Re: Security level to run SP_OA... Procedures

From: Dan Guzman (danguzman_at_nospam-earthlink.net)
Date: 08/07/03 

Date: Thu, 7 Aug 2003 08:22:44 -0500

I'm not sure why you are executing sp_OA* procs here since you can
access COM objects directly from DTS using VBScript. The only rationale
I can think of is that your DTS package runs on the client and you need
to invoke the object on the server for some reason.

Cross-database ownership chaining allows you to lock down access to the
sp_OA* procs as well as other master database stored procedures. You
can implement this as follows and should do so only if you fully trust
users with rights to create dbo-owned objects.

1) Encapsulate your T-SQL code in a stored procedure. The proc must be
owned by 'dbo' and the user database owned by 'sa'. You can change db
ownership with sp_changedbowner, if necessary.

2) If you are using SQL 2000 SP3, enable cross-database chaining in the
user database.

3) Configure the SQL Agent proxy account. You can do this from
Enterprise Manager under Management --> SQL Agent properties --> Job
System. Uncheck the 'Only users with sysadmin privileges...' checkbox.

4) No sp_OA* permissions are needed. Users need only execute
permission on your user procedure. 

-- 
Hope this helps.
Dan Guzman
SQL Server MVP
-----------------------
SQL FAQ links (courtesy  Neil Pike):
http://www.ntfaq.com/Articles/Index.cfm?DepartmentID=800
http://www.sqlserverfaq.com
http://www.mssqlserver.com/faq
-----------------------
"Ric Pullen" <Richard.Pullen-REMOVESPAM@Hospital.nhs.uk> wrote in
message news:unMtNJNXDHA.1900@TK2MSFTNGP10.phx.gbl...
> I have created a DTSpackageExecute (found on the web) that uses the
> sp_OACreate, spOA_Method, spOA_getproperty and spOA_Destroy.
>
> My application uses SQL authentication, and access levels are
determined
> within the application on who can run what.
>
> This sp executes a package for a couple of users only to extract data
in a
> CSV format for manual uploading to another system. (has to be this
way).
>
> Can anyone tell me where abouts do i need to set the security to run
this
> sp.
>
> What is the minimum level of access do i have to create to run the
sp_OA...
> procedures.
>
> Thanks for your help.
>
>
>

Relevant Pages

  • Re: LINQ Queries vs Stored Procs
    ... Stored Procedures, you can limit the user to only executing stored ... most sql injection attacks, which are more possible with dynamic sql. ... Also about the security aspects: it's not as you claim it to be: I can ... I as a user in Marketing have to use your app which uses procs and I ...
    (microsoft.public.dotnet.languages.csharp)
  • Re: basic question
    ... Currently we have are doing calculations via stored procedures ... in which case *I* would like to have them run on the SQL server ... procs are doing. ...
    (microsoft.public.dotnet.general)
  • Re: Critique my LINQ to SQL strategy using stored procs, please
    ... LINQ to SQL seems like a good option for our data access needs, ... All business logic will reside in the stored procs (company ... Using LINQ to SQL, create a single LINQ to SQL dbml ... The power is the use of LINQ to work with the virtual database, which using all stored procedures defeats the purpose of using LINQ-To-SQL. ...
    (microsoft.public.dotnet.languages.csharp)
  • Re: SQL Injection Prevention
    ... executing select sql statement - its about feeding user input to SQL parser. ... vulnerable to sql injection. ... > Provided you don't use dynamic SQL in your stored procedures, AFAIK, you ...
    (microsoft.public.sqlserver.server)
  • Re: SQL Injection Prevention
    ... executing select sql statement - its about feeding user input to SQL parser. ... vulnerable to sql injection. ... > Provided you don't use dynamic SQL in your stored procedures, AFAIK, you ...
    (microsoft.public.dotnet.security)