Re: Execute Persmission denied on object 'sp_OACreate'
From: Dan Guzman (guzmanda_at_nospam-online.sbcglobal.net)
Date: 02/05/05
- Next message: WhiskyRomeo: "Re: Execute Persmission denied on object 'sp_OACreate'"
- Previous message: William Stacey [MVP]: "Re: I have been asked to leave the company for having spotted serious security breaches"
- In reply to: WhiskyRomeo: "Execute Persmission denied on object 'sp_OACreate'"
- Next in thread: WhiskyRomeo: "Re: Execute Persmission denied on object 'sp_OACreate'"
- Reply: WhiskyRomeo: "Re: Execute Persmission denied on object 'sp_OACreate'"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 5 Feb 2005 08:49:12 -0600
> How can get a user permissions to execute these stored procedures without
> assigning the dbo role. Surely I do not have to assign persmissions in
> the
> master database.
SQL Server doesn't check permissions on indirectly referenced objects as
long as the ownership chain is unbroken. For dbo-owned objects in different
databases, the databases involved need to be owned by the same user. If you
are running SQL 2000 SP3+, the databases involved also need to have the 'db
chaining' option enabled. See Cross Db Ownership Chaining
<adminsql.chm::/ad_config_8d7m.htm> in the SQL Server 2000 Books Online for
more information.
You can prevent ad-hoc execution of powerful master database procs while
providing the needed functionality as follows. Your user database needs to
be owned by 'sa' so that the ownership chain is unbroken for the dbo-owned
sp_OA* procs in the sa-owned master database. You'll also need to specify
the proxy account security context for non-sysadmin users from Enterprise
Manager under SQL Server Agent --> Job System. This account is used as the
OS security context for processes invoked by non-sysadmin users and should
have the minimum permissions needed by your application.
It is important to note that you should enable 'db chaining' in an sa-owned
database when only sysadmin role members have permissions to create
dbo-owned objects in that database. Also, ensure that parameters passed to
your proc is can't be used to inject unintended commands.
-- Hope this helps. Dan Guzman SQL Server MVP "WhiskyRomeo" <WhiskyRomeo@discussions.microsoft.com> wrote in message news:0D0422D2-0350-46B7-A963-7AAE1011EEC3@microsoft.com... >I have a user who has execute permissions on a store procedure in a >database > which in turns executes 4 stored procedures in the master database. These > 4 > stored procedures execute a DTS package. > > Users, when given the dbo role, have no problem. Users who only have the > Public role but execute permissions on the parent stored procedure get the > following error. > > Execute Persmission denied on object 'sp_OACreate', database 'master', > owner > 'dbo' > > How can get a user permissions to execute these stored procedures without > assigning the dbo role. Surely I do not have to assign persmissions in > the > master database. > > Any help would be appreciated. > > WR >
- Next message: WhiskyRomeo: "Re: Execute Persmission denied on object 'sp_OACreate'"
- Previous message: William Stacey [MVP]: "Re: I have been asked to leave the company for having spotted serious security breaches"
- In reply to: WhiskyRomeo: "Execute Persmission denied on object 'sp_OACreate'"
- Next in thread: WhiskyRomeo: "Re: Execute Persmission denied on object 'sp_OACreate'"
- Reply: WhiskyRomeo: "Re: Execute Persmission denied on object 'sp_OACreate'"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
