?
Solved

SQL Stored Procedure permission chain issue

Posted on 2009-05-12
5
Medium Priority
?
517 Views
Last Modified: 2012-06-27
I have a stored procedure that selects a field(ufilter) from a table.  The ufilter field contains a clause to use in a where statement to filter the records returned to the caller.  Example of contents of ufilter:  make='Oldsmobile'  .  The sp then should read the  content of the cars table, based on the the dymanically generated select statement

I grant Execute rights on the spGetCars stored procedure.  Runs fine when I execute it from my account.  However, when I use a less privileged account, tells me that select is not granted on Cars table.

I grant execute rights to the spGetCars for a less privilieged windows logon.  As the Cars table has the same owner (dbo) as the stored procedure, shouldn't the permission chain allow selecting from the Cars table without explicitly granting the select rights on the Cars table to the less privilieged windows logon account?

Thank you for any assitance you can provide.

spGetCars
 
set ANSI_NULLS ON
set QUOTED_IDENTIFIER ON
go
 
 
ALTER proc [dbo].[spGetCars]
(
@uid varchar(30)
)
as
 
set nocount on
 
DECLARE @ufilter varchar(200)
DECLARE @uexpdate datetime
DECLARE @cmd varchar(200)
 
 
select @ufilter=ufilter, @uexpdate=uexpdate from UFILTERS where uid=@uid
 
 
IF ISNULL(@ufilter, 'ZZTOP') = 'ZZTOP'
	BEGIN
		select * from Cars where 1 = 2
	END
 
IF @ufilter = 'NONE'
	BEGIN
		select * from Cars order by Make, Model
	END
ELSE
	BEGIN
		set @cmd = 'select * from Cars where ' + @ufilter
		exec (@cmd)
	END

Open in new window

0
Comment
Question by:JEClark
  • 2
  • 2
5 Comments
 
LVL 2

Accepted Solution

by:
dzex13 earned 1000 total points
ID: 24366638

You need explicitly grant select permissions to the table Cars for the "less privileged"account and this should solve the problem.
0
 

Author Comment

by:JEClark
ID: 24367297
Thank you for the input.  I agree that solves the problem but is it necessary to explicitly grant the less privileged account select permission on the table Cars?  My understanding is that the execute permissions the less privlieged account on the stored procedure has should mean that it can select from the Cars table as the sp is using the table.  Thanks again.
0
 
LVL 75

Assisted Solution

by:Anthony Perkins
Anthony Perkins earned 1000 total points
ID: 24371282
>> My understanding is that the execute permissions the less privlieged account on the stored procedure has should mean that it can select from the Cars table as the sp is using the table.<<
Nope.  That is the biggest drawback to using Dynamic SQL:  You need to give prmissions to any action in the Dynamic SQL.

Most people focus on the bad performance when using Dynamic SQL and overlook the fact that by its very nature and the permissions you have to grant it is a major security flaw.  To the point that in many shops it is not even allowed.
0
 

Author Closing Comment

by:JEClark
ID: 31580572
Thank you for clearing this up.  This certainly is a drawback in using dynamic SQL
0
 
LVL 75

Expert Comment

by:Anthony Perkins
ID: 24377491
For such a simple Stored Procedure there is probably no need to use Dynamic SQL.  Feel free to ask a new question as to how you can convert that to get away from using Dynamic SQL.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Instead of error trapping or hard-coding for non-updateable fields when using QODBC, let VBA automatically disable them when forms open. This way, users can view but not change the data. Part 1 explained how to use schema tables to do this. Part 2 h…
This month, Experts Exchange sat down with resident SQL expert, Jim Horn, for an in-depth look into the makings of a successful career in SQL.
In this video, Percona Solution Engineer Rick Golba discuss how (and why) you implement high availability in a database environment. To discuss how Percona Consulting can help with your design and architecture needs for your database and infrastr…
SQL Database Recovery Software repairs the MDF & NDF Files, corrupted due to hardware related issues or software related errors. Provides preview of recovered database objects and allows saving in either MSSQL, CSV, HTML or XLS format. Ensures recov…
Suggested Courses

621 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question