Re: datareader doing updates




"Randy" <Randy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:0EA38A7F-70DF-44D3-91C0-6555FB42A4FA@xxxxxxxxxxxxxxxx
We created a Role (Alpha) and made it a member of the datareader Role. Our
hope was that members of this role would only be able to perform data reads.

On a test we granted Alpha exec rights to an update Stored Procedure. The
members of Alpha are now able to run the Stored Procedure and do updates even
though they are NOT members of datawriter. Further testing showed the same
for insert and delete stored procedures.

Does this sound right?



Yes. Look up "ownership chains" in BOL. If the user can run the
procedure, then permission checks on all objects owned by the owner of the
stored procedure are suppressed.

David
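
The behaviour discussed in this thread can be reproduced and audited with the following T-SQL, an added example that is not part of the original posts. The names dbo.Accounts, dbo.SetBalance and AlphaTester are hypothetical, and it assumes a scratch database in which the table and the procedure are both owned by dbo.

```sql
-- Constructed demo: run in a scratch database. Only the role name Alpha comes from the thread.
CREATE TABLE dbo.Accounts (Id int PRIMARY KEY, Balance money NOT NULL);
INSERT INTO dbo.Accounts (Id, Balance) VALUES (1, 100);
GO
CREATE PROCEDURE dbo.SetBalance @Id int, @Balance money
AS
    UPDATE dbo.Accounts SET Balance = @Balance WHERE Id = @Id;
GO
CREATE ROLE Alpha;
-- ALTER ROLE ... ADD MEMBER needs SQL Server 2012+; older versions use sp_addrolemember.
ALTER ROLE db_datareader ADD MEMBER Alpha;
GRANT EXECUTE ON dbo.SetBalance TO Alpha;
CREATE USER AlphaTester WITHOUT LOGIN;       -- test principal, no server login needed
ALTER ROLE Alpha ADD MEMBER AlphaTester;
GO
EXECUTE AS USER = 'AlphaTester';
BEGIN TRY
    -- Direct write: UPDATE permission on the table is checked and is missing.
    UPDATE dbo.Accounts SET Balance = 0 WHERE Id = 1;
END TRY
BEGIN CATCH
    PRINT 'Direct UPDATE denied: ' + ERROR_MESSAGE();
END CATCH;
-- Write through the procedure: procedure and table share an owner, so the
-- permission check on dbo.Accounts is skipped (unbroken ownership chain).
EXEC dbo.SetBalance @Id = 1, @Balance = 50;
SELECT Balance FROM dbo.Accounts WHERE Id = 1;   -- read allowed via db_datareader
REVERT;
GO
-- Audit: object-level EXECUTE permissions held by Alpha. Each procedure listed
-- is a write path if it modifies tables owned by the procedure's owner.
SELECT OBJECT_SCHEMA_NAME(p.major_id) AS schema_name,
       OBJECT_NAME(p.major_id)        AS object_name,
       p.state_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals  AS r ON r.principal_id = p.grantee_principal_id
WHERE r.name = N'Alpha'
  AND p.class = 1                      -- object or column permissions
  AND p.permission_name = N'EXECUTE';
GO
-- Cleanup
DROP USER AlphaTester;
DROP ROLE Alpha;
DROP PROCEDURE dbo.SetBalance;
DROP TABLE dbo.Accounts;
```

The audit query only covers grants made directly to the role on individual objects; schema-level or database-level EXECUTE grants and permissions inherited through other role memberships need to be reviewed separately.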

