Re: sql2k5 security
- From: "David Browne" <davidbaxterbrowne no potted meat@xxxxxxxxxxx>
- Date: Fri, 16 Jun 2006 15:58:46 -0500
<param@xxxxxxxxxxxxxxxx> wrote in message news:uU1mUYYkGHA.1320@xxxxxxxxxxxxxxxxxxxxxxx
Hi all, I am having an issue with SQL2K5 security. Here is my setup.
Tables
dbo.Table1
dbo.Table2
dbo.Table3
Roles
db_web
Users
webuser - member of db_web
Schemas
myschema - Execute/Select/Insert/Delete permissions given to db_web role.
Stored Procedures
myschema.dosomething
When I login as webuser and execute myschema.dosomething I get a permissions error saying I do not have select and insert permissions on dbo.Table1
Essentially, I would like to shield all access by webuser to executing stored procedures and views only and let the stored procs fetch/insert the data from the base tables. This is considered good security for web apps.
How do I accomplish this?
You need to make dbo the owner of myschema and all the objects in it. Then ownership chaining will supress permission checks on the other objects owned by dbo.
To examine schema ownership:
select name, user_name(principal_id) from sys.schemas
To change it:
ALTER AUTHORIZATION ON SCHEMA::myschema TO dbo;
Remember you must not allow a low-privilege user to create views, synonyms or procedures in a schema owned by dbo. If you do then this same mechanism would allow them to access any dbo-owned object.
David
.
- Follow-Ups:
- Re: sql2k5 security
- From: param
- Re: sql2k5 security
- References:
- sql2k5 security
- From: param
- sql2k5 security
- Prev by Date: sql2k5 security
- Next by Date: sql2k5 schema qualifier
- Previous by thread: sql2k5 security
- Next by thread: Re: sql2k5 security
- Index(es):
Relevant Pages
|
