I'm trying to execute the following query through classic asp recordset -
SQL = "Select P_Name as P_Name, P_Description as P_Description
from L_PagePermission
inner join A_Permission on p_permissionID = pp_PermissionID
inner join A_Page on P_PageID = PP_PageID
where P_PageID = 85
order by p_Name"
Although I've ran into a problem with permissions. So the error that i am receiving is -
Microsoft OLE DB Provider for ODBC
Drivers error '80040e09'
[Microsoft][ODBC SQL Server
Driver][SQL Server]SELECT permission
denied on object 'A_Permission',
database 'HRWB_3_0', schema 'dbo'.
How would I go about executing this query without changing permission settings. How can I do this with a stored procedure? (Can someone provide an example too)
I can't change the database settings I have to deal with what I got. I've looked through a lot of the websites files and it seems to be mostly dependent on stored procedures.
You're not going to be able to get around that permissions error unless you grant select access on the L_PagePermission and A_Permission tables to the login that you are using to connect to the database, or unless you use a different login that already has select access to those tables.
Another approach would be to write a new stored procedure and grant EXECUTE access to that stored procedure. The SQL to grant permissions in either case is simple:
To grant SELECT access to a table:
GRANT SELECT ON [TableName] TO [loginName]
To grant EXECUTE access to a stored procedure:
GRANT EXECUTE ON [procedureName] TO [loginName]
One more approach that could work but has obvious security implications is to add the login you are using to the db_owner role for that database. That should work, but is NOT recommended unless you are comfortable with the security risks that presents.
If you don't have permission to select from the table, there won't be any way to work around the absence of permission other than connecting to the DBMS as a user who has permission to select from the table. That's the point of the permissions system - to prevent the unauthorized from doing what they are not allowed to do.
Related
I'm trying to figure out why a particular SQL Server database user that has db_datareader and db_datawriter membership, can't run a select statement that gets some check constraints on a particular table.
I run the select statement in my code, but it doesn't return any data. I thought maybe that in order to get constraint information, you might need different permissions. I've tried going out to look at some of the roles, and what they mean, but it's not clear what exactly the db_reader role can do.
string constraintCommand = #"SELECT tc.CONSTRAINT_NAME, CC.CHECK_CLAUSE
FROM[INFORMATION_SCHEMA].[CHECK_CONSTRAINTS as cc
INNER JOIN INFORMATION_SCHEMA.TABLE_CONSTRAINTS as tc ON cc.CONSTRAINT_NAME = tc.CONSTRAINT_NAME AND cc.CONSTRAINT_SCHEMA = tc.TABLE_SCHEMA
WHERE tc.TABLE_NAME = 'VideoSources'";
This is in C#. I run the SQL statement in SSMS as me (db_owner), and the SQL statement returns the data I need. I'm wondering if it's a permission problem of some sort.
To run a stored procedure the role needs Execute permissions.
I believe that permission Grant or Deny overrides the role membership. You may have to specifically Grant Select permission in the table.
I'll preface this with I've never been in charge of database security and this is all really new to me, so forgive the question if it's bad - I'll try to provide as much information as possible. I've searched around without much detail on my specific question.
I'm using a SQL Server 2008 R2 database and I am in need of the ability to restrict all domain users to be able to only execute certain stored procedures when explicitly defined. As in, DENY select/update/delete/etc on ALL database tables/views/stored procedures, except for SOME stored procedures where defined explicitly (grant execute on stored procedure to USER (domain users below)).
I thought this would be pretty easy with server roles but it appears custom server roles are only available in SQL Server 2012 and up and the public server role grants select access on all of my tables. I read that deny always takes precedent over grant so I setup a database role that has select access set to deny, but users are still able to query the tables.
Here is my current setup on 1 server that contains 2 databases:
Server Level:
Logins: [Domain Users] - AD group login so all users can CONNECT to the server. Has server role Public.
Database Level:
Users: [Domain Users] - AD group so all users can CONNECT to the database.
Database Roles: [SP_Reader] - [Domain Users] as a role member. Securables I have all tables set to deny access on select and my stored procedures that I want users to execute set to grant on execute.
The problem is users are still able to select from my tables as if the permissions don't exist. Any idea what I'm doing wrong here?
The problem turned out to be the 'db_datareader' role was assigned to the database user in addition to my custom database role (SP_Reader) which provides only execute on certain stored procedures.
The 'db_datareader' role went unnoticed as I was querying 'sys.database_permissions' which doesn't display permissions that are implicitly granted.
I ended up finding this Microsoft link which provides a query that returns the members of all database roles:
SELECT DP1.name AS DatabaseRoleName,
isnull (DP2.name, 'No members') AS DatabaseUserName
FROM sys.database_role_members AS DRM
RIGHT OUTER JOIN sys.database_principals AS DP1
ON DRM.role_principal_id = DP1.principal_id
LEFT OUTER JOIN sys.database_principals AS DP2
ON DRM.member_principal_id = DP2.principal_id
WHERE DP1.type = 'R'
ORDER BY DP1.name;
Alternatively this internal stored procedure returns results for whichever role you pass as a parameter:
EXEC sp_helprolemember 'db_datareader';
If I have two databases 'dbA' and 'dbB' using a normal account I know I can run a query such as
SELECT *
FROM dbA.dbo.TableA a
JOIN dbB.dbo.TableB b ON a.columnA=b.columnB
But I can not figure out how to grant permissions to a loginless account
USE dbA;
CREATE USER [test_user] WITHOUT LOGIN WITH DEFAULT_SCHEMA=[dbo]
GRANT SELECT ON DATABASE::dbA TO [test_user];
I receive an error when trying to give select permission to the loginless user 'test_user' on the other database.
