可以授予创建 XML 架构集合的权限,并授予对 XML 架构集合对象的权限。
授予创建 XML 架构集合的权限
若要创建 XML 架构集合,需要以下权限:
主体需要数据库级别的 CREATE XML SCHEMA COLLECTION 权限。
由于 XML 架构集合在关系架构范围内,因此主体还必须对关系架构拥有 ALTER 权限。
以下权限允许主体在服务器上的数据库中的关系架构中创建 XML 架构集合:
服务器上的控制权限
服务器上的 ALTER ANY DATABASE 权限
对数据库的 ALTER 权限
数据库中的控件权限
数据库中的 ALTER ANY SCHEMA 权限和 CREATE XML SCHEMA COLLECTION 权限
关系架构上的 ALTER 或 CONTROL 权限,以及数据库中 CREATE XML SCHEMA COLLECTION 的权限
以下示例使用了最后一种权限方法。
关系架构的所有者将成为在该架构中创建的 XML 架构集合的所有者。 然后,此所有者可以完全控制 XML 架构集合。 因此,此所有者可以修改 XML 架构集合、键入 xml 列或删除 XML 架构集合。
授予对 XML 架构集合对象的权限
XML 架构集合允许以下权限:
使用 ALTER XML SCHEMA COLLECTION 语句修改现有 XML 架构集合的内容时,需要 ALTER 权限。
CONTROL 权限允许用户对 XML 架构集合执行任何作。
需要 TAKE OWNERSHIP 权限才能将 XML 架构集合的所有权从一个主体转移到另一个主体。
REFERENCES 权限授权主体使用 XML 架构集合在表和视图和参数中键入或约束
xml类型列。 当一个 XML 架构集合引用另一个 XML 架构集合时,也需要 REFERENCES 权限。VIEW DEFINITION 权限允许主体通过XML_SCHEMA_NAMESPACE或通过目录视图查询 XML 架构集合的内容,前提是此主体还具有对该集合的 ALTER、REFERENCES 或 CONTROL 权限之一。
需要 EXECUTE 权限,以便根据 XML 架构集合来验证主体插入或更新的值,该集合对
xml类型的列、变量和参数进行类型定义或约束。 查询存储在这些列和变量中的 XML 时,还需要此权限。
例子
以下示例中的方案说明了 XML 架构权限的工作原理。 每个示例创建必要的测试数据库、关系架构和登录名。 这些登录名被授予必要的 XML 架构集合权限。 每个示例在结束时执行必要的清理工作。
答: 授予创建 XML 架构集合的权限
以下示例演示如何授予权限,以便主体可以创建 XML 架构集合。 该示例创建示例数据库和测试用户 TestLogin1。
TestLogin1 然后,为关系架构授予 ALTER 权限,并授予 CREATE XML SCHEMA COLLECTION 对数据库的权限。 使用这些权限, TestLogin1 成功创建示例 XML 架构集合。
SETUSER
GO
USE master
GO
CREATE LOGIN TestLogin1 WITH password='SQLSvrPwd1'
GO
CREATE DATABASE SampleDBForSchemaPermissions
GO
USE SampleDBForSchemaPermissions
GO
CREATE USER TestLogin1
GO
-- User must have ALTER permission on the relational schema in the database.
GRANT ALTER ON SCHEMA::dbo TO TestLogin1
GO
-- User also must have permission to create XML schema collections in the database.
GRANT CREATE XML SCHEMA COLLECTION
TO TestLogin1
GO
-- Execute CREATE XML SCHEMA COLLECTION.
SETUSER 'TestLogin1'
GO
CREATE XML SCHEMA COLLECTION myTestSchemaCollection AS '<?xml version="1.0" encoding="UTF-8" ?>
<xsd:schema targetNamespace="http://schemas.adventure-works.com/Additional/ContactInfo"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
elementFormDefault="qualified">
<xsd:element name="AdditionalContactInfo" >
<xsd:complexType mixed="true" >
<xsd:sequence>
<xsd:any processContents="strict"
namespace="http://schemas.adventure-works.com/Contact/Record
http://schemas.adventure-works.com/AdditionalContactTypes"
minOccurs="0" maxOccurs="unbounded" />
</xsd:sequence>
</xsd:complexType>
</xsd:element>
<xsd:element name="root" type="xsd:byte"/>
</xsd:schema>'
GO
-- Final cleanup
SETUSER
GO
USE master
GO
DROP DATABASE SampleDBForSchemaPermissions
GO
DROP LOGIN TestLogin1
GO
B. 授予使用现有 XML 架构集合的权限
以下示例进一步显示了 XML 架构集合的权限模型。 该示例演示创建和使用 XML 架构集合所需的不同权限。
该示例创建一个测试数据库和一个登录名 TestLogin1。
TestLogin1 在数据库中创建 XML 架构集合。 然后,登录过程创建一个表,并使用 XML 架构集合来创建一个具有类型的 xml 列。 然后,用户插入数据并对其进行查询。 所有这些步骤都需要必要的架构权限,如代码所示。
SETUSER
GO
USE master
GO
CREATE LOGIN TestLogin1 WITH password='SQLSvrPwd1'
GO
CREATE DATABASE SampleDBForSchemaPermissions
GO
USE SampleDBForSchemaPermissions
GO
CREATE USER TestLogin1
GO
-- Grant permission to the user.
