User can delete rows from a table by calling a stored procedure (SP) while the user doesn't have permission to delete from the table

  • Hi

    I am confused.

    I denied Delete permission on a table for a user.

    But the user also deletes records from the app!!!

    I checked it from the SQL Server console:

    I logged in as the user, then executed a stored procedure that deletes records from that table. And SQL Server doesn't check the user's permission on the table.

    Why does this happen?

    Thank you

  • that is normal, expected behavior.

    by design, you can grant a person access to a stored procedure which may affect objects the end user does not have access to.

    using ownership chaining, the stored procedure runs under the context of the owner of the procedure, who DOES have access to the underlying objects.

    so the end user may have access to a handful of procedures for insert/update/delete/select, but not the underlying objects.

    if your user should not delete data, you remove access to the procedure in question, so he can still use other procedures instead.

    Lowell


    --help us help you! If you post a question, make sure you include a CREATE TABLE... statement and INSERT INTO... statement into that table to give the volunteers here representative data. with your description of the problem, we can provide a tested, verifiable solution to your question! asking the question the right way gets you a tested answer the fastest way possible!

  • Thank you

    But this problem should have a solution.

    As you say, probably there is a bug in the app that deletes records from this table by this SP or another?

    As a first step I denied the user Execute permission on this SP. And I should hope that there is not any other SP.
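
Added example (not part of the original thread or any poster's code): a T-SQL script that reproduces the ownership-chaining behaviour described in the reply above, then lists every procedure that references the table and contains DELETE, together with who holds EXECUTE on it, which is the check the last post is hoping for. All object and user names (dbo.DemoOrders, dbo.usp_DemoDeleteOrder, DemoAppUser) are constructed for the demo; it assumes a scratch database and a db_owner session.

```sql
-- Constructed demo objects (hypothetical names); run in a scratch database as db_owner.
CREATE TABLE dbo.DemoOrders (OrderId int PRIMARY KEY);
INSERT INTO dbo.DemoOrders VALUES (1), (2);
CREATE USER DemoAppUser WITHOUT LOGIN;
DENY DELETE ON dbo.DemoOrders TO DemoAppUser;
GO
CREATE PROCEDURE dbo.usp_DemoDeleteOrder @OrderId int
AS
    DELETE FROM dbo.DemoOrders WHERE OrderId = @OrderId;
GO
GRANT EXECUTE ON dbo.usp_DemoDeleteOrder TO DemoAppUser;
GO
-- 1) Reproduce the behaviour: direct DELETE is denied, DELETE through the procedure is not.
EXECUTE AS USER = 'DemoAppUser';
BEGIN TRY
    DELETE FROM dbo.DemoOrders WHERE OrderId = 1;   -- table permission is checked here
END TRY
BEGIN CATCH
    PRINT 'Direct DELETE blocked: ' + ERROR_MESSAGE();
END CATCH;
EXEC dbo.usp_DemoDeleteOrder @OrderId = 2;          -- same owner: only EXECUTE is checked
REVERT;
SELECT OrderId FROM dbo.DemoOrders;                 -- shows which rows survived
GO
-- 2) Audit: procedures that reference the table, mention DELETE, and their EXECUTE grants.
--    The LIKE filter is a coarse text match; object-level grants only (schema- or
--    database-level EXECUTE and role membership must be reviewed separately).
SELECT DISTINCT
       OBJECT_SCHEMA_NAME(p.object_id) AS proc_schema,
       p.name                          AS proc_name,
       CASE WHEN OBJECTPROPERTY(p.object_id, 'OwnerId')
               = OBJECTPROPERTY(d.referenced_id, 'OwnerId')
            THEN 'unbroken (table permissions skipped)'
            ELSE 'broken (table permissions checked)' END AS ownership_chain,
       pr.name AS grantee, pr.type_desc AS grantee_type, perm.state_desc
FROM sys.sql_expression_dependencies AS d
JOIN sys.procedures AS p ON p.object_id = d.referencing_id
LEFT JOIN sys.database_permissions AS perm
       ON perm.class = 1 AND perm.major_id = p.object_id
      AND perm.minor_id = 0 AND perm.permission_name = 'EXECUTE'
LEFT JOIN sys.database_principals AS pr ON pr.principal_id = perm.grantee_principal_id
WHERE d.referenced_id = OBJECT_ID(N'dbo.DemoOrders')
  AND OBJECT_DEFINITION(p.object_id) LIKE N'%DELETE%';
GO
-- Cleanup of the constructed objects.
DROP PROCEDURE dbo.usp_DemoDeleteOrder;
DROP TABLE dbo.DemoOrders;
DROP USER DemoAppUser;
```

Procedures that build their statements as dynamic SQL do not appear in sys.sql_expression_dependencies, so this listing does not cover them.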
