1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
|
syntax = "proto3";
package yandex.cloud.mdb.sqlserver.v1;
import "yandex/cloud/validation.proto";
option go_package = "github.com/yandex-cloud/go-genproto/yandex/cloud/mdb/sqlserver/v1;sqlserver";
option java_outer_classname = "PSU";
option java_package = "yandex.cloud.api.mdb.sqlserver.v1";
// An SQL Server user.
message User {
// Name of the SQL Server user.
string name = 1;
// ID of the SQL Server cluster the user belongs to.
string cluster_id = 2;
// Set of permissions granted to the user.
repeated Permission permissions = 3;
//Set of server roles granted to the login.
repeated ServerRole server_roles = 4;
}
message Permission {
// Role granted to the user within the database.
enum Role {
ROLE_UNSPECIFIED = 0;
// Members of this fixed database role can perform all configuration and maintenance activities on a database and can also drop a database in SQL Server.
DB_OWNER = 1;
// Members of this fixed database role can modify role membership for custom roles only and manage permissions. They can potentially elevate their privileges and their actions should be monitored.
DB_SECURITYADMIN = 2;
// Members of this fixed database role can add or remove access to a database for Windows logins, Windows groups, and SQL Server logins.
DB_ACCESSADMIN = 3;
// Members of this fixed database role can back up the database.
DB_BACKUPOPERATOR = 4;
// Members of this fixed database role can run any Data Definition Language (DDL) command in a database.
DB_DDLADMIN = 5;
// Members of this fixed database role can add, delete, or change data in all user tables.
DB_DATAWRITER = 6;
// Members of this fixed database role can read all data from all user tables.
DB_DATAREADER = 7;
// Members of this fixed database role cannot add, modify, or delete any data in the user tables within a database. A denial has a higher priority than a grant, so you can use this role to quickly restrict one's privileges without explicitly revoking permissions or roles.
DB_DENYDATAWRITER = 8;
// Members of this fixed database role cannot read any data in the user tables within a database. A denial has a higher priority than a grant, so you can use this role to quickly restrict one's privileges without explicitly revoking permissions or roles.
DB_DENYDATAREADER = 9;
}
// Name of the database the permission grants access to.
string database_name = 1;
// Roles granted to the user within the database.
repeated Role roles = 2 [(size) = ">=1"];
}
message UserSpec {
// Name of the SQL Server user.
string name = 1 [(required) = true, (length) = "<=32", (pattern) = "[a-zA-Z0-9_]*"];
// Password of the SQL Server user.
string password = 2 [(required) = true, (length) = "8-128"];
// Set of permissions to grant to the user.
repeated Permission permissions = 3;
// Set of server roles.
repeated ServerRole server_roles = 4;
}
// Set of server roles.
enum ServerRole {
SERVER_ROLE_UNSPECIFIED = 0;
// Effectively grants VIEW SERVER STATE to the login.
//
// That gives an ability to use various dynamic management views to monitor server state, including Activity Monitor tool that is built-in into SSMS.
//
// No intrusive actions are allowed, so this is pretty safe to grant.
MDB_MONITOR = 1;
}
|
