Solved

SQL Stored Procedure permission chain issue

Posted on 2009-05-12
5
500 Views
Last Modified: 2012-06-27
I have a stored procedure that selects a field(ufilter) from a table.  The ufilter field contains a clause to use in a where statement to filter the records returned to the caller.  Example of contents of ufilter:  make='Oldsmobile'  .  The sp then should read the  content of the cars table, based on the the dymanically generated select statement

I grant Execute rights on the spGetCars stored procedure.  Runs fine when I execute it from my account.  However, when I use a less privileged account, tells me that select is not granted on Cars table.

I grant execute rights to the spGetCars for a less privilieged windows logon.  As the Cars table has the same owner (dbo) as the stored procedure, shouldn't the permission chain allow selecting from the Cars table without explicitly granting the select rights on the Cars table to the less privilieged windows logon account?

Thank you for any assitance you can provide.

spGetCars
 
set ANSI_NULLS ON
set QUOTED_IDENTIFIER ON
go
 
 
ALTER proc [dbo].[spGetCars]
(
@uid varchar(30)
)
as
 
set nocount on
 
DECLARE @ufilter varchar(200)
DECLARE @uexpdate datetime
DECLARE @cmd varchar(200)
 
 
select @ufilter=ufilter, @uexpdate=uexpdate from UFILTERS where uid=@uid
 
 
IF ISNULL(@ufilter, 'ZZTOP') = 'ZZTOP'
	BEGIN
		select * from Cars where 1 = 2
	END
 
IF @ufilter = 'NONE'
	BEGIN
		select * from Cars order by Make, Model
	END
ELSE
	BEGIN
		set @cmd = 'select * from Cars where ' + @ufilter
		exec (@cmd)
	END

Open in new window

0
Comment
Question by:JEClark
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 2

Accepted Solution

by:
dzex13 earned 250 total points
ID: 24366638

You need explicitly grant select permissions to the table Cars for the "less privileged"account and this should solve the problem.
0
 

Author Comment

by:JEClark
ID: 24367297
Thank you for the input.  I agree that solves the problem but is it necessary to explicitly grant the less privileged account select permission on the table Cars?  My understanding is that the execute permissions the less privlieged account on the stored procedure has should mean that it can select from the Cars table as the sp is using the table.  Thanks again.
0
 
LVL 75

Assisted Solution

by:Anthony Perkins
Anthony Perkins earned 250 total points
ID: 24371282
>> My understanding is that the execute permissions the less privlieged account on the stored procedure has should mean that it can select from the Cars table as the sp is using the table.<<
Nope.  That is the biggest drawback to using Dynamic SQL:  You need to give prmissions to any action in the Dynamic SQL.

Most people focus on the bad performance when using Dynamic SQL and overlook the fact that by its very nature and the permissions you have to grant it is a major security flaw.  To the point that in many shops it is not even allowed.
0
 

Author Closing Comment

by:JEClark
ID: 31580572
Thank you for clearing this up.  This certainly is a drawback in using dynamic SQL
0
 
LVL 75

Expert Comment

by:Anthony Perkins
ID: 24377491
For such a simple Stored Procedure there is probably no need to use Dynamic SQL.  Feel free to ask a new question as to how you can convert that to get away from using Dynamic SQL.
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
SQL Database - Move Tables from one Database to Another 4 50
SQL Query help 3 24
populate value based on what is selected in lov 2 37
Error 438 6 16
This article explains all about SQL Server Piecemeal Restore with examples in step by step manner.
Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
Video by: Steve
Using examples as well as descriptions, step through each of the common simple join types, explaining differences in syntax, differences in expected outputs and showing how the queries run along with the actual outputs based upon a simple set of dem…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question