Re: simple security question (need refresher)

From: Dan Guzman (guzmanda_at_nospam-online.sbcglobal.net)
Date: 10/05/05


Date: Wed, 5 Oct 2005 08:00:54 -0500

If IIS is configured for anonymous access and you connect to SQL Server
using Windows authentication, the IIS anonymous account (e.g. IUSR_MYSERVER)
is used. Database object access is limited to the permissions granted to
this account or roles that this account is a member of. If the IIS security
context is established using Windows or Basic authentication, then the end
user's account (e.g. 'MyDomain\UserA') is used. You can execute sp_who to
determine the actual account used for the connection.

Permissions are required only on objects directly accessed by the
application as long as the ownership chain is unbroken. With an unbroken
chain (all objects owned by same user), permissions on indirectly referenced
objects are not checked. Consequently, if all your objects are owned by
'dbo', only execute permissions on the procedures executed by the
application are needed. Note that dynamic SQL within procs breaks the
ownership chain so this is considered direct object access for security
purposes. See Ownership Chains in the Books Online for more information.

> 2) what security context do stored procedures run under?

Procs execute under the normal security context of the database connection.
However, as I previously mentioned, permissions are not checked when the
ownership chain is unbroken.

-- 
Hope this helps.
Dan Guzman
SQL Server MVP

"djc" <noone@nowhere.com> wrote in message
news:%23JwzrSayFHA.3312@TK2MSFTNGP09.phx.gbl...
> sql server 2000 sp3
>
> sample scenario: 1 user called userA. A few tables and a few stored
> procedures. SQL configured for mixed mode auth. userA is a windows account
> added to the database. IIS 5 configured for integrated windows auth.
>
> 1) If userA has execute permission on the stored procedures that do the
> actual inserting/updating/deleting does userA still have to have those
> permissions assigned at the table level (insert/update/delete)?
>
> 2) what security context do stored procedures run under?
>
> any input is greatly appreciated. Thanks.
>
> 
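
The ownership-chain behaviour described in the reply above, as an added T-SQL example that is not part of the original thread. The objects dbo.Orders, dbo.AddOrder and dbo.AddOrderDynamic are hypothetical, and the script assumes 'MyDomain\UserA' already exists as a user in the database under that name.

```sql
-- Added example; all object names are constructed for illustration.
-- Run the setup batches as a member of db_owner so every object is owned by dbo.
CREATE TABLE dbo.Orders (
    OrderID int IDENTITY(1,1) PRIMARY KEY,
    Item    varchar(50) NOT NULL
)
GO

-- Static reference: dbo procedure -> dbo table, so the ownership chain is unbroken
-- and permissions on dbo.Orders are not checked for the caller.
CREATE PROCEDURE dbo.AddOrder @Item varchar(50)
AS
    INSERT INTO dbo.Orders (Item) VALUES (@Item)
GO

-- Dynamic SQL: the statement inside sp_executesql counts as direct object access,
-- so the caller's own INSERT permission on dbo.Orders is checked.
CREATE PROCEDURE dbo.AddOrderDynamic @Item varchar(50)
AS
    DECLARE @sql nvarchar(200)
    SET @sql = N'INSERT INTO dbo.Orders (Item) VALUES (@Item)'
    EXEC sp_executesql @sql, N'@Item varchar(50)', @Item = @Item
GO

-- Least privilege: EXECUTE on the procedures only, nothing on the table.
GRANT EXECUTE ON dbo.AddOrder        TO [MyDomain\UserA]
GRANT EXECUTE ON dbo.AddOrderDynamic TO [MyDomain\UserA]
GO

-- Check that the chain really is unbroken: every object should list the same owner.
SELECT name, xtype, USER_NAME(uid) AS owner
FROM   sysobjects
WHERE  name IN ('Orders', 'AddOrder', 'AddOrderDynamic')
GO

-- From the application's connection (IIS anonymous account or the end user's
-- account, depending on how IIS authenticates): confirm which account is in use,
-- then exercise each access path to see where table permissions are checked.
SELECT SUSER_SNAME() AS connected_as
EXEC sp_who
EXEC dbo.AddOrder 'widget'                        -- unbroken chain
EXEC dbo.AddOrderDynamic 'widget'                 -- chain broken by dynamic SQL
INSERT INTO dbo.Orders (Item) VALUES ('widget')   -- direct table access
GO
```

Comparing the three calls at the end under the application account shows which paths depend on table-level grants and which rely on EXECUTE alone.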

