Solved

SQL Stored Procedure permission chain issue

Posted on 2009-05-12
5
497 Views
Last Modified: 2012-06-27
I have a stored procedure that selects a field(ufilter) from a table.  The ufilter field contains a clause to use in a where statement to filter the records returned to the caller.  Example of contents of ufilter:  make='Oldsmobile'  .  The sp then should read the  content of the cars table, based on the the dymanically generated select statement

I grant Execute rights on the spGetCars stored procedure.  Runs fine when I execute it from my account.  However, when I use a less privileged account, tells me that select is not granted on Cars table.

I grant execute rights to the spGetCars for a less privilieged windows logon.  As the Cars table has the same owner (dbo) as the stored procedure, shouldn't the permission chain allow selecting from the Cars table without explicitly granting the select rights on the Cars table to the less privilieged windows logon account?

Thank you for any assitance you can provide.

spGetCars
 
set ANSI_NULLS ON
set QUOTED_IDENTIFIER ON
go
 
 
ALTER proc [dbo].[spGetCars]
(
@uid varchar(30)
)
as
 
set nocount on
 
DECLARE @ufilter varchar(200)
DECLARE @uexpdate datetime
DECLARE @cmd varchar(200)
 
 
select @ufilter=ufilter, @uexpdate=uexpdate from UFILTERS where uid=@uid
 
 
IF ISNULL(@ufilter, 'ZZTOP') = 'ZZTOP'
	BEGIN
		select * from Cars where 1 = 2
	END
 
IF @ufilter = 'NONE'
	BEGIN
		select * from Cars order by Make, Model
	END
ELSE
	BEGIN
		set @cmd = 'select * from Cars where ' + @ufilter
		exec (@cmd)
	END

Open in new window

0
Comment
Question by:JEClark
  • 2
  • 2
5 Comments
 
LVL 2

Accepted Solution

by:
dzex13 earned 250 total points
ID: 24366638

You need explicitly grant select permissions to the table Cars for the "less privileged"account and this should solve the problem.
0
 

Author Comment

by:JEClark
ID: 24367297
Thank you for the input.  I agree that solves the problem but is it necessary to explicitly grant the less privileged account select permission on the table Cars?  My understanding is that the execute permissions the less privlieged account on the stored procedure has should mean that it can select from the Cars table as the sp is using the table.  Thanks again.
0
 
LVL 75

Assisted Solution

by:Anthony Perkins
Anthony Perkins earned 250 total points
ID: 24371282
>> My understanding is that the execute permissions the less privlieged account on the stored procedure has should mean that it can select from the Cars table as the sp is using the table.<<
Nope.  That is the biggest drawback to using Dynamic SQL:  You need to give prmissions to any action in the Dynamic SQL.

Most people focus on the bad performance when using Dynamic SQL and overlook the fact that by its very nature and the permissions you have to grant it is a major security flaw.  To the point that in many shops it is not even allowed.
0
 

Author Closing Comment

by:JEClark
ID: 31580572
Thank you for clearing this up.  This certainly is a drawback in using dynamic SQL
0
 
LVL 75

Expert Comment

by:Anthony Perkins
ID: 24377491
For such a simple Stored Procedure there is probably no need to use Dynamic SQL.  Feel free to ask a new question as to how you can convert that to get away from using Dynamic SQL.
0

Featured Post

Master Your Team's Linux and Cloud Stack

Come see why top tech companies like Mailchimp and Media Temple use Linux Academy to build their employee training programs.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

I'm trying, I really am. But I've seen so many wrong approaches involving date(time) boundaries I despair about my inability to explain it. I've seen quite a few recently that define a non-leap year as 364 days, or 366 days and the list goes on. …
I annotated my article on ransomware somewhat extensively, but I keep adding new references and wanted to put a link to the reference library.  Despite all the reference tools I have on hand, it was not easy to find a way to do this easily. I finall…
Video by: Steve
Using examples as well as descriptions, step through each of the common simple join types, explaining differences in syntax, differences in expected outputs and showing how the queries run along with the actual outputs based upon a simple set of dem…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question