Permission Denied When Using "WITH EXECUTE AS"

SQLServerCentral is supported by Red Gate Software Ltd.

Popular Topics

Home

Members

Calendar

Who's On

Home » SQL Server 2008 » T-SQL (SS2K8) » Permission Denied When Using "WITH EXECUTE...

Permission Denied When Using "WITH EXECUTE AS"

Rate Topic

Display Mode

Topic Options

Author

Message

David-155102

Posted Tuesday, October 23, 2012 1:23 AM

SSC Veteran

Group: General Forum Members
Last Login: Monday, November 05, 2012 9:12 AM
Points: 293, Visits: 459

I have a stored procedure that uses "WITH EXECUTE AS" to allow the querying of some system views, the stripped down syntax is as follows:

CREATE PROCEDURE [dbo].[MyTestProc] 
	 

WITH EXECUTE AS 'DOMAIN\UserA'
AS

SET NOCOUNT ON;


	SELECT COUNT(*) 
	FROM msdb.dbo.sysjobs_view;

When I run this procedure I get the error message:

The SELECT permission was denied on the object 'sysjobs_view', database 'msdb', schema 'dbo'

UserA is a member of sysadmin so I would expect it to be able to access the view and in fact if I comment out the "WITH EXECUTE AS" line and run the stored procedure as UserA it works. Any ideas what might be happening?

Thanks

Post #1375865

Want a cool Sig

Posted Tuesday, October 23, 2012 8:17 AM

SSC Veteran

Group: General Forum Members
Last Login: Friday, April 26, 2013 2:58 PM
Points: 221, Visits: 452

Execute As doesn't go outside the local database without extended authentication from the other database. It's scope is within the local DB. I only recently learned this myself. I'm going through a series of online videos.
Here's where I ran into it:
http://technet.microsoft.com/en-us/sqlserver/gg545013.aspx

---------------------------------------------------------------
Mike Hahn - Future MCM 2025 Smile

Right way to ask for help!!
http://www.sqlservercentral.com/articles/Best+Practices/61537/
I post so I can see my avatar Hehe

I want a personal webpage Cool

I want to win the lotto BigGrin

I want a gf like Tiffa w00t

Post #1376081

Jeff Moden

Posted Tuesday, October 23, 2012 8:50 PM

SSC-Dedicated

Group: General Forum Members
Last Login: Today @ 2:32 PM
Points: 32,906, Visits: 26,792

If "SA" owns the database, you could just execute as OWNER.

--Jeff Moden

"RBAR is pronounced "ree-bar" and is a "Modenism" for "Row-By-Agonizing-Row".

First step towards the paradigm shift of writing Set Based code:
Stop thinking about what you want to do to a row... think, instead, of what you want to do to a column."

For better, quicker answers on T-SQL questions, click on the following...
http://www.sqlservercentral.com/articles/Best+Practices/61537/

For better answers on performance questions, click on the following...
http://www.sqlservercentral.com/articles/SQLServerCentral/66909/

Post #1376307

David-155102

Posted Wednesday, October 24, 2012 1:14 AM

SSC Veteran

Group: General Forum Members
Last Login: Monday, November 05, 2012 9:12 AM
Points: 293, Visits: 459

I found the problem but still not sure why it doesn't work!

I used the USER_NAME() and SUSER_NAME() functions to check the before and after and found that SUSERNAME() returned dbo before the switch (EXECUTE AS) but returned Domain\UserA after the switch.

I moved the WITH EXECUTE AS into the procedure itself and changed it to EXECUTE AS USER 'Domain\UserA' but this still failed, however changing it to EXECUTE AS LOGIN 'Domain\UserA' worked.

Post #1376337

Jeff Moden

Posted Wednesday, October 24, 2012 5:57 AM

SSC-Dedicated

Group: General Forum Members
Last Login: Today @ 2:32 PM
Points: 32,906, Visits: 26,792

David-155102 (10/24/2012)

Just checking to make sure... I'd really like to suggest using user names/logins (whatever) for this type of thing unless they are very specifically NOT attached to human entities. They should be setup for this type of proxy only and no human should ever be allowed to login through them. Their password should be guarded as strictly as the SA password should be.

--Jeff Moden

Post #1376421

« Prev Topic | Next Topic »

Permissions