Re: Security context of stored procedure

From: SQL Dude (noreturn_at_hotmail.com)
Date: 03/02/04


Date: Mon, 1 Mar 2004 19:10:44 -0800

The user id of stored proc 1 is the owner of the sp.
Look in Enterprise Manager and list the procedures; there is a column for the
owner. It is recommended that all objects be owned by dbo, so my guess from
here is that the stored proc is dbo.StoredProc1, owned by dbo. If the proc
lists the contents of the table, then anyone with execute permissions can
run the proc and list the contents of the table. If you don't want this,
consider creating more than one proc, some that expose less of the table to
users that don't need to list the entire table.

Bill
"A.M" <IHateSpam@sapm123.com> wrote in message
news:ejI5HJ%23$DHA.552@TK2MSFTNGP11.phx.gbl...
> Hi,
>
> I understand that if UserA doesn't have access to Table1 but has access to
> StoredProc1, and StoredProc1 lists the content of Table1, then UserA can
> execute StoredProc1 and have Table1 listed.
>
> I also know this is the preferred way to implement security, so applications
> won't have direct access to sensitive tables.
>
> My question is: if StoredProc1 is being run by UserA, what is the security
> context of StoredProc1? What is the UserId of StoredProc1? Can scripts in
> StoredProc1 manipulate all tables in the database?
>
> Any help would be appreciated,
> Ali
>
>
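
An added example, not part of the original posts: a T-SQL script that exercises the permission behavior discussed in this thread, including the narrower procedure the reply suggests. It assumes SQL Server 2005 or later, a scratch database, and a db_owner session; the column names, StoredProc1_NamesOnly and StoredProc1_Dynamic are hypothetical.

```sql
-- Constructed demo data. Table1, StoredProc1 and UserA come from the thread;
-- every other name is hypothetical.
-- Assumes SQL Server 2005+ (CREATE USER ... WITHOUT LOGIN, EXECUTE AS USER).
CREATE TABLE dbo.Table1 (Id int PRIMARY KEY, Name nvarchar(50), Salary money);
INSERT INTO dbo.Table1 (Id, Name, Salary) VALUES (1, N'Alice', 90000);
INSERT INTO dbo.Table1 (Id, Name, Salary) VALUES (2, N'Bob', 70000);
GO
CREATE USER UserA WITHOUT LOGIN;   -- receives no permission on dbo.Table1
GO
-- Full listing, as described in the thread. Not granted to UserA below.
CREATE PROCEDURE dbo.StoredProc1 AS
    SELECT Id, Name, Salary FROM dbo.Table1;
GO
-- Narrower procedure: exposes only the columns this user needs.
CREATE PROCEDURE dbo.StoredProc1_NamesOnly AS
    SELECT Id, Name FROM dbo.Table1;
GO
-- Same query as StoredProc1, but issued as dynamic SQL. Dynamic SQL is
-- compiled as its own batch, so the ownership chain does not cover it and
-- the caller's own permissions on Table1 are checked.
CREATE PROCEDURE dbo.StoredProc1_Dynamic AS
    EXEC (N'SELECT Id, Name, Salary FROM dbo.Table1');
GO
GRANT EXECUTE ON dbo.StoredProc1_NamesOnly TO UserA;
GRANT EXECUTE ON dbo.StoredProc1_Dynamic  TO UserA;
GO
EXECUTE AS USER = 'UserA';
-- Allowed: EXECUTE is granted, and because the procedure and the table share
-- an owner (dbo), the permission check on Table1 is skipped.
EXEC dbo.StoredProc1_NamesOnly;
-- Denied inside the procedure: the dynamic statement needs SELECT on Table1.
EXEC dbo.StoredProc1_Dynamic;
-- Denied: UserA has no EXECUTE permission on this procedure.
EXEC dbo.StoredProc1;
-- Denied: UserA has no SELECT permission on the table itself.
SELECT Id, Name, Salary FROM dbo.Table1;
REVERT;
GO
-- Cleanup of the constructed objects.
DROP PROCEDURE dbo.StoredProc1, dbo.StoredProc1_NamesOnly, dbo.StoredProc1_Dynamic;
DROP TABLE dbo.Table1;
DROP USER UserA;
GO
```

The permission-denied errors are statement-level, so the remaining statements in the batch still run and each outcome can be observed in one pass.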


