Re: Exec permissions on Stored Procedure
- From: Erland Sommarskog <esquel@xxxxxxxxxxxxx>
- Date: Wed, 06 Aug 2008 14:30:01 -0700
Mark B (mark_bert@xxxxxxxxx) writes:
> I'm still fuzzy on one thing if you could explain. Say you have a
> situation where a stored procedure is performing an insert to a table
> with a different owner and / or schema. Because of this the user (in
> my case the aspnet machine account for a web app) must have insert
> permission to the underlying table as well as execute permission to
> the SP. With the SP, I can control what that account can insert, but
> it seems if that account has insert permission to the table, if
> someone got control of the account, would they not have a lot more
> control over the table?

They would, and therefore you should be restrictive with granting direct
permissions on tables, particularly INSERT, DELETE and UPDATE and stick
to stored procedures. With the same owner as the tables.
Or use any of the new mechanisms in SQL Server 2005, which I describe
in my article.
--
Erland Sommarskog, SQL Server MVP, esquel@xxxxxxxxxxxxx
Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/prodtechnol/sql/2005/downloads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx
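
Added example, not part of the original post: a T-SQL sketch for SQL Server 2005 or later of the arrangement discussed above, where the table and the procedure share an owner and the application account holds only EXECUTE. All object and user names (Sales, Orders, AddOrder, WebAppUser) are hypothetical, and the final query is one way to audit for direct table grants.

```sql
-- Hypothetical names throughout; run in a scratch database.
CREATE USER WebAppUser WITHOUT LOGIN;    -- stand-in for the web app account
GO
CREATE SCHEMA Sales AUTHORIZATION dbo;   -- table and procedure share owner dbo
GO
CREATE TABLE Sales.Orders (
    OrderID    int IDENTITY PRIMARY KEY,
    CustomerID int   NOT NULL,
    Amount     money NOT NULL
);
GO
CREATE PROCEDURE Sales.AddOrder @CustomerID int, @Amount money
AS
    SET NOCOUNT ON;
    -- The procedure decides what may be inserted.
    IF @Amount <= 0 OR @Amount > 10000
    BEGIN
        RAISERROR('Amount out of range.', 16, 1);
        RETURN 1;
    END;
    INSERT INTO Sales.Orders (CustomerID, Amount) VALUES (@CustomerID, @Amount);
GO
-- Only EXECUTE is granted; no INSERT, UPDATE or DELETE on the table.
GRANT EXECUTE ON Sales.AddOrder TO WebAppUser;
GO
EXECUTE AS USER = 'WebAppUser';
-- Succeeds: same owner, so the table permission check is skipped.
EXEC Sales.AddOrder @CustomerID = 1, @Amount = 10.00;
BEGIN TRY
    -- Direct access bypassing the procedure's rule.
    INSERT INTO Sales.Orders (CustomerID, Amount) VALUES (1, 999999);
END TRY
BEGIN CATCH
    PRINT ERROR_MESSAGE();   -- INSERT permission was denied on Sales.Orders
END CATCH;
REVERT;
GO
-- Audit: principals holding direct write permissions on tables.
SELECT pr.name AS grantee, o.name AS table_name, p.permission_name, p.state_desc
FROM sys.database_permissions AS p
JOIN sys.objects AS o              ON o.object_id = p.major_id
JOIN sys.database_principals AS pr ON pr.principal_id = p.grantee_principal_id
WHERE p.class = 1 AND o.type = 'U'
  AND p.permission_name IN ('INSERT', 'UPDATE', 'DELETE')
  AND p.state_desc IN ('GRANT', 'GRANT_WITH_GRANT_OPTION');
```

Ownership chaining applies only to static statements in the procedure; dynamic SQL executed inside it is checked against the caller's own permissions.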