• WITH EXECUTE AS can fall down if there are cross-database calls.

    To answer your question, yes, there is a way to setup your database security such that the Database User only has EXECUTE permissions on the stored procedure and no direct permissions to the underlying objects that procedure accesses. As for how to achieve that, it will depend on what the proc does. If you can post the code we can better assist. It could be as simple as changing TRUNCATE to DELETE if all objects are in the same database and owned by the same Database Principal, in which case Ownership Chaining will cover the necessary scenarios. If changing code is not an option and WITH EXECUTE AS will not work due to corss-database calls then you can look into impersonation or certificate signing.

    There are no special teachers of virtue, because virtue is taught by the whole community.
    --Plato