September 17, 2005 at 2:08 pm
Hello,
I want to give NON sysadmin users (regular users) permissions to execute this stored procedure "sp_OaCreate" and also "sp_OaMethod".
Is it possible to do this using "Proxy Accounts"? Can anybody explain the steps to do so to me?
Thanks,
Ganesh
September 19, 2005 at 11:16 am
You need three steps:
1) Add this login to master db
2) GRANT EXECUTE ON sp_OACreate TO [user name of the login in master db]
3) Define a proxy account for non-sysadmin login
September 19, 2005 at 11:21 am
Forgot one thing. If you just need to use the sp_OA.. SPs, not xp_cmdshell, and you do not have an ActiveX script job owned by the login, the proxy account is not necessary.
September 19, 2005 at 11:49 am
Thanks for the reply, Peter. That was the only way I would make it work; treat the Sp_Oa SPs like any other SP for permissions. But why does BOL say that "Sp_OA" requires "sysadmin" role then, when I can simply grant execute to any regular user?
Also, why is this proxy account limited to only ActiveScripting and xp_cmdshell? I thought I could use the proxy accounts for anything that requires a sysadmin role.
BTW, am I exposing the database for attacks by allowing execute permission on sp_Oa methods?
Thanks,
Ganesh
September 19, 2005 at 12:19 pm
1) "But why does BOL say that "Sp_OA" requires "sysadmin" role then, when I can simply grant execute to any regular user?"
What BOL said is the DEFAULT permission.
2) "Also, why is this proxy account limited to only ActiveScripting and xp_cmdshell?"
I don't know the background of why MS made this decision. Maybe MS thought command shell and ActiveX script are more risky than sp_OA..
3) "BTW, am I exposing the database for attacks by allowing execute permission on sp_Oa methods?"
Kinda, because now if a person can hack the password of that user, he can create and run whatever COM objects and methods on your server via TSQL.
But I don't think you need to worry about this too much. And it depends on how important/critical the system is.
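Added example, not part of the original thread: the grant steps described above written out in T-SQL, followed by the audit and revoke a DBA would use to keep this exposure visible and reversible. It goes slightly beyond the thread by granting through a dedicated role instead of directly to the user; `AppLogin`, `AppUser` and `ole_automation_users` are hypothetical names, and the syntax assumes a SQL Server 2000-era instance.

```sql
-- Constructed example. AppLogin, AppUser and ole_automation_users are
-- hypothetical names; SQL Server 2000-era system procedures are assumed.
USE master;
GO

-- Step 1: map the existing non-sysadmin login to a user in master,
-- where the sp_OA* procedures live.
EXEC sp_grantdbaccess @loginame = N'AppLogin', @name_in_db = N'AppUser';
GO

-- Step 2: grant EXECUTE through a dedicated role, so that everyone who can
-- instantiate COM objects on the server is listed in one place.
EXEC sp_addrole @rolename = N'ole_automation_users';
EXEC sp_addrolemember @rolename = N'ole_automation_users',
                      @membername = N'AppUser';
GO
GRANT EXECUTE ON sp_OACreate TO ole_automation_users;
GRANT EXECUTE ON sp_OAMethod TO ole_automation_users;
GO

-- Audit: list every principal that currently holds permissions on the
-- two procedures. Anything other than the dedicated role is unexpected.
EXEC sp_helprotect @name = N'sp_OACreate';
EXEC sp_helprotect @name = N'sp_OAMethod';
GO

-- Roll back when the access is no longer needed.
REVOKE EXECUTE ON sp_OACreate FROM ole_automation_users;
REVOKE EXECUTE ON sp_OAMethod FROM ole_automation_users;
EXEC sp_droprolemember @rolename = N'ole_automation_users',
                       @membername = N'AppUser';
GO
```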