILABILITY GROUPALTER ANY AVAILABILITY GROUP

适用范围SQL ServerSQL ServerSQL Server 2012 (11.x)SQL Server 2012 (11.x)当前版本)。Applies to: SQL ServerSQL Server (SQL Server 2012 (11.x)SQL Server 2012 (11.x) through current version).
CONTROL SERVERCONTROL SERVER
ALTER ANY CONNECTIONALTER ANY CONNECTION CONTROL SERVERCONTROL SERVER
ALTER ANY CREDENTIALALTER ANY CREDENTIAL CONTROL SERVERCONTROL SERVER
ALTER ANY DATABASEALTER ANY DATABASE CONTROL SERVERCONTROL SERVER
ALTER ANY ENDPOINTALTER ANY ENDPOINT CONTROL SERVERCONTROL SERVER
ALTER ANY EVENT NOTIFICATIONALTER ANY EVENT NOTIFICATION CONTROL SERVERCONTROL SERVER
ALTER ANY EVENT SESSIONALTER ANY EVENT SESSION CONTROL SERVERCONTROL SERVER
ALTER ANY LINKED SERVERALTER ANY LINKED SERVER CONTROL SERVERCONTROL SERVER
ALTER ANY LOGINALTER ANY LOGIN CONTROL SERVERCONTROL SERVER
ALTER ANY SERVER AUDITALTER ANY SERVER AUDIT CONTROL SERVERCONTROL SERVER
ALTER ANY SERVER ROLEALTER ANY SERVER ROLE

适用范围SQL ServerSQL ServerSQL Server 2012 (11.x)SQL Server 2012 (11.x)当前版本)。Applies to: SQL ServerSQL Server (SQL Server 2012 (11.x)SQL Server 2012 (11.x) through current version).
CONTROL SERVERCONTROL SERVER
ALTER RESOURCESALTER RESOURCES CONTROL SERVERCONTROL SERVER
ALTER SERVER STATEALTER SERVER STATE CONTROL SERVERCONTROL SERVER
ALTER SETTINGSALTER SETTINGS CONTROL SERVERCONTROL SERVER
ALTER TRACEALTER TRACE CONTROL SERVERCONTROL SERVER
AUTHENTICATE SERVERAUTHENTICATE SERVER CONTROL SERVERCONTROL SERVER
CONNECT ANY DATABASECONNECT ANY DATABASE

适用范围SQL ServerSQL ServerSQL Server 2014 (12.x)SQL Server 2014 (12.x)当前版本)。Applies to: SQL ServerSQL Server (SQL Server 2014 (12.x)SQL Server 2014 (12.x) through current version).
CONTROL SERVERCONTROL SERVER
CONNECT SQLCONNECT SQL CONTROL SERVERCONTROL SERVER
CONTROL SERVERCONTROL SERVER CONTROL SERVERCONTROL SERVER
CREATE ANY DATABASECREATE ANY DATABASE ALTER ANY DATABASEALTER ANY DATABASE
CREATE AVAILABILITY GROUPCREATE AVAILABILITY GROUP

适用范围SQL ServerSQL ServerSQL Server 2012 (11.x)SQL Server 2012 (11.x)当前版本)。Applies to: SQL ServerSQL Server (SQL Server 2012 (11.x)SQL Server 2012 (11.x) through current version).
ALTER ANY AVAILABILITY GROUPALTER ANY AVAILABILITY GROUP
CREATE DDL EVENT NOTIFICATIONCREATE DDL EVENT NOTIFICATION ALTER ANY EVENT NOTIFICATIONALTER ANY EVENT NOTIFICATION
CREATE ENDPOINTCREATE ENDPOINT ALTER ANY ENDPOINTALTER ANY ENDPOINT
CREATE SERVER ROLECREATE SERVER ROLE

适用范围SQL ServerSQL ServerSQL Server 2012 (11.x)SQL Server 2012 (11.x)当前版本)。Applies to: SQL ServerSQL Server (SQL Server 2012 (11.x)SQL Server 2012 (11.x) through current version).
ALTER ANY SERVER ROLEALTER ANY SERVER ROLE
CREATE TRACE EVENT NOTIFICATIONCREATE TRACE EVENT NOTIFICATION ALTER ANY EVENT NOTIFICATIONALTER ANY EVENT NOTIFICATION
EXTERNAL ACCESS ASSEMBLYEXTERNAL ACCESS ASSEMBLY CONTROL SERVERCONTROL SERVER
IMPERSONATE ANY LOGINIMPERSONATE ANY LOGIN

适用范围SQL ServerSQL ServerSQL Server 2014 (12.x)SQL Server 2014 (12.x)当前版本)。Applies to: SQL ServerSQL Server (SQL Server 2014 (12.x)SQL Server 2014 (12.x) through current version).
CONTROL SERVERCONTROL SERVER
SELECT ALL USER SECURABLESSELECT ALL USER SECURABLES

