Solved

SQL Stored Procedure permission chain issue

Posted on 2009-05-12
5
499 Views
Last Modified: 2012-06-27
I have a stored procedure that selects a field(ufilter) from a table.  The ufilter field contains a clause to use in a where statement to filter the records returned to the caller.  Example of contents of ufilter:  make='Oldsmobile'  .  The sp then should read the  content of the cars table, based on the the dymanically generated select statement

I grant Execute rights on the spGetCars stored procedure.  Runs fine when I execute it from my account.  However, when I use a less privileged account, tells me that select is not granted on Cars table.

I grant execute rights to the spGetCars for a less privilieged windows logon.  As the Cars table has the same owner (dbo) as the stored procedure, shouldn't the permission chain allow selecting from the Cars table without explicitly granting the select rights on the Cars table to the less privilieged windows logon account?

Thank you for any assitance you can provide.

spGetCars
 
set ANSI_NULLS ON
set QUOTED_IDENTIFIER ON
go
 
 
ALTER proc [dbo].[spGetCars]
(
@uid varchar(30)
)
as
 
set nocount on
 
DECLARE @ufilter varchar(200)
DECLARE @uexpdate datetime
DECLARE @cmd varchar(200)
 
 
select @ufilter=ufilter, @uexpdate=uexpdate from UFILTERS where uid=@uid
 
 
IF ISNULL(@ufilter, 'ZZTOP') = 'ZZTOP'
	BEGIN
		select * from Cars where 1 = 2
	END
 
IF @ufilter = 'NONE'
	BEGIN
		select * from Cars order by Make, Model
	END
ELSE
	BEGIN
		set @cmd = 'select * from Cars where ' + @ufilter
		exec (@cmd)
	END

Open in new window

0
Comment
Question by:JEClark
  • 2
  • 2
5 Comments
 
LVL 2

Accepted Solution

by:
dzex13 earned 250 total points
ID: 24366638

You need explicitly grant select permissions to the table Cars for the "less privileged"account and this should solve the problem.
0
 

Author Comment

by:JEClark
ID: 24367297
Thank you for the input.  I agree that solves the problem but is it necessary to explicitly grant the less privileged account select permission on the table Cars?  My understanding is that the execute permissions the less privlieged account on the stored procedure has should mean that it can select from the Cars table as the sp is using the table.  Thanks again.
0
 
LVL 75

Assisted Solution

by:Anthony Perkins
Anthony Perkins earned 250 total points
ID: 24371282
>> My understanding is that the execute permissions the less privlieged account on the stored procedure has should mean that it can select from the Cars table as the sp is using the table.<<
Nope.  That is the biggest drawback to using Dynamic SQL:  You need to give prmissions to any action in the Dynamic SQL.

Most people focus on the bad performance when using Dynamic SQL and overlook the fact that by its very nature and the permissions you have to grant it is a major security flaw.  To the point that in many shops it is not even allowed.
0
 

Author Closing Comment

by:JEClark
ID: 31580572
Thank you for clearing this up.  This certainly is a drawback in using dynamic SQL
0
 
LVL 75

Expert Comment

by:Anthony Perkins
ID: 24377491
For such a simple Stored Procedure there is probably no need to use Dynamic SQL.  Feel free to ask a new question as to how you can convert that to get away from using Dynamic SQL.
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This article describes how to use the timestamp of existing data in a database to allow Tableau to calculate the prior work day instead of relying on case statements or if statements to calculate the days of the week.
As technology users and professionals, we’re always learning. Our universal interest in advancing our knowledge of the trade is unmatched by most industries. It’s a curiosity that makes sense, given the climate of change. Within that, there lies a…
Video by: Steve
Using examples as well as descriptions, step through each of the common simple join types, explaining differences in syntax, differences in expected outputs and showing how the queries run along with the actual outputs based upon a simple set of dem…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question