Solved

SQL Stored Procedure permission chain issue

Posted on 2009-05-12
487 Views
Last Modified: 2012-06-27
I have a stored procedure that selects a field (ufilter) from a table. The ufilter field contains a clause to use in a where statement to filter the records returned to the caller. Example of the contents of ufilter: make='Oldsmobile'. The sp should then read the content of the Cars table, based on the dynamically generated select statement.

I grant Execute rights on the spGetCars stored procedure. It runs fine when I execute it from my account. However, when I use a less privileged account, it tells me that select is not granted on the Cars table.

I grant execute rights on spGetCars to a less privileged Windows logon. As the Cars table has the same owner (dbo) as the stored procedure, shouldn't the permission chain allow selecting from the Cars table without explicitly granting select rights on the Cars table to the less privileged Windows logon account?

Thank you for any assistance you can provide.

spGetCars

```sql
set ANSI_NULLS ON
set QUOTED_IDENTIFIER ON
go

ALTER proc [dbo].[spGetCars]
(
	@uid varchar(30)
)
as

set nocount on

DECLARE @ufilter varchar(200)
DECLARE @uexpdate datetime
DECLARE @cmd varchar(200)

-- Look up the per-user filter fragment (e.g. make='Oldsmobile')
select @ufilter=ufilter, @uexpdate=uexpdate from UFILTERS where uid=@uid

-- No filter row for this uid: return an empty result set with the right
-- columns and stop. (Without the RETURN a NULL @ufilter falls through to
-- the ELSE branch below and builds a NULL command string.)
IF ISNULL(@ufilter, 'ZZTOP') = 'ZZTOP'
	BEGIN
		select * from Cars where 1 = 2
		RETURN
	END

IF @ufilter = 'NONE'
	BEGIN
		-- Static SQL: covered by the dbo -> dbo ownership chain
		select * from Cars order by Make, Model
	END
ELSE
	BEGIN
		-- Dynamic SQL: the concatenated statement runs as a separate batch
		set @cmd = 'select * from Cars where ' + @ufilter
		exec (@cmd)
	END
```

Question by: JEClark

Accepted Solution by: dzex13 (ID: 24366638)

You need to explicitly grant select permissions on the table Cars to the "less privileged" account and this should solve the problem.

Author Comment by: JEClark (ID: 24367297)

Thank you for the input. I agree that solves the problem, but is it necessary to explicitly grant the less privileged account select permission on the table Cars? My understanding is that the execute permission the less privileged account has on the stored procedure should mean that it can select from the Cars table, as the sp is using the table. Thanks again.

Assisted Solution by: Anthony Perkins (ID: 24371282)

>> My understanding is that the execute permission the less privileged account has on the stored procedure should mean that it can select from the Cars table, as the sp is using the table. <<
Nope. That is the biggest drawback to using Dynamic SQL: you need to grant permissions for any action in the Dynamic SQL.

Most people focus on the bad performance when using Dynamic SQL and overlook the fact that, by its very nature and the permissions you have to grant, it is a major security flaw. To the point that in many shops it is not even allowed.

Author Closing Comment by: JEClark (ID: 31580572)

Thank you for clearing this up. This certainly is a drawback in using dynamic SQL.

Expert Comment by: Anthony Perkins (ID: 24377491)

For such a simple Stored Procedure there is probably no need to use Dynamic SQL.  Feel free to ask a new question as to how you can convert that to get away from using Dynamic SQL.
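The following T-SQL is an added example and is not code from the question or from any of the commenters. It demonstrates the mechanism Anthony Perkins describes (the string handed to EXEC() runs as a separate batch whose permissions are checked against the caller, so the dbo -> dbo ownership chain that covers the static SELECT does not cover it) and then shows the rewrite without dynamic SQL that his last comment suggests, plus the WITH EXECUTE AS OWNER alternative with its caveat. The tables, rows, the LowPriv user, the MakeFilter column and the procedure names spGetCarsStatic and spGetCarsAsOwner are all constructed for the demo; it assumes SQL Server 2005 or later and a scratch database you own.

```sql
-- Added example: why EXECUTE on a dbo-owned procedure stops covering Cars once
-- the SELECT is built as dynamic SQL, and two ways out. Schema, rows and the
-- LowPriv user are constructed here; run in a scratch database (SQL Server 2005+).
CREATE TABLE dbo.Cars (CarId int IDENTITY(1,1) PRIMARY KEY,
                       Make varchar(50) NOT NULL, Model varchar(50) NOT NULL);
CREATE TABLE dbo.UFILTERS (uid varchar(30) PRIMARY KEY,
                           ufilter varchar(200) NULL, uexpdate datetime NULL);
INSERT dbo.Cars (Make, Model) VALUES ('Oldsmobile', 'Cutlass');
INSERT dbo.Cars (Make, Model) VALUES ('Ford', 'Taurus');
INSERT dbo.UFILTERS (uid, ufilter) VALUES ('alice', 'Make=''Oldsmobile''');
INSERT dbo.UFILTERS (uid, ufilter) VALUES ('bob', 'NONE');
-- Login-less database user standing in for the less privileged Windows logon;
-- it gets EXECUTE on the procedures and nothing at all on Cars.
CREATE USER LowPriv WITHOUT LOGIN;
GO

-- 1. The pattern from the question: the stored fragment is glued onto a string.
CREATE PROC dbo.spGetCars (@uid varchar(30)) AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @ufilter varchar(200), @cmd varchar(300);
    SELECT @ufilter = ufilter FROM dbo.UFILTERS WHERE uid = @uid;
    IF @ufilter IS NULL
        SELECT * FROM dbo.Cars WHERE 1 = 2;
    ELSE IF @ufilter = 'NONE'
        SELECT * FROM dbo.Cars ORDER BY Make, Model;   -- static: dbo->dbo chain
    ELSE
    BEGIN
        SET @cmd = 'SELECT * FROM dbo.Cars WHERE ' + @ufilter;
        EXEC (@cmd);   -- separate batch: permissions checked against the CALLER
    END
END
GO
GRANT EXECUTE ON dbo.spGetCars TO LowPriv;
GO

-- 2. Reproduce from one connection by impersonating LowPriv.
EXECUTE AS USER = 'LowPriv';
EXEC dbo.spGetCars @uid = 'bob';       -- works: the static SELECT is chained
BEGIN TRY
    EXEC dbo.spGetCars @uid = 'alice'; -- dynamic branch
END TRY
BEGIN CATCH
    -- Msg 229: The SELECT permission was denied on the object 'Cars' ...
    SELECT ERROR_NUMBER() AS ErrNo, ERROR_MESSAGE() AS Msg;
END CATCH
REVERT;
GO

-- 3. Fix A, what the last comment recommends: no dynamic SQL. Assumes the
--    filter can be stored as data (a Make to match, NULL = no filter) instead
--    of as a WHERE-clause fragment.
ALTER TABLE dbo.UFILTERS ADD MakeFilter varchar(50) NULL;
GO
UPDATE dbo.UFILTERS SET MakeFilter = 'Oldsmobile' WHERE uid = 'alice';
GO
CREATE PROC dbo.spGetCarsStatic (@uid varchar(30)) AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @make varchar(50), @found bit;
    SELECT @make = MakeFilter, @found = 1 FROM dbo.UFILTERS WHERE uid = @uid;
    IF @found IS NULL
        SELECT * FROM dbo.Cars WHERE 1 = 2;       -- unknown uid: no rows
    ELSE
        SELECT * FROM dbo.Cars
        WHERE @make IS NULL OR Make = @make       -- plain T-SQL, chain holds
        ORDER BY Make, Model;
END
GO
GRANT EXECUTE ON dbo.spGetCarsStatic TO LowPriv;
GO
EXECUTE AS USER = 'LowPriv';
EXEC dbo.spGetCarsStatic @uid = 'alice';  -- Oldsmobile row, no GRANT on Cars
REVERT;
GO

-- 4. Fix B: keep the dynamic SQL but run the module as its owner (dbo), so the
--    inner batch is checked as dbo. Caveat: ufilter still executes verbatim,
--    now with dbo's rights, so whoever can write UFILTERS can run any statement
--    as dbo. Acceptable only if UFILTERS is controlled as tightly as the code.
CREATE PROC dbo.spGetCarsAsOwner (@uid varchar(30))
WITH EXECUTE AS OWNER AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @ufilter varchar(200), @cmd varchar(300);
    SELECT @ufilter = ufilter FROM dbo.UFILTERS WHERE uid = @uid;
    SET @cmd = 'SELECT * FROM dbo.Cars WHERE '
             + CASE WHEN @ufilter IS NULL THEN '1 = 2'
                    WHEN @ufilter = 'NONE' THEN '1 = 1'
                    ELSE @ufilter END;
    EXEC (@cmd);
END
GO
GRANT EXECUTE ON dbo.spGetCarsAsOwner TO LowPriv;
GO
EXECUTE AS USER = 'LowPriv';
EXEC dbo.spGetCarsAsOwner @uid = 'alice';  -- succeeds without SELECT on Cars
REVERT;
GO
```

Step 2 is the check to run before reaching for a GRANT: impersonating the low-privilege user with EXECUTE AS USER shows that the 'NONE' path succeeds while the EXEC() path fails with error 229, which pins the problem on the dynamic batch rather than on the procedure's permissions. Fix A is the least-privilege answer; Fix B trades the missing GRANT on Cars for running attacker-controllable text as dbo, so it should only be used when the content of UFILTERS is as trusted as the procedure itself.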