SETUSER
GO
-- User must have ALTER permission on the relational schema in the database.
GRANT ALTER ON SCHEMA::dbo TO TestLogin1
GO
-- User also must have permission to create XML schema collections in the database.
GRANT CREATE XML SCHEMA COLLECTION
TO TestLogin1
GO
-- Now user can execute the previous CREATE XML SCHEMA COLLECTION statement.
SETUSER 'TestLogin1'
GO
CREATE XML SCHEMA COLLECTION myTestSchemaCollection AS '<?xml version="1.0" encoding="UTF-8" ?>
<xsd:schema targetNamespace="http://schemas.adventure-works.com/Additional/ContactInfo"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
elementFormDefault="qualified">
<xsd:element name="AdditionalContactInfo" >
<xsd:complexType mixed="true" >
<xsd:sequence>
<xsd:any processContents="strict"
namespace="http://schemas.adventure-works.com/Contact/Record
http://schemas.adventure-works.com/AdditionalContactTypes"
minOccurs="0" maxOccurs="unbounded" />
</xsd:sequence>
</xsd:complexType>
</xsd:element>
<xsd:element name="telephone" type="xsd:string" />
</xsd:schema>'
GO
-- Create a table by using the collection to type an XML column.
--TestLogin1 must have permission to create a table.
SETUSER
GO
GRANT CREATE TABLE TO TestLogin1
GO
-- The user also must have REFERENCES permission to use the XML schema collection
-- to create a typed XML column (REFERENCES permission on schema
-- collection is not needed).
GRANT REFERENCES ON XML SCHEMA COLLECTION::myTestSchemaCollection
TO TestLogin1
GO
-- Now user can create a table and use the XML schema collection to create
-- a typed XML column.
SETUSER 'TestLogin1'
GO
CREATE TABLE MyTestTable (xmlCol xml (dbo.myTestSchemaCollection))
GO
-- To insert data in the table, the user needs EXECUTE permission on the XML schema collection.
-- GRANT EXECUTE permission to TestLogin2 on the xml schema collection.
SETUSER
GO
GRANT EXECUTE ON XML SCHEMA COLLECTION::myTestSchemaCollection
TO TestLogin1
GO
-- TestLogin1 does not own the dbo schema. This user must have INSERT permission.
GRANT INSERT TO TestLogin1
GO
-- Now the user can insert data into the table.
SETUSER 'TestLogin1'
GO
INSERT INTO MyTestTable VALUES('
<telephone xmlns="http://schemas.adventure-works.com/Additional/ContactInfo">111-1111</telephone>
')
GO
-- To query the table, TestLogin1 must have permissions: SELECT on the table and EXECUTE on the XML schema collection.
SETUSER
GO
GRANT SELECT TO TestLogin1
GO
-- TestLogin1 already has EXECUTE permission on the schema (granted before inserting a record in the table).
SELECT xmlCol.query('declare default element namespace "http://schemas.adventure-works.com/Additional/ContactInfo" /telephone[1]')
FROM MyTestTable
GO
-- To show that the user must have EXECUTE permission to query, revoke the
-- previously granted permission and return the query.
SETUSER
GO
REVOKE EXECUTE ON XML SCHEMA COLLECTION::myTestSchemaCollection to TestLogin1
Go
-- Now TestLogin1 cannot execute the query.
SETUSER 'TestLogin1'
GO
SELECT xmlCol.query('declare default element namespace "http://schemas.adventure-works.com/Additional/ContactInfo" /telephone[1]')
FROM MyTestTable
GO
-- Final cleanup
SETUSER
GO
USE master
GO
DROP DATABASE SampleDBForSchemaPermissions
GO
DROP LOGIN TestLogin1
GO
C. 授予对 XML 架构集合的 ALTER 权限
用户必须具有 ALTER 权限才能修改数据库中的现有 XML 架构集合。 以下示例演示如何授予 ALTER 权限。
SETUSER
GO
USE master
GO
CREATE LOGIN TestLogin1 WITH password='SQLSvrPwd1'
GO
CREATE DATABASE SampleDBForSchemaPermissions
GO
USE SampleDBForSchemaPermissions
GO
CREATE USER TestLogin1
GO
-- Grant permission to the user.
