DENY table SELECT, GRANT stored proc EXEC, but EXECUTE a string

From: Dave (davena@my-deja.com)
Date: 07/09/02 

From: davena@my-deja.com (Dave)
Date: 9 Jul 2002 10:04:36 -0700

I am trying to prevent access to a SQL Server 2000 database from other
than our web app. Our users have a long history of linking tables
from Access and other such tools, but in this particular database
there is some legally confidential data, such as names of kids up for
adoption.

I have a Windows group named CPS_ILP. I have a server group named the
same [qa-web-1\cps_ilp]. I wrote a script that GRANTS EXECUTE to
every stored procedure in the database to [qa-web-1\cps_ilp] and DENY
SELECT, INSERT, UPDATE, DELETE on all tables TO [qa-web-1\cps_ilp].
So members of the cps_ilp global group are able to run our web app
which executes stored procs but are not able to get anything with
query analyzer or Access. The trouble we are having is that the
programmer EXECUTEs a string dynamically to get data out of tables,
like so:

SET @Str = 'SELECT Name, Address, Phone FROM tblHousing'
EXECUTE @Str

Access is denied because SQL Server thinks we are SELECTing directly.
There is a statement somewhere earlier on usenet that says that if we
were using static statements in our stored procs instead of EXECUTE,
we wouldn't be having this problem. It doesn't say why or give a
workaround. We really need to be able to EXECUTE like we are now.
Any ideas how we can accomplish this? Thanks, Dave

Relevant Pages

  • Re: Execute Persmission denied on object sp_OACreate
    ... > SQL Server is creating a job behind the scenes. ... > permissions. ... > SA account password and gaining access to the database. ... >>> How can get a user permissions to execute these stored procedures ...
    (microsoft.public.sqlserver.security)
  • RE: xp_cmdshell, ownership chaining, sql 2000
    ... Cross database ownership chaining enabled ... The procedure is called by a crystal report. ... If I log in to SQL Server through SSMS 2005 using the same user as the ... I get the following error when attempting to execute ...
    (microsoft.public.sqlserver.programming)
  • xp_cmdshell, ownership chaining, sql 2000
    ... Cross database ownership chaining enabled ... The procedure is called by a crystal report. ... If I log in to SQL Server through SSMS 2005 using the same user as the ... I get the following error when attempting to execute ...
    (microsoft.public.sqlserver.programming)
  • Re: Data migration questions?
    ... Use SSIS or the SqlBulkCopy class to import the data into SQL Server. ... Anyone who has read my books knows that I'm not in favor of including BLOBs in the database. ... "Mervin Williams" wrote in message ... should I use a DataSet to bring the data down to the local machine that will run the code and execute the transformation logic from it. ...
    (microsoft.public.dotnet.framework.adonet)
  • Re: Problem with bulk load security.
    ... Then I defined the procedure using 'with execute as self'. ... database is trustworthy, you cannot get rights outside the database. ... One is to make the database trustworthy, ... Links for SQL Server Books Online: ...
    (microsoft.public.sqlserver.security)