GRANT SELECT ON DATABASE::dbB TO [test_user];
Is it possible to do a database join using loginless users? If so what should the grant statement look like for setting correct permissions?
A user without a login can only access other databases that have the guest user enabled. You might consider using a certificate-mapped user instead if you have a cross-database requirement. See http://www.sommarskog.se/grantperm.html for code.
Users exist at the database level. Only logins exist at the server level.
I believe you can create a view in dbA like so:
use dbA;
create view dbB_TableB as
select *
from dbB.dbo.TableB;
And you can then assign SELECT permissions for the user in dbA to the view.
I am in the process of configuring database users for some new developers and I am running into some difficulties as I am reading lots of articles and it's not working out too well for me. I have tried various configurations manually and with T-SQL but I need a more efficient method.
My objective:
Some TSQL I can launch to give a database user the following permissions:
Grant permission to execute all Stored Procedures within the Database
Deny permission to View Definition of all of these stored procedures
Grant permission to SELECT, UPDATE, INSERT, DELETE from all tables within the database
Deny permission to View Definition of all of the tables in the database (I don't want them to view the data)
What I have tried:
I have achieved this manually but I have 200+ stored procedures and 100+ tables so I don't want to do it manually. From the T-SQL aspect I have managed to get the following to work:
USE database_name;
GRANT EXECUTE TO [security_account];
This works and allows the users to run the stored procedures but they cannot view the actual query code. I need the same logic for the tables as described above.
Thank you for your help.
I am not quite sure if this is a viable solution to your problem. But maybe it will get you at least closer to what you want. So, here is the setup I'd propose:
Do not grant anybody any permissions on any table.
Use stored procedures for DML.
Grant execute on all these stored procedures to public.
Setup one table in your database which lists all users which have access to your database including their login (suser_sname()) and their permissions (for example MayAlterTableUsers).
Implement into all stored procedures a check similar to this
if (
select isnull(MayAlterTableUsers, 0)
from tblUsers
where LoginName = suser_sname()
) > 0
begin
select N'Implementing the requested changes to tblUsers.'
end
else
begin
select N'You don''t have the required permission.'
end
Setup you views similar and grant select on all views to public
create view vShowAllUsers as
select *
from dbo.tblUsers
cross apply (
select MaySeeAllUsers
from dbo.tblUsers
where LoginName = suser_sname()
) as p
where p.MaySeeAllUsers = 1
In the end all views and all stored procedures will be publicly available but the handling of permission will be within each one of them. All permissions themselves will be within this table tblUsers. Since nobody has the possibility to alter this table tblUsers unless (of course) they are in this table with the appropriate permission, this DB setup is self-contained.
I have two databases.
Databases:
1. DB1
2. DB2
I have created two new logins.
Logins:
1. DB1_login
2. DB2_login
Next, I created user for each database mapped to the above logins.
create user DB1_login1_user1 for login DB1_login;
create user DB2_login2_user2 for login DB2_login;
So, DB1_login1_user1 user of DB1 database will be mapped to DB1_login1 login and DB2_login2_user2 user of DB2 database will be mapped to DB2_login2 login.
Granted database role permissions for both users is db_datareader and db_datawriter.
In DB2, I have a table named dbo.sample_table.
My requirement:
Let us consider that I have logged in as DB1_login1.
In this login, I have granted permissions for DB1_login1_user1 user to DB1 database.
Now from DB1, I have to select a table dbo.sample_table at DB2, which was mapped to another login DB2_login2.
Below is the query what am I trying to do is.
--CURRENTLY LOGGED IN AS DB1_LOGIN1
USE DB1;
EXECUTE as login='DB2_login2'
select * from DB2.dbo.sample_table
GO
I tried GRANT IMPERSONATE on LOGIN::DB2_login2 to DB1_login1, but it didn't work and also, I'm not aware about granting permissions across logins. I think granting permissions matters and I need help in doing that.
How can I execute the above query successfully?
Any help would be appreciable.
The users you created exist only in their respective databases, so what you're trying to do is not possible. Even if it were, or you allow acces (create users for login) in both databases and give then permissions and enable cross-database access, it would be too much of a security risk.
I'd suggest using stored procedures to acces data cross database. Stored procedure should be signed with a certificate, and the same certificate created in both databases. I've had it implemented on various occasions and it works flawlessly.
There is a great sample of this by Erland Sommarskog here.
I did granting permissions on login.
From administrator login "Sa", I executed the below query.
GRANT IMPERSONATE ON LOGIN::DB2_login to DB1_login;
And then from DB1_login, executed the below query for accessing DB across logins.
USE MASTER;
EXECUTE as login='DB2_login';
SELECT * FROM DB2.dbo.sample_table;
REVERT;
GO
Finally for my situation, I have solved the problem.