Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 
        
Home       Members    Calendar    Who's On


Add to briefcase

Permission Denied When Using "WITH EXECUTE AS" Expand / Collapse
Author
Message
Posted Tuesday, October 23, 2012 1:23 AM
SSC Veteran

SSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC Veteran

Group: General Forum Members
Last Login: Monday, November 05, 2012 9:12 AM
Points: 293, Visits: 459
I have a stored procedure that uses "WITH EXECUTE AS" to allow the querying of some system views, the stripped down syntax is as follows:

CREATE PROCEDURE [dbo].[MyTestProc] 


WITH EXECUTE AS 'DOMAIN\UserA'
AS

SET NOCOUNT ON;


SELECT COUNT(*)
FROM msdb.dbo.sysjobs_view;

When I run this procedure I get the error message:

The SELECT permission was denied on the object 'sysjobs_view', database 'msdb', schema 'dbo'

UserA is a member of sysadmin so I would expect it to be able to access the view and in fact if I comment out the "WITH EXECUTE AS" line and run the stored procedure as UserA it works. Any ideas what might be happening?

Thanks
Post #1375865
Posted Tuesday, October 23, 2012 8:17 AM


SSC Veteran

SSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC Veteran

Group: General Forum Members
Last Login: Monday, April 14, 2014 2:35 PM
Points: 285, Visits: 503
Execute As doesn't go outside the local database without extended authentication from the other database. It's scope is within the local DB. I only recently learned this myself. I'm going through a series of online videos.
Here's where I ran into it:
http://technet.microsoft.com/en-us/sqlserver/gg545013.aspx


---------------------------------------------------------------
Mike Hahn - Future MCM 2025
Right way to ask for help!!
http://www.sqlservercentral.com/articles/Best+Practices/61537/
I post so I can see my avatar
I want a personal webpage
I want to win the lotto
I want a gf like Tiffa
Post #1376081
Posted Tuesday, October 23, 2012 8:50 PM


SSC-Dedicated

SSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-Dedicated

Group: General Forum Members
Last Login: Today @ 1:13 PM
Points: 35,969, Visits: 30,261
If "SA" owns the database, you could just execute as OWNER.

--Jeff Moden
"RBAR is pronounced "ree-bar" and is a "Modenism" for "Row-By-Agonizing-Row".

First step towards the paradigm shift of writing Set Based code:
Stop thinking about what you want to do to a row... think, instead, of what you want to do to a column."

"Change is inevitable. Change for the better is not." -- 04 August 2013
(play on words) "Just because you CAN do something in T-SQL, doesn't mean you SHOULDN'T." --22 Aug 2013

Helpful Links:
How to post code problems
How to post performance problems
Post #1376307
Posted Wednesday, October 24, 2012 1:14 AM
SSC Veteran

SSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC Veteran

Group: General Forum Members
Last Login: Monday, November 05, 2012 9:12 AM
Points: 293, Visits: 459
I found the problem but still not sure why it doesn't work!

I used the USER_NAME() and SUSER_NAME() functions to check the before and after and found that SUSERNAME() returned dbo before the switch (EXECUTE AS) but returned Domain\UserA after the switch.

I moved the WITH EXECUTE AS into the procedure itself and changed it to EXECUTE AS USER 'Domain\UserA' but this still failed, however changing it to EXECUTE AS LOGIN 'Domain\UserA' worked.

Post #1376337
Posted Wednesday, October 24, 2012 5:57 AM


SSC-Dedicated

SSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-Dedicated

Group: General Forum Members
Last Login: Today @ 1:13 PM
Points: 35,969, Visits: 30,261
David-155102 (10/24/2012)
I found the problem but still not sure why it doesn't work!

I used the USER_NAME() and SUSER_NAME() functions to check the before and after and found that SUSERNAME() returned dbo before the switch (EXECUTE AS) but returned Domain\UserA after the switch.

I moved the WITH EXECUTE AS into the procedure itself and changed it to EXECUTE AS USER 'Domain\UserA' but this still failed, however changing it to EXECUTE AS LOGIN 'Domain\UserA' worked.


Just checking to make sure... I'd really like to suggest using user names/logins (whatever) for this type of thing unless they are very specifically NOT attached to human entities. They should be setup for this type of proxy only and no human should ever be allowed to login through them. Their password should be guarded as strictly as the SA password should be.


--Jeff Moden
"RBAR is pronounced "ree-bar" and is a "Modenism" for "Row-By-Agonizing-Row".

First step towards the paradigm shift of writing Set Based code:
Stop thinking about what you want to do to a row... think, instead, of what you want to do to a column."

"Change is inevitable. Change for the better is not." -- 04 August 2013
(play on words) "Just because you CAN do something in T-SQL, doesn't mean you SHOULDN'T." --22 Aug 2013

Helpful Links:
How to post code problems
How to post performance problems
Post #1376421
« Prev Topic | Next Topic »

Add to briefcase

Permissions Expand / Collapse