Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 
        
Home       Members    Calendar    Who's On


Add to briefcase

permission issue with sql login Expand / Collapse
Author
Message
Posted Friday, March 08, 2013 11:49 AM
Old Hand

Old HandOld HandOld HandOld HandOld HandOld HandOld HandOld Hand

Group: General Forum Members
Last Login: Saturday, April 12, 2014 10:28 AM
Points: 313, Visits: 809
I have a stored proc that gets executed by SQL login which has execute access to the schema owned by stored proc.

Inside the stored proc, it has insert statement to another DB which this sql login doesn't have access to. How do I get around it?

Third party app calls the stored proc.

Thanks for your help.
Post #1428720
Posted Friday, March 08, 2013 12:48 PM


SSCertifiable

SSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiable

Group: General Forum Members
Last Login: Yesterday @ 9:25 AM
Points: 7,070, Visits: 12,523
SQL_Surfer (3/8/2013)
I have a stored proc that gets executed by SQL login which has execute access to the schema owned by stored proc.

Inside the stored proc, it has insert statement to another DB which this sql login doesn't have access to. How do I get around it?

Third party app calls the stored proc.

Thanks for your help.

This constitutes a broken ownership chain. You can look into cross-database ownership chaining and the use of EXECUTE AS. You can also explore signing the procedure with a certificate that has access to all underlying resources.


__________________________________________________________________________________________________
There are no special teachers of virtue, because virtue is taught by the whole community. --Plato

Believe you can and you're halfway there. --Theodore Roosevelt

Everything Should Be Made as Simple as Possible, But Not Simpler --Albert Einstein

The significant problems we face cannot be solved at the same level of thinking we were at when we created them. --Albert Einstein

1 apple is not exactly 1/8 of 8 apples. Because there are no absolutely identical apples. --Giordy
Post #1428739
Posted Friday, March 08, 2013 1:31 PM
Old Hand

Old HandOld HandOld HandOld HandOld HandOld HandOld HandOld Hand

Group: General Forum Members
Last Login: Saturday, April 12, 2014 10:28 AM
Points: 313, Visits: 809
But he second db's table where the insert is going to take palce is owned by different schema.
Post #1428753
Posted Friday, March 08, 2013 1:35 PM


SSCertifiable

SSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiable

Group: General Forum Members
Last Login: Yesterday @ 9:25 AM
Points: 7,070, Visits: 12,523
Schemas do not own things, but I know what you mean.

In that case you can look into certificate signing or EXECUTE AS. I would go for certificate signing, it's a bit cleaner and you do not need to deal with impersonation.


__________________________________________________________________________________________________
There are no special teachers of virtue, because virtue is taught by the whole community. --Plato

Believe you can and you're halfway there. --Theodore Roosevelt

Everything Should Be Made as Simple as Possible, But Not Simpler --Albert Einstein

The significant problems we face cannot be solved at the same level of thinking we were at when we created them. --Albert Einstein

1 apple is not exactly 1/8 of 8 apples. Because there are no absolutely identical apples. --Giordy
Post #1428757
Posted Sunday, March 10, 2013 12:56 PM
Old Hand

Old HandOld HandOld HandOld HandOld HandOld HandOld HandOld Hand

Group: General Forum Members
Last Login: Saturday, April 12, 2014 10:28 AM
Points: 313, Visits: 809
Thanks I got it working using certificate. Question though...How about linked server? If I have the proc loads records in a table in different server?
Post #1429008
Posted Sunday, March 10, 2013 6:53 PM


SSCertifiable

SSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiable

Group: General Forum Members
Last Login: Yesterday @ 9:25 AM
Points: 7,070, Visits: 12,523
It depends on how the Linked Server is configured. If you have the certificate working then it should be a trivial thing to test using a Linked Server from inside a certificate-signed stored procedure. If you run into errors, post your Linked Server definition and the error message.

__________________________________________________________________________________________________
There are no special teachers of virtue, because virtue is taught by the whole community. --Plato

Believe you can and you're halfway there. --Theodore Roosevelt

Everything Should Be Made as Simple as Possible, But Not Simpler --Albert Einstein

The significant problems we face cannot be solved at the same level of thinking we were at when we created them. --Albert Einstein

1 apple is not exactly 1/8 of 8 apples. Because there are no absolutely identical apples. --Giordy
Post #1429047
« Prev Topic | Next Topic »

Add to briefcase

Permissions Expand / Collapse