Re: Viewing object owner in SQL 2005 - ownership chaining

This helps a lot. I hadn't mentioned that I also had come across a mention of the login being tangled into ownership.

One question in particular remains in my mind:
I see that the owner is not the schema itself, so it must be a USER entity, or a LOGIN entity, or some dynamic combination of them (e.g. join the user to the current login and make the comparision based on the login).

Which type of entity / expression is the owner? Or can it be sometimes one and sometimes another?
If I get this sorted out into a set of steps minus fluff, any suggestions on where I might post a "How To" on Ownership Chaining?

Thanks again!

---Wayne
"Dan Guzman" <guzmanda@xxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:26A475ED-7BAA-4494-ABDE-704F6BC848D4@xxxxxxxxxxxxxxxx

> Msg 916, Level 14, State 1, Line 1
> The server principal "HFDB_2_0_readonly" is not able to access the
> database "Hotfix_data" under the current security context.
> which I believe means that Ownership Chaining failed to "kick in", so that
> the SELECT looked at the permissions on the target table.

To add on to Erland's response, the user needs a security context in both
databases, even if no permissions are granted. You either need to add the
user to the other database or enable the guest user in that database.

--
Hope this helps.

Dan Guzman
SQL Server MVP

"Wayne Erfling" <wayne_erfling@xxxxxxxxxxxxxx> wrote in message
news:%23B1bryXPIHA.292@xxxxxxxxxxxxxxxxxxxxxxx
I'm trying to set up Ownership Chaining (though I would have preferred it if
SQL 2005 supported EXECUTE AS for views).

When I set up both a table and view from one logon (mine) and granted
permissions to the view it didn't work, evidently because "creating user" is
not equivalent to OWNER. I understand (including the potential risks) and
enabled Cross Database Ownership Chaining.

I'm beginning to understand that OWNER lives somewhere between the schema
and the USER, but I'm having trouble finding two things:

1) What entity (and what type of entity) is the OWNER of an object such as a
VIEW, to which Ownership Chaining applies?

(i.e. the precise definition - is the schema the owner or is a USER the
owner, or is the login associated with a USER the owner, etc.)

2) How can I most easily LOOK AT the owner? The Properties for most objects
includes a "User" entry but not an "Owner" entry




Unfortunately (before you tell me to look at the page!) the Ownership
Chaining example in the books online introduces a bit too much "fluff" in
the way of setting up users with default schemas and such, and for me this
obscures the definition of who / what the OWNER is.

The basic idea of Ownership Chaining is clear to me, but Owner is simply not
defined in the overview, the example or the Books Online Glossary (or on the
Internet, so far I've only found references to how owner is used, not the
definition).

Many thanks in advance.

---Wayne

P.S. The error message that my "read permission" user gets is:

Msg 916, Level 14, State 1, Line 1
The server principal "HFDB_2_0_readonly" is not able to access the database
"Hotfix_data" under the current security context.
which I believe means that Ownership Chaining failed to "kick in", so that
the SELECT looked at the permissions on the target table.

I'm sure I can resolve this easily once I understand who the owner is of the
VIEW and TABLE so that I can make them match (since it is clearly not the
creating login).

Relevant Pages

  • RE: Windows Vista
    ... Can you please let me know whether you are currently able to login to the ... If yes then you can go ahead and take the ownership of the drive and apply. ... Then Click on Security Tab. ... Select you user name in the cahge owner to tab. ...
    (microsoft.public.win2000.security)
  • Re: Adding XP in another partition users into Vi$ta
    ... If Windows didn't support some mechanism for allowing a group of users to set the owner on a file, the Windows backup program could not correctly restore backups. ... If that were possible, an unscrupulous user could take ownership, do something wrong, and then cover his tracks by giving ownership to someone else. ... It is true that a program can write new information in the Owner field of an objects security descriptor if the process has WRITE_OWNER access to the object, but WRITE_OWNER access permits the caller to change ownership only to the user SID in the callers access token or, if the user is a member of the Administrators group, to the Administrators SID. ... When logged in as a standard user, when you elevate you are logging in with the credentials you supply to the elevation prompt and the elevated program is running under those credentials. ...
    (microsoft.public.windows.vista.security)
  • Re: Firefox lock file?
    ... You may want to just change all ownership of everything in your *home* ... your files via Nautilus is to add the 'Owner' column to your Nautilus ... Research it first, read 'man chown' etc., *and backup your home folder ...
    (Ubuntu)
  • Re: OT: Fotopic
    ... the legal position over the ownership of images contained on their ... regardless of the original ownership. ... back to the actual owner, ...
    (uk.railway)
  • Re: Adding XP in another partition users into Vi$ta
    ... "The Owner tab shown in Figure 12.19 has no option for giving ownership ... Administrators group, to the Administrators SID. ... When logged in as a standard user, when you elevate you are logging ...
    (microsoft.public.windows.vista.security)