Re: Stored Procedure security
- From: "Russell Fields" <russellfields@xxxxxxxxxx>
- Date: Wed, 31 Oct 2007 16:15:56 -0400
JWOL,
Ownership chaining only applies to object permissions, such as SELECT,
UPDATE, DELETE, and INSERT. Although you might think that TRUNCATE TABLE is
just a fast DELETE, the permission needed is actually not to an object, but
to the ability to ALTER the object. This has its own permission structure.
Instead of TRUNCATE TABLE, you can simply DELETE FROM TABLE and get the same
results, with more logging.
If you are running SQL Server 2005, you can create a procedure which is
signed by a certificate. That certificate can have the rights you need to
do more powerful actions than ownership chaining supports. See:
http://www.sommarskog.se/grantperm.html
RLF
"JWOL" <chairleg@xxxxxxxxx> wrote in message
news:1193851982.107373.169900@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi,
I have a stored procedure which inserts some data into a table and
then runs a select on the table. I have granted execute permissions
on the stored procedure to a user x. Although user x has no select or
insert permissions on the table the stored procedure will run, as I
expected. However, when I introduce a truncate table command into the
stored procedure the user can no longer execute it. It only works if
I grant ALTER permissions on the table to the user. What are the
rules for which permissions are inherited from stored procedures and
which aren't?
Thanks.
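
The certificate-signing approach mentioned in the reply above, sketched in T-SQL for SQL Server 2005 or later as an added example that is not part of the original thread. The table, procedure, user and certificate names and the password are hypothetical placeholders; run it as a database owner in a scratch database.

```sql
-- Added example: all object names and the password below are placeholders.
CREATE TABLE dbo.StagingData (id int NOT NULL, payload varchar(100) NULL);
CREATE USER user_x WITHOUT LOGIN;   -- stands in for "user x" from the question
GO
CREATE PROCEDURE dbo.ReloadStaging AS
BEGIN
    TRUNCATE TABLE dbo.StagingData;                               -- needs ALTER on the table
    INSERT INTO dbo.StagingData (id, payload) VALUES (1, 'row');  -- covered by ownership chaining
    SELECT id, payload FROM dbo.StagingData;                      -- covered by ownership chaining
END
GO
GRANT EXECUTE ON dbo.ReloadStaging TO user_x;
GO
-- Before signing: the call fails at TRUNCATE TABLE, as described in the question.
EXECUTE AS USER = 'user_x';
BEGIN TRY EXEC dbo.ReloadStaging; END TRY
BEGIN CATCH SELECT ERROR_MESSAGE() AS failure_before_signing; END CATCH
REVERT;
GO
-- The certificate user carries the one extra permission: ALTER on this table only.
CREATE CERTIFICATE ReloadStagingCert
    ENCRYPTION BY PASSWORD = 'Replace-Me-With-A-Strong-Passphrase-1'
    WITH SUBJECT = 'Signs dbo.ReloadStaging';
CREATE USER ReloadStagingCertUser FROM CERTIFICATE ReloadStagingCert;
GRANT ALTER ON dbo.StagingData TO ReloadStagingCertUser;
GO
ADD SIGNATURE TO dbo.ReloadStaging
    BY CERTIFICATE ReloadStagingCert
    WITH PASSWORD = 'Replace-Me-With-A-Strong-Passphrase-1';
GO
-- Removing the private key prevents the certificate from signing any other module.
ALTER CERTIFICATE ReloadStagingCert REMOVE PRIVATE KEY;
GO
-- After signing: user_x still has no direct rights on the table, but the call succeeds.
EXECUTE AS USER = 'user_x';
EXEC dbo.ReloadStaging;
REVERT;
GO
```

Altering the procedure drops its signature, so it has to be signed again after any change; with the private key removed, that means creating a new certificate.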