SETUSER
GO
-- User must have ALTER permission on the relational schema in the database.
GRANT ALTER ON SCHEMA::dbo TO TestLogin1
GO
-- User also must have permission to create XML schema collections in the database.
GRANT CREATE XML SCHEMA COLLECTION
TO TestLogin1
GO
-- Now user can execute the previous CREATE XML SCHEMA COLLECTION statement.
SETUSER 'TestLogin1'
GO
CREATE XML SCHEMA COLLECTION myTestSchemaCollection AS '<?xml version="1.0" encoding="UTF-8" ?>
<xsd:schema targetNamespace="http://schemas.adventure-works.com/Additional/ContactInfo"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
elementFormDefault="qualified">
<xsd:element name="AdditionalContactInfo" >
<xsd:complexType mixed="true" >
<xsd:sequence>
<xsd:any processContents="strict"
namespace="http://schemas.adventure-works.com/Contact/Record
http://schemas.adventure-works.com/AdditionalContactTypes"
minOccurs="0" maxOccurs="unbounded" />
</xsd:sequence>
</xsd:complexType>
</xsd:element>
<xsd:element name="telephone" type="xsd:string" />
</xsd:schema>'
GO
-- Grant ALTER permission to TestLogin1.
setuser
GO
GRANT ALTER ON XML SCHEMA COLLECTION::myTestSchemaCollection TO TestLogin1
GO
-- TestLogin1 should be able to add components to the collection.
SETUSER 'TestLogin1'
GO
ALTER XML SCHEMA COLLECTION myTestSchemaCollection ADD '
<xsd:schema targetNamespace="http://schemas.adventure-works.com/Additional/ContactInfo"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns="http://schemas.adventure-works.com/Additional/ContactInfo"
elementFormDefault="qualified">
<xsd:element name="pager" type="xsd:string"/>
</xsd:schema>
'
Go
-- Final cleanup
SETUSER
GO
USE master
GO
DROP DATABASE SampleDBForSchemaPermissions
GO
DROP LOGIN TestLogin1
GO
D. 授予对 XML 架构集合的 TAKE OWNERSHIP 权限
以下示例演示如何将 XML 架构所有权从一个用户转移到另一个用户。 为了使示例更有趣,此示例中的用户在不同的默认关系架构中工作。
本示例执行以下操作:
创建具有两个关系架构的数据库,
dbo以及myOtherDBSchema。创建两个用户,
TestLogin1以及TestLogin2。 将TestLogin2设为myOtherDBSchema关系架构的所有者。TestLogin1在关系架构中创建dboXML 架构集合。TestLogin1然后授予TAKE OWNERSHIP对 XML 架构集合TestLogin2的权限。TestLogin2成为 XML 架构集合myOtherDBSchema的所有者,而不更改 XML 架构集合的关系架构。
CREATE LOGIN TestLogin1 with password='SQLSvrPwd1'
GO
CREATE LOGIN TestLogin2 with password='SQLSvrPwd2'
GO
CREATE DATABASE SampleDBForSchemaPermissions
GO
USE SampleDBForSchemaPermissions
GO
-- Create another relational schema in the database.
CREATE SCHEMA myOtherDBSchema
GO
-- Create users in the database. Note TestLogin2's default schema is
-- myOtherDBSchema.
CREATE USER TestLogin1
GO
CREATE USER TestLogin2 WITH DEFAULT_SCHEMA=myOtherDBSchema
GO
-- TestLogin2 will own myOtherDBSchema relational schema.
ALTER AUTHORIZATION ON SCHEMA::myOtherDBSchema TO TestLogin2
GO
-- For TestLogin1 to create XML schema collection, the following
-- permission is required.
GRANT CREATE XML SCHEMA COLLECTION
TO TestLogin1
GO
GRANT ALTER ON SCHEMA::dbo TO TestLogin1
GO
-- Now TestLogin1 can create an XML schema collection.
setuser 'TestLogin1'
GO
CREATE XML SCHEMA COLLECTION myTestSchemaCollection AS '<?xml version="1.0" encoding="UTF-8" ?>
<xsd:schema targetNamespace="http://schemas.adventure-works.com/Additional/ContactInfo"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
elementFormDefault="qualified">
<xsd:element name="AdditionalContactInfo" >
<xsd:complexType mixed="true" >
<xsd:sequence>
<xsd:any processContents="strict"
namespace="http://schemas.adventure-works.com/Contact/Record
http://schemas.adventure-works.com/AdditionalContactTypes"
minOccurs="0" maxOccurs="unbounded" />
</xsd:sequence>
</xsd:complexType>
</xsd:element>
<xsd:element name="telephone" type="xsd:string" />
</xsd:schema>'
GO
-- Grant TAKE OWNERSHIP to TestLogin2.
