Home Forums Article Discussions Article Discussions by Author Discuss content posted by Patrick Cahill Execute As RE: Execute As

  • October 11, 2013 at 12:32 am

    #1657795

    First of all, congratulations. I'd always wanted to check out encryption and that article made my day! 🙂

    I know a little bit (a dangerous thing, I know!) about execute as, especially the joy of switching context across databases, but I digress... Anyway, just curious about your reasons for using impersonation (in the context of your example).

    >By using the "execute as" I am better able to control which users have access to the encrypted data

    If I follow your example correctly, anyone with execute rights on getDecryptionwithExecute gets the EncryptionUser permissions and hence full access to the decrypted data...

    I would have thought that the approach might be something like:

    Grant execute to getDecryption to EncryptionUser

    Deny execute on object::getDecryption to [MyUsers]

    then after that the only way to access the encrypted data would be to impersonate EncryptionUser

    execute as EncryptionUser

    exec getDecryption

    revert