Solved

Stored Procedure check Permissions SQL Server 2000

Posted on 2004-03-31
6
1,586 Views
Last Modified: 2012-05-04
I have a stored procedure that I pass a table name into as a parameter from vb.net.  I could also pass in user name if I cannot get it from sql server.

Is it possible for me to see if a user executing the stored procedure has select rights on the table and exit if not?

My table permissions are set by roles (ie. I have three users in a role)  I have granted permissions to the role and not each of the three users.

Thanks
0
Comment
Question by:barnetjeb
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 2

Expert Comment

by:kiprimshot
ID: 10725925
sp_helprotect 'table_name' will tell you the permissions for a table...by permission group
0
 
LVL 2

Assisted Solution

by:kiprimshot
kiprimshot earned 100 total points
ID: 10726131
sp_helprolemember 'RoleName' will tell you all the members of a role

both together could get you what you want... but there may be a better way
0
 
LVL 7

Expert Comment

by:Lori99
ID: 10726582
How about this.  Execute a simple SELECT against the table requested and check for a 'permission denied' error message.  I think the message number you want would be 229.  It would probably be more efficient and easier than executing multiple stored procedures to determine the user's permissions.
0
Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

 

Author Comment

by:barnetjeb
ID: 10727027
I have a stored proc like this

Set @strsql = 'delete from ' + @table_name + ' where ' + @id_field + ' = ' +  @id_value
exec @strsql

I think I ran into it before that it would just go ahead and execute this if the user had execute permissions on the stored procedure even though he did not have delete permissions on the table.

I was thinking I could do some sort of check first to make sure the user has delete permissions, if not exit my stored proc.



0
 
LVL 7

Expert Comment

by:Lori99
ID: 10727179
Good point.  Even though you mentioned this was a stored procedure, I didn't take that into account.  You could use SYSTEM_USER to determine who is executing the procedure.  Then do as kiprimshot mentions above and use sp_helprotect and sp_helprolemember to figure out if they are allowed to delete from the table.  It seems like there should be a better way.  I'll keep thinking about it.
0
 
LVL 7

Accepted Solution

by:
Lori99 earned 400 total points
ID: 10727370
I found something you can use.  There is a PERMISSIONS function that will validate a user's object permissions.  The syntax is something like this.

if PERMISSIONS(OBJECT_ID(@table_name)) &0x10 = 0x10
  <user can delete, go ahead and delete>
else
  <user can't delete, kick them out of here>

The bitmap used varies based on what object permissions you want to check.  See this link for more information on syntax and usage.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/tsqlref/ts_pa-pz_6f78.asp
0

Featured Post

Webinar: Choosing a MySQL HA Solution

Join Percona’s Principal Technical Services Engineer, Marcos Albe as he presents Choosing a MySQL High Availability Solution on Thursday, June 29, 2017 at 10:00 am PDT / 2:00 pm EDT (UTC-7).

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Using SQL Scripts we can save all the SQL queries as files that we use very frequently on our database later point of time. This is one of the feature present under SQL Workshop in Oracle Application Express.
These days, all we hear about hacktivists took down so and so websites and retrieved thousands of user’s data. One of the techniques to get unauthorized access to database is by performing SQL injection. This article is quite lengthy which gives bas…
Video by: Steve
Using examples as well as descriptions, step through each of the common simple join types, explaining differences in syntax, differences in expected outputs and showing how the queries run along with the actual outputs based upon a simple set of dem…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question