Database Security Issue


cathy.baker
I have a development named instance of SQL 2008R2 running on Windows 2008. I have a SQL Login that has access to two databases and logins are allowed to Impersonate the user. When running the Execute as User statement, the user is Impersonated correctly (verified with select SUSER_NAME (), USER_NAME()). I am getting the error The server principal "UserName" is not able to access the database "DatabaseName" under the current security context. I have done everything I can think of to resolve the error including, exec sp_change_users_login 'update_one', 'UserName', 'UserName', I ran a script to check the database mappings and the user is mapped in both databases, I copied the permissions from Production and Applied them to Development, I dropped and re-created the user and applied all of the permissions, I've verified the user Securables and still the account is not accessing the database. I even logged into the SQL Server with the account and was able to query both databases without a problem. Am I somehow missing an obvious step?
cathy.baker
The fix to the issue was to set the database to "Trustworthy"

alter database DatabaseName set Trustworthy on
Erland Sommarskog
No, that was not the fix! That can be a huge security problem!

Setting a database as trustworthy is OK if everyone who has db_owner or db_securityadmin access in the database also has sysadmin permissions - and there will never be anyone in the future who will have limited permissions.

To wit, anyone who has db_owner but is not sysadmin can do EXECUTE AS as a sysadmin user, and then have sysadmin access on the server.

It is not exactly clear what you are doing. The scheme you describe should work if the users are added in the database and you don't attempt to add resources outside the database. But maybe you should do EXECUTE AS LOGIN instead.

There is every reason to investigate whether you can do it without TRUSTWORTHY.

Erland Sommarskog, SQL Server MVP, www.sommarskog.se
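
An added example, not part of either poster's messages: T-SQL to audit where TRUSTWORTHY is on and who could abuse it, then turn it off and test the EXECUTE AS LOGIN route suggested above. DatabaseName and UserName are the thread's own placeholders; OtherDatabase is a hypothetical name for the second database the login is mapped in.

```sql
-- 1. Which databases have TRUSTWORTHY on, and is the owner a sysadmin?
--    msdb is excluded because it ships with TRUSTWORTHY on by default.
SELECT d.name                   AS database_name,
       SUSER_SNAME(d.owner_sid) AS owner_login,
       IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid)) AS owner_is_sysadmin
FROM   sys.databases AS d
WHERE  d.is_trustworthy_on = 1
  AND  d.name <> N'msdb';
GO

-- 2. In a flagged database, list members of db_owner / db_securityadmin
--    who are NOT sysadmin. Any row here is a principal for whom the
--    TRUSTWORTHY setting is a path to server-level rights.
USE DatabaseName;
GO
SELECT r.name AS role_name,
       m.name AS member_name
FROM   sys.database_role_members AS rm
JOIN   sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN   sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE  r.name IN (N'db_owner', N'db_securityadmin')
  AND  ISNULL(IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(m.sid)), 0) = 0;
GO

-- 3. Turn the setting back off.
ALTER DATABASE DatabaseName SET TRUSTWORTHY OFF;
GO

-- 4. Impersonate at server scope instead of database scope.
--    EXECUTE AS USER confines the context to the current database;
--    EXECUTE AS LOGIN carries the login's own mappings into every
--    database it has a user in. The caller needs IMPERSONATE on the login.
EXECUTE AS LOGIN = N'UserName';
SELECT SUSER_NAME() AS login_name, USER_NAME() AS user_name;
SELECT TOP (1) name FROM OtherDatabase.sys.objects;  -- cross-database check
REVERT;
GO
```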