I am building an application consisting of an SQL Server 2008 R2 back-end and an MS Access front-end.
All data is kept in SQL Server.
MS Access is a just a bunch of forms, controls and VBA ADO objects that call stored procedures on the SQL server, ie. users interface with SQL server through stored procedures only.
These stored procedures are a combination of ones that don't alter the state of the database (eg. select from table/view/function) and some that do alter state (eg. insert/update/delete/merge)
On SQL Server, I have an AD Group called 'ADG', which is both a Server Login and a Database User. Users of the MS Access front-end are members of ADG.
All of the SQL Server database objects (tables, views, functions and stored procedures) are under a single, specific schema called 'ABC' that is owned by dbo. There are other schemas in the database, again, all owned by dbo.
I have been reading up on 'Ownership Chaining' and would like clarification of the following:
Is 'dbo' the 'owner' of the tables, views, functions and stored procedure under the 'ABC' schema by virtue of its ownership of the 'ABC' schema?
Given the above set up of the application and depending on the answer to 1., is 'EXECUTE' on the ABC schema, the only permission I
need granted to ADG or do I need any others?
Any help in clarification is appreciated.
Check out https://msdn.microsoft.com/en-us/library/ms191465.aspx for a good picture of the permission hierarchy.
If all your objects are in the same ABC schema, then the owner of the schema is effectively the owner of the underlying objects. Again, see the diagram in the link above for a clear picture.
EXECUTE is a specific permission to execute stored procedures. You can do the same for functions unless the function returns a table, then you need SELECT permissions. So if you GRANT EXECUTE on SCHEMA::ABC TO adg then you've just allowed adg to run sprocs. They still may not have access to data depending on how the sprocs were written. Look up details on permissions in SQL Server books online for details on what you need to grant (https://msdn.microsoft.com/en-us/library/ms191291.aspx)
Related
I have a scenario where I need to allow a user in one database access to objects in another database on the SAME SQL server.
SQL SERVER SETUP:
I have an SQL Server 2008 Express instance running.
Within that instance I have the following :
2 databases :
DATABASE1
DATABASE2
2 logins :
ADMIN1
ADMIN2
DATABASE1 has a user (USER1) created on ADMIN1 and has permissions on SELECT, UPDATE, DELETE, INSERT and GRANT EXECUTE on stored procedures in DATABASE1
DATABASE2 has a user (USER2) created on ADMIN2 and has permissions on SELECT, UPDATE, DELETE, INSERT and GRANT EXECUTE on stored procedures in DATABASE2
QUESTION :
What I require is to allow 'USER1' SELECT/EXECUTE permission to tables and stored procedures in DATABASE2
I have tried a few snippets of SQL from a few posts but I have no idea how to write the SQL.
I also tried doing it manually in the way of ticking checkboxes for permissions by right clicking the user and logins in Management Studio but
I need SQL to execute in my scripts.
THE REASON FOR MY QUESTION
I have tables in DATABASE1 and DATABASE2 which are related but obviously we cant create Foreign Key constraints across different databases.
The best way we have thought to handle the relationship between the 2 tables is to create a stored procedure in DATABASE1 to query the
relevant table in DATABASE2 and return a result.
Apologies for not being able to post any examples as I cannot find any examples out there through my searches which match the scenario I have described above.
If I can give any further information please let me know.
Many thanks
Kev
As long as your user is defined at the instance level, you can grant them whatever rights they need in each database. Create your users under the master, and then add them as users of each database granting them whatever rights are needed per the specific DB.
EDITED with more detail (based on comments):
First, you need to create a Database Login. This is a login that can then be added as a user to one or more databases on your instance.
Details Here (including SQL syntax): http://technet.microsoft.com/en-us/library/ms189751.aspx
Second, you need to provision the user in the database (Database1, Database2, etc...). You will want to have these users added identically to each of these product databases that gets installed. As long as the user is there, you will be able to query across the various DBs on your instance.
Details Here (Including SQL): http://technet.microsoft.com/en-us/library/aa337545.aspx
Good Luck!
I need to restrict user access to SELECT, INSERT, UPDATE and DELETE, so that user should manage data only using stored procedures I provide.
So, for instance
SELECT * FROM Table1
should return
The SELECT permission was denied on the object 'Table1'
however, if there is stored procedure SelectTable1 defined as
CREATE PROCEDURE SelectTable1
AS
BEGIN
SELECT * FROM Table1
END
(the real one contains filtering and parameters, so it is not meaningless, like the one above)
user should execute it successfully and get the resultset.
But obviously, I have no success implementing this set of permissions. Can anybody point me to some specific tutorial? MSDN was not very helpful.
Database is SQL Server 2012 and all objects (tables and stored procedures) are in custom schema.
You can do it using GRANT EXEC either on specific procedures or on schemas or on a database.
