Re: Security: Accessing data in another db

From: Dan Guzman (guzmanda_at_nospam-online.sbcglobal.net)
Date: 08/05/05

  • Next message: cs: "Can't View domain local group in SQL security list" 
    Date: Thu, 4 Aug 2005 19:05:41 -0500

    With SQL Server 2000 SP3, you can enable cross-database chaining in these
    databases. This will eliminate the need for permissions on indirectly
    referenced objects as long as the objects involved have the same owner
    (owners map to the same login).

    If your objects are owned by 'dbo', the database owners need to be the same
    so that the dbo user maps to the same login. You can execute
    sp_changedbowner if needed to specify the common database owner login,

    Note that you should enable cross-database chaining only if you fully trust
    those users that have permissions to create dbo-owned objects. In the case
    of sa-owned databases, only sysadmin role members should be permitted to
    create dbo-owned objects in those databases. 

    -- 
Hope this helps.
Dan Guzman
SQL Server MVP
"Craig HB" <CraigHB@discussions.microsoft.com> wrote in message 
news:7D9E8085-C017-4879-942C-EA903143DD94@microsoft.com...
> For all our ASP.Net applications we use a user called 'AppUser' to connect 
> to
> the database, which only has execute permissions on the stored procedures.
> This makes sure that client apps only connect to the server via stored
> procedures.
>
> I keep this up-to-date by running a stored procedure that revokes all
> permissions from AppUser and then grants execute permissions for AppUser 
> on
> stored procedures.
>
> The problem I am getting is when a stored procedure in one database needs 
> to
> access a table in another database. For this to work, AppUser needs SELECT
> permission on that table (in the other database), otherwise the stored
> procedure fails. But I want to try and keep AppUser's access limited to
> execute permissions on stored procedures.
>
> Is there a way that AppUser can access data from another database (and it
> only has exec permissions on that other database's stored procedures) ?
>
> Thanks,
> Craig
  • Next message: cs: "Can't View domain local group in SQL security list"

    Relevant Pages

    • Re: Execute Persmission denied on object sp_OACreate
      ... SQL Server doesn't check permissions on indirectly referenced objects as ... You can prevent ad-hoc execution of powerful master database procs while ... >I have a user who has execute permissions on a store procedure in a>database> which in turns executes 4 stored procedures in the master database. ...
      (microsoft.public.sqlserver.security)
    • Re: List Users Permissions down to table.column action
      ... THIS STORED PROCEDURE GENERATES COMMANDS ... -- FIXED PROBLEMS WITH STATEMENT LEVEL PERMISSIONS GRANTING. ... -- CREATE TABLE TO HOLD LIST OF USERS IN CURRENT DATABASE ... -- GRANT USER ACCESS TO SERVER ROLES ...
      (microsoft.public.sqlserver.security)
    • Re: User access on a company intranet
      ... Yes they need full permissions on the folder where the backend is. ... You wouldn't need to do this in your copy of the database. ... However you can toggle the shiftkey bypass from another mdb file. ... When you want to implement security, you create a new mdw file, ...
      (microsoft.public.access.security)
    • Re: Active directory corruption
      ... During an installation of PHP I accidentally changed permissions for the ... Active Directory database is unavailable because it is damaged, ... Open a command prompt and run NTDSUTIL to verify the paths for the ...
      (microsoft.public.windows.server.sbs)
    • Re: Active directory corruption
      ... default web site and copied the permissions to all the child ... as it may not be the database that is the problem. ... prompt, use the ESENTUTL to check the integrity of the database. ... To recover the database type the following at the command prompt: ...
      (microsoft.public.windows.server.sbs)