SETUSER
GO
GRANT TAKE OWNERSHIP ON XML SCHEMA COLLECTION::dbo.myTestSchemaCollection
TO TestLogin2
GO
-- Verify the owner. Note the UserName and Principal_id is null.
SELECT user_name(sys.xml_schema_collections.principal_id) as UserName,
sys.schemas.name as RelSchemaName,*
FROM sys.xml_schema_collections
JOIN sys.schemas
ON sys.schemas.schema_id=sys.xml_schema_collections.schema_id
GO
-- TestLogin2 can take ownership now.
setuser 'TestLogin2'
GO
ALTER AUTHORIZATION ON XML SCHEMA COLLECTION::dbo.myTestSchemaCollection
TO TestLogin2
GO
-- Note that although TestLogin2 is the owner,the XML schema collection
-- is still in dbo.
SELECT user_name(sys.xml_schema_collections.principal_id) as UserName,
sys.schemas.name as RelSchemaName,*
FROM sys.xml_schema_collections JOIN sys.schemas
ON sys.schemas.schema_id=sys.xml_schema_collections.schema_id
GO
-- TestLogin2 moves the collection from dbo to myOtherDBSchema relational schema.
-- TestLogin2 already has all necessary permissions.
-- 1) TestLogin2 owns the destination relational schema so he can alter it.
-- 2) TestLogin2 owns the XML schema collection (therefore, has CONTROL permission).
ALTER SCHEMA myOtherDBSchema
TRANSFER XML SCHEMA COLLECTION::dbo.myTestSchemaCollection
GO
SELECT user_name(sys.xml_schema_collections.principal_id) as UserName,
sys.schemas.name as RelSchemaName,*
FROM sys.xml_schema_collections JOIN sys.schemas
ON sys.schemas.schema_id=sys.xml_schema_collections.schema_id
GO
-- Final cleanup
SETUSER
GO
USE master
GO
DROP DATABASE SampleDBForSchemaPermissions
GO
DROP LOGIN TestLogin1
DROP LOGIN TestLogin2
go
E. 授予对 XML 架构集合的 VIEW DEFINITION 权限
以下示例演示如何为 XML 架构集合授予 VIEW DEFINITION 权限。
SETUSER
GO
USE master
GO
IF EXISTS( SELECT * FROM sysdatabases WHERE name='permissionsDB' )
DROP DATABASE permissionsDB
GO
IF EXISTS( SELECT * FROM sys.sql_logins WHERE name='schemaUser' )
DROP LOGIN schemaUser
GO
CREATE DATABASE permissionsDB
GO
CREATE LOGIN schemaUser WITH PASSWORD='Pass#123',DEFAULT_DATABASE=permissionsDB
GO
GRANT CONNECT SQL TO schemaUser
GO
USE permissionsDB
GO
CREATE USER schemaUser WITH DEFAULT_SCHEMA=dbo
GO
CREATE XML SCHEMA COLLECTION MySC AS '
<schema xmlns="http://www.w3.org/2001/XMLSchema" targetNamespace="http://ns"
xmlns:ns="http://ns">
<simpleType name="ListOfIntegers">
<list itemType="integer"/>
</simpleType>
<element name="root" type="ns:ListOfIntegers"/>
<element name="gRoot" type="gMonth"/>
</schema>
'
GO
-- schemaUser cannot see the contents of the collection.
SETUSER 'schemaUser'
GO
SELECT XML_SCHEMA_NAMESPACE(N'dbo',N'MySC')
GO
-- Grant schemaUser VIEW DEFINITION and REFERENCES permissions
-- on the XML schema collection.
SETUSER
GO
GRANT VIEW DEFINITION ON XML SCHEMA COLLECTION::dbo.MySC TO schemaUser
GO
GRANT REFERENCES ON XML SCHEMA COLLECTION::dbo.MySC TO schemaUser
GO
-- Now schemaUser can see the content of the collection.
SETUSER 'schemaUser'
GO
SELECT XML_SCHEMA_NAMESPACE(N'dbo',N'MySC')
GO
-- Revoke schemaUser VIEW DEFINITION permissions
-- on the XML schema collection.
SETUSER
GO
REVOKE VIEW DEFINITION ON XML SCHEMA COLLECTION::dbo.MySC FROM schemaUser
GO
-- Now schemaUser cannot see the contents of
-- the collection.
setuser 'schemaUser'
GO
SELECT XML_SCHEMA_NAMESPACE(N'dbo',N'MySC')
GO
另请参阅
XML 数据 (SQL Server)
类型化的 XML 与非类型化的 XML 的比较
XML 架构集合 (SQL Server)
服务器上的 XML 架构集合的要求和限制