The following example grants EXECUTE permission on stored procedure
HumanResources.uspUpdateEmployeeHireInfo to an application role called
Recruiting11.
USE AdventureWorks2012;
GRANT EXECUTE ON OBJECT::HumanResources.uspUpdateEmployeeHireInfo
TO Recruiting11;
GO
Thanks to Igor I've got to the right MSDN page, and followed rights links.
However, using ownership chains suggested was too complicated for me, so I used
WITH EXECUTE AS OWNER
on my stored procedures and that works very good. When I log on using restricted user I see only procedures, no tables at all and I can execute procedures, but not even select from tables.
Also, I want to mention this concept is very similar to setuid and thus was familiar to me.
I mark Igors reply as answer, because ownership chains seem to be more generic way, just wanted to share info I found.
There is no built in database role that allows this kind of access. The db_datareader wouldn’t allow a user to see stored procedures or functions at all. The ddladmin database role would provide access to see the objects, but also to change them as well, which is not the intent here. To accomplish the desired result of this type of request requires that a new database role be created?
How to give full access on a particular stored procedure in SQL Server 2000? Example I have a stored procedure called sp_prg1 in database db1. I need to give full access only on sp_prg1 (which include altering the stored procedure) to a user.
how to give only alter permissions to only one stored procedure
this GRANT alter on [db].[dbo].[storedprocedure1] TO SingleObjectRole is not working
I wish to grant a stored procedure read access to a table in SQL Server 2008 R2
I will then grant a user access only to the stored procedure, not to the table itself.
How do I do this?
Grant EXEC access to the single stored procedure and no permissions to the table.
Grant EXECUTE On [SpName] To [Principal]
There is no such concept as a read permissions to a table for a stored procedure. Stored procedure permissions are separate from other objects. If a user has permission to run a stored procedure, they can run it no matter what it does, even if they don't have permission to the underlying objects.
The following article is a very detailed look at several different methods for granting permissions using stored procedures. It's definitely worth a read.
http://www.sommarskog.se/grantperm.html
Most of the time, ownership chaining will take care of permissions problems. As long as the stored procedure and the underlying table have the same owner, the user only needs permission to EXECUTE the stored procedure.
In a comment to another answer, you mention that the stored procedure is in a different database from the table. You might look at module signing as a method for allowing access only through the stored procedure. Another alternative, if possible, is to create the stored procedure in the same database as the table, then grant access to users in the other database. That way, ownership chaining will take effect.
I have several stored procedures in my database that are used to load data from a datamart that is housed in a separate database. These procedures are, generally, in the form:
CREATE PROCEDURE load_stuff
WITH EXECUTE AS OWNER AS
INSERT INTO my_db.dbo.report_table
(
column_a
)
SELECT
column_b
FROM data_mart.dbo.source_table
WHERE
foo = 'bar';
These run fine when I execute the query in SQL Server Management Studio. When I try to execute them using EXEC load_stuff, the procedure fails with a security warning:
The server principal "the_user" is not able to access the database "data_mart" under the current security context.
The OWNER of the sproc is dbo, which is the_user (for the sake of our example). The OWNER of both databases is also the_user and the_user is mapped to dbo (which is what SQL Server should do).
Why would I be seeing this error in SQL Server? Is this because the user in question is being aliased as dbo and I should use a different user account for my cross-database data access?
Edit
I understand that this is because SQL Server disables cross database ownership chaining by default, which is good. However, I'm not sure of the best practice in this situation. If anyone has any input on the best practice for this scenario, it would be greatly appreciated.
Edit 2
The eventual solution was to set TRUSTWORTHY ON on both of the databases. This allows for limited ownership chaining between the two databases without resorting to full database ownership chaining.
Why not remove EXECUTE AS OWNER?
Usually, my user executing the SP would have appropriate rights in both databases, and I don't have to do that at all.
There is no need to create login, you can just enable guest user in target DB.
grant connect to guest
This allows executing user to enter DB under guest context, and when "db chaining is ON access will not be checked in target DB.
Actually, DBO is a role (you can consider it as a group of users), not a user in himself. (Unless you can connect to SQL SERVER using dbo:passwordfordbo it's not a user).
Usually, in the wonderful world of SQL Server, if you grant userX right to execute storedprocY then X gets the right to perform all the task Y contains even if he doesn't have all the permission on all the objects used in Y.
That's an extremely useful feature to encapsulate business logic in a stored procedure. (Your user have NO access on the table but they do can EXECUTE one stored proc).
When we talk about "ownership chaining" it means the following (please correct me if I am wrong though)
- If ownership chaining is disabled: the right to execute procedureX will work as long as all the required objects are in the same database
- Of chaining is enabled: That "privilege" will expands towards all databases.
Hope that helps,