Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 
        
Home       Members    Calendar    Who's On


Add to briefcase

Database Security Issue Expand / Collapse
Author
Message
Posted Tuesday, February 18, 2014 9:29 AM
Ten Centuries

Ten CenturiesTen CenturiesTen CenturiesTen CenturiesTen CenturiesTen CenturiesTen CenturiesTen Centuries

Group: General Forum Members
Last Login: Friday, November 14, 2014 8:48 AM
Points: 1,141, Visits: 355
I have a development named instance of SQL 2008R2 running on Windows 2008. I have a SQL Login that has access to two databases and logins are allowed to Impersonate the user. When running the Execute as User statement, the user is Impersonated correctly (verified with select SUSER_NAME (), USER_NAME()). I am getting the error The server principal "UserName" is not able to access the database "DatabaseName" under the current security context. I have done everything I can think of to resolve the error including, exec sp_change_users_login 'update_one', 'UserName', 'UserName', I ran a script to check the database mappings and the user is mapped in both databases, I copied the permissions from Production and Applied them to Development, I dropped and re-created the user and applied all of the permissions, I've verified the user Securables and still the account is not accessing the database. I even logged into the SQL Server with the account and was able to query both databases without a problem. Am I somehow missing an obvious step?
Post #1542650
Posted Tuesday, February 18, 2014 12:28 PM
Ten Centuries

Ten CenturiesTen CenturiesTen CenturiesTen CenturiesTen CenturiesTen CenturiesTen CenturiesTen Centuries

Group: General Forum Members
Last Login: Friday, November 14, 2014 8:48 AM
Points: 1,141, Visits: 355
This fix to the issue was to set the database to "Trustworthy"

alter database DatabaseName set Trustworthy on
Post #1542708
Posted Tuesday, February 18, 2014 2:59 PM


SSC Eights!

SSC Eights!SSC Eights!SSC Eights!SSC Eights!SSC Eights!SSC Eights!SSC Eights!SSC Eights!

Group: General Forum Members
Last Login: Friday, December 12, 2014 1:02 AM
Points: 823, Visits: 753
No, that was not the fix! That can be a huge security problem!

Setting a database as trustworthy is OK, if everyone who has db_owner or db_securityadmin access in the database, also has sysadmin permissions - and there will never be anyone in the future who will have limited permissions.

To wit, anyone who has db_owner, but is not sysadmin can do EXECUTE AS as a sysadmin user, and then have sysadmin access on the server.

It is not exactly clear what you are doing. The scheme you describe should work if the users are added in the database and you don't attempt to add resources outside the database. But maybe you should do EXECUTE AS LOGIN instead.

There is all reason to investigate if you can do it without TRUSTWORTHY.


Erland Sommarskog, SQL Server MVP, www.sommarskog.se
Post #1542765
« Prev Topic | Next Topic »

Add to briefcase

Permissions Expand / Collapse