SQLServerCentral is supported by Redgate

SQL User to Delete from several databases on instance
zoggling
Ten Centuries
Group: General Forum Members
Points: 1353 Visits: 121
We have a number of T-SQL statements contained in a variable @SQL nvarchar(MAX) which need to be executed within a stored procedure at runtime. For example:

CREATE PROCEDURE mysproc
AS
BEGIN
    DECLARE @SQL nvarchar(MAX);
    -- Build one batch of cross-database deletes, terminating each statement.
    SELECT @SQL = N'DELETE FROM db1.dbo.Table1;';
    SELECT @SQL += N'DELETE FROM db2.dbo.Table1;';
    SELECT @SQL += N'DELETE FROM db3.dbo.Table1;';
    EXEC (@SQL);
END
GO

However, we are receiving errors relating to security around this.

We suspect we may need to create a SQL login, which is mapped to all relevant databases within the instance, and then create individual users within each database which map to this login, before applying the db_datareader database role to each user.

We have done this, however this is returning the following error message:

The server principal "S-1-9-3-1979612751-1205369817-371524777-3428266560." is not able to access the database "db1" under the current security context.

Is anyone please able to detail what we need to do to achieve this? We don't want to open up any vulnerabilities, but require the stored procedure to be able to delete data from tables across several databases as detailed above.

Many thanks

John Mitchell-245523
SSC Guru
Group: General Forum Members
Points: 106222 Visits: 18610
zoggling - Tuesday, February 6, 2018 3:31 AM
We have a number of T-SQL statements contained in a variable @SQL nvarchar(MAX) which need to be executed within a stored procedure at runtime. For example:

CREATE PROCEDURE mysproc
AS
BEGIN
    DECLARE @SQL nvarchar(MAX);
    -- Build one batch of cross-database deletes, terminating each statement.
    SELECT @SQL = N'DELETE FROM db1.dbo.Table1;';
    SELECT @SQL += N'DELETE FROM db2.dbo.Table1;';
    SELECT @SQL += N'DELETE FROM db3.dbo.Table1;';
    EXEC (@SQL);
END
GO

However, we are receiving errors relating to security around this.

We suspect we may need to create a SQL login, which is mapped to all relevant databases within the instance, and then create individual users within each database which map to this login, before applying the db_datareader database role to each user.

We have done this, however this is returning the following error message:

The server principal "S-1-9-3-1979612751-1205369817-371524777-3428266560." is not able to access the database "db1" under the current security context.

Is anyone please able to detail what we need to do to achieve this? We don't want to open up any vulnerabilities, but require the stored procedure to be able to delete data from tables across several databases as detailed above.

Many thanks

If you want to delete, you'll need more than db_datareader. But I don't think that's the cause of your error message. I take it the login you created isn't called S-1-9-3-1979612751-1205369817-371524777-3428266560? Do you get the same error in every database? What do you get if you run this query (it's from memory so the columns and syntax may not be 100% correct)?

-- Match the server login to the database user through the SID, not the name.
SELECT * FROM sys.server_principals l
JOIN db1.sys.database_principals u ON l.sid = u.sid
WHERE l.name = 'MyLoginName';


John


zoggling
Ten Centuries
Group: General Forum Members
Points: 1353 Visits: 121
Hi John,

Thank you for your reply, yes apologies you have spotted two typos of mine:
- The login is called something very simple (e.g. "DeleteMyRows") rather than the string of numbers and letters I posted. This was a hangover from a "SQL user without login" test we ran, but we suspect this will not work since the stored procedure needs to delete from (and authenticate with) multiple databases.
- I meant db_datawriter rather than db_datareader, apologies.

Do we need to grant explicit DELETE permissions on each of the tables the database User needs to delete from?

What steps do we essentially need to take to get a stored procedure to be able to delete from tables in multiple databases in the way I mentioned previously?

John Mitchell-245523
SSC Guru
Group: General Forum Members
Points: 106222 Visits: 18610
You didn't post the results of the query I posted, but I suspect the user doesn't exist in the target database, or is orphaned.

USE db1
CREATE USER DeleteMyRows FROM LOGIN DeleteMyRows


or

USE db1
ALTER USER DeleteMyRows WITH LOGIN = DeleteMyRows


I've never tried creating a stored procedure to do operations in more than one database at a time. Have a read about cross-database ownership chaining and see what works for you. Don't enable CDOC if you can avoid it - it's a security minefield!

John
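
John's SID-join query above checks one database at a time, and this reply says the likely cause is a user that is missing or orphaned in the target database. The script below is an added example (it is not from either poster) that does the same check for a single login across every online database on the instance, classifying each database as "mapped", "orphaned (SID mismatch)" or "no user". It assumes you run it with enough rights to read sys.database_principals in each database (sysadmin is the simplest case); the login name DeleteMyRows is the placeholder from the thread.

```sql
-- Added example: audit one login's user mapping in every online database.
-- "orphaned" here means a user exists with the login's NAME but a different SID,
-- which is exactly the case ALTER USER ... WITH LOGIN = ... repairs.
DECLARE @LoginName sysname = N'DeleteMyRows';   -- placeholder login name
DECLARE @Sid varbinary(85) =
    (SELECT sid FROM sys.server_principals WHERE name = @LoginName);

IF @Sid IS NULL
BEGIN
    RAISERROR(N'Login %s does not exist on this instance.', 16, 1, @LoginName);
    RETURN;
END;

CREATE TABLE #Mapping
(
    database_name sysname      NOT NULL,
    user_by_sid   sysname      NULL,   -- user whose SID matches the login
    user_by_name  sysname      NULL,   -- user that only shares the login's name
    status        nvarchar(30) NOT NULL
);

DECLARE @DbName sysname, @Stmt nvarchar(MAX);

DECLARE db_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM sys.databases
    WHERE state_desc = N'ONLINE' AND name <> N'tempdb';

OPEN db_cursor;
FETCH NEXT FROM db_cursor INTO @DbName;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- The only value spliced into the string is the database name, wrapped in
    -- QUOTENAME; everything else travels as sp_executesql parameters.
    SET @Stmt = N'
        INSERT INTO #Mapping (database_name, user_by_sid, user_by_name, status)
        SELECT @db,
               s.name,
               n.name,
               CASE WHEN s.name IS NOT NULL THEN N''mapped''
                    WHEN n.name IS NOT NULL THEN N''orphaned (SID mismatch)''
                    ELSE N''no user''
               END
        FROM (SELECT 1 AS one) AS seed
        LEFT JOIN ' + QUOTENAME(@DbName) + N'.sys.database_principals AS s
               ON s.sid = @sid
        LEFT JOIN ' + QUOTENAME(@DbName) + N'.sys.database_principals AS n
               ON n.name = @login AND n.sid <> @sid;';

    EXEC sys.sp_executesql
         @Stmt,
         N'@db sysname, @sid varbinary(85), @login sysname',
         @db = @DbName, @sid = @Sid, @login = @LoginName;

    FETCH NEXT FROM db_cursor INTO @DbName;
END;
CLOSE db_cursor;
DEALLOCATE db_cursor;

SELECT database_name, user_by_sid, user_by_name, status
FROM #Mapping
ORDER BY database_name;

DROP TABLE #Mapping;
```

A "no user" row for db1 reproduces the "not able to access the database" error from the first post; an "orphaned" row means CREATE USER will fail with a name collision and ALTER USER ... WITH LOGIN is the right fix. Running the check from a cursor over sys.databases avoids the undocumented sp_MSforeachdb, and parameterising the SID keeps the dynamic string free of caller-controlled text.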


zoggling
Ten Centuries
Group: General Forum Members
Points: 1353 Visits: 121
Apologies for the delayed response. Not wanting to resort to CDOC, we found a workaround as follows:
- We split the stored procedure into two, the first with hard-coded delete statements against a different database (not requiring any additional security), the second with dynamic statements against the main database using EXEC(@SQL); Create both procedures on the main database.
- Create a user without login on the main database and add to the db_datareader and db_datawriter database roles.
- Run the second stored procedure in the context of this new user (i.e. EXECUTE AS 'MyUser').
This seems to have been the workaround for us, but I am sure CDOC could have been of help too so I will mark both as part of the answer, thank you for your help.
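
The workaround in this last post (a user without login on the main database, a procedure that runs dynamic DELETEs under EXECUTE AS that user) is a sound way to avoid cross-database ownership chaining, and it can be tightened further than db_datareader plus db_datawriter. The script below is an added example, not the poster's actual code, showing that pattern with explicit DELETE grants on the named tables only; MainDb, DeleteRunner, dbo.Table1, dbo.Table2, AppCaller and usp_PurgeMainDb are placeholder names.

```sql
-- Added example: sandboxed dynamic deletes confined to one database.
USE MainDb;
GO

-- 1. A database-scoped principal with no server login. Nobody can connect as it,
--    and while MainDb is not TRUSTWORTHY its context cannot reach other databases,
--    which is why the thread keeps the dynamic part inside the main database.
CREATE USER DeleteRunner WITHOUT LOGIN;
GO

-- 2. Least privilege: DELETE on the specific tables rather than db_datawriter
--    (which would also allow INSERT and UPDATE on every table in the database).
GRANT DELETE ON dbo.Table1 TO DeleteRunner;
GRANT DELETE ON dbo.Table2 TO DeleteRunner;
GO

-- 3. The dynamic procedure runs as DeleteRunner for the duration of its body.
--    The table list is a fixed allow-list read from catalog views, never from
--    caller input, so the generated string cannot be pointed at other objects.
CREATE PROCEDURE dbo.usp_PurgeMainDb
WITH EXECUTE AS 'DeleteRunner'
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @SQL nvarchar(MAX) = N'';

    SELECT @SQL += N'DELETE FROM ' + QUOTENAME(s.name) + N'.' + QUOTENAME(t.name)
                 + N';' + NCHAR(10)
    FROM sys.tables AS t
    JOIN sys.schemas AS s ON s.schema_id = t.schema_id
    WHERE s.name = N'dbo'
      AND t.name IN (N'Table1', N'Table2');

    EXEC sys.sp_executesql @SQL;
END;
GO

-- 4. Callers get EXECUTE on the procedure only; they never hold DELETE themselves.
GRANT EXECUTE ON dbo.usp_PurgeMainDb TO AppCaller;
GO

-- 5. Verify the sandbox from a sysadmin session: DeleteRunner can delete from the
--    two tables and nothing else. Expected results are 1, 0, 0.
EXECUTE AS USER = 'DeleteRunner';
SELECT HAS_PERMS_BY_NAME('dbo.Table1', 'OBJECT', 'DELETE') AS can_delete_table1,
       HAS_PERMS_BY_NAME('dbo.Table1', 'OBJECT', 'SELECT') AS can_select_table1,
       HAS_PERMS_BY_NAME('dbo.Table3', 'OBJECT', 'DELETE') AS can_delete_table3;
REVERT;
GO
```

The important property is that the impersonated context ends at the database boundary: if the dynamic string referenced db2.dbo.Table1 it would fail under DeleteRunner unless the database were marked TRUSTWORTHY, which is the same kind of instance-wide exposure the thread is trying to avoid with CDOC. That is why the first, hard-coded procedure in the post runs under the caller's own permissions in the other database, and only the single-database dynamic procedure uses EXECUTE AS.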