适用范围SQL ServerSQL ServerSQL Server 2014 (12.x)SQL Server 2014 (12.x)当前版本)。Applies to: SQL ServerSQL Server (SQL Server 2014 (12.x)SQL Server 2014 (12.x) through current version).
CONTROL SERVERCONTROL SERVER
关机SHUTDOWN CONTROL SERVERCONTROL SERVER
UNSAFE ASSEMBLYUNSAFE ASSEMBLY CONTROL SERVERCONTROL SERVER
VIEW ANY DATABASEVIEW ANY DATABASE VIEW ANY DEFINITIONVIEW ANY DEFINITION
VIEW ANY DEFINITIONVIEW ANY DEFINITION CONTROL SERVERCONTROL SERVER
VIEW SERVER STATEVIEW SERVER STATE ALTER SERVER STATEALTER SERVER STATE

备注Remarks

SQL Server 2014 (12.x)SQL Server 2014 (12.x) 中添加了以下三个服务器权限。The following three server permissions were added in SQL Server 2014 (12.x)SQL Server 2014 (12.x).

CONNECT ANY DATABASE 权限 CONNECT ANY DATABASE Permission
将 CONNECT ANY DATABASE 授予某个登录名,该登录名必须连接到当前存在的所有数据库和将来可能创建的任何新数据库。 Grant CONNECT ANY DATABASE to a login that must connect to all databases that currently exist and to any new databases that might be created in future. 不要在任何数据库中授予超过连接的任何权限。Does not grant any permission in any database beyond connect. 与 SELECT ALL USER SECURABLES 或 VIEW SERVER STATE 结合使用,可审核进程查看所有数据或 实例上的所有数据库状态。 SQL ServerSQL ServerCombine with SELECT ALL USER SECURABLES or VIEW SERVER STATE to allow an auditing process to view all data or all database states on the instance of SQL ServerSQL Server.

IMPERSONATE ANY LOGIN 权限 IMPERSONATE ANY LOGIN Permission
授予后,当连接到数据库时,允许中间层进程模拟连接到它的客户端帐户。When granted, allows a middle-tier process to impersonate the account of clients connecting to it, as it connects to databases. 被拒绝时,高特权的登录名可以阻止模拟其他登录名。When denied, a high privileged login can be blocked from impersonating other logins. 例如,可通过模拟其他登录名来阻止具有 CONTROL SERVER 权限的登录名。 For example, a login with CONTROL SERVER permission can be blocked from impersonating other logins.

SELECT ALL USER SECURABLES 权限 SELECT ALL USER SECURABLES Permission
授予后,作者等登录名可以查看用户可连接到的所有数据库中的数据。When granted, a login such as an auditor can view data in all databases that the user can connect to. 被拒绝时,阻止访问对象,除非这些对象处于 sys 架构中。 When denied, prevents access to objects unless they are in the sys schema.

权限Permissions

要求具有 CONTROL SERVER 权限或者安全对象的所有权。Requires CONTROL SERVER permission or ownership of the securable. 如果使用 AS 子句,则指定的主体必须拥有要对其拒绝权限的安全对象。If you use the AS clause, the specified principal must own the securable on which permissions are being denied.

示例Examples

A.A. 对 SQL Server 登录名和该登录名重新授予 CONNECT SQL 权限的主体拒绝该权限Denying CONNECT SQL permission to a SQL Server login and principals to which the login has regranted it

以下示例对 CONNECT SQL 登录名 SQL ServerSQL Server 以及该登录名授予 Annika 权限的主体拒绝该权限。The following example denies CONNECT SQL permission to the SQL ServerSQL Server login Annika and to the principals to which she has granted the permission.

USE master;  
DENY CONNECT SQL TO Annika CASCADE;  
GO  

B.B. 使用 AS 选项对 SQL Server 登录名拒绝 CREATE ENDPOINT 权限Denying CREATE ENDPOINT permission to a SQL Server login using the AS option

以下示例对用户 CREATE ENDPOINT 拒绝 ArifS 权限。The following example denies CREATE ENDPOINT permission to the user ArifS. 该示例使用 AS 选项指定 MandarP 作为执行主体从中派生执行权限的主体。The example uses the AS option to specify MandarP as the principal from which the executing principal derives the authority to do so.

USE master;  
DENY CREATE ENDPOINT TO ArifS AS MandarP;  
GO  

另请参阅See Also

GRANT (Transact-SQL) GRANT (Transact-SQL)
DENY (Transact-SQL) DENY (Transact-SQL)
DENY 服务器权限 (Transact-SQL) DENY Server Permissions (Transact-SQL)
REVOKE 服务器权限 (Transact-SQL) REVOKE Server Permissions (Transact-SQL)
权限层次结构(数据库引擎) Permissions Hierarchy (Database Engine)
sys.fn_builtin_permissions (Transact-SQL) sys.fn_builtin_permissions (Transact-SQL)
sys.fn_my_permissions (Transact-SQL) sys.fn_my_permissions (Transact-SQL)
HAS_PERMS_BY_NAME (Transact-SQL)HAS_PERMS_BY_NAME (Transact-SQL)