• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 298
  • Last Modified:

permission to run "execute as"

what permissions are needed to run the above clause?

thanks
0
anushahanna
Asked:
anushahanna
  • 5
  • 4
3 Solutions
 
Guy Hengel [angelIII / a3]Billing EngineerCommented:
see here in the docs:
http://technet.microsoft.com/en-us/library/ms188354.aspx

  Permissions

To execute a module specified with EXECUTE AS, the caller must have EXECUTE permissions on the module.

To execute a CLR module specified with EXECUTE AS that accesses resources in another database or server, the target database or server must trust the authenticator of the database from which the module originates (the source database). For more information about how to establish authenticator trust, see Extending Database Impersonation by Using EXECUTE AS.

To specify the EXECUTE AS clause when you create or modify a module, you must have IMPERSONATE permissions on the specified principal and also permissions to create the module. You can always impersonate yourself. When no execution context is specified or EXECUTE AS CALLER is specified, IMPERSONATE permissions are not required.

To specify a login_name or user_name that has implicit access to the database through a Windows group membership, you must have CONTROL permissions on the database.

Open in new window

0
 
chapmandewCommented:
impersonation permissions are required.
0
 
anushahannaAuthor Commented:
what is a 'module' in this context? what about in a tSQL window in SSMS- what category is that?
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
anushahannaAuthor Commented:
>>impersonation permissions are required.
can you give that in a grant statement?
0
 
chapmandewCommented:
sure:

USE master;
GRANT IMPERSONATE ON LOGIN::WanidaBenshoof to [AdvWorks\YoonM];
GO
0
 
anushahannaAuthor Commented:
OK. Thanks.

In this case, what role/permissions does WanidaBenshoof have he is able to share with YoonM?
0
 
chapmandewCommented:
that account may have admin/special permissions that you want yoonM to be able to execute
0
 
anushahannaAuthor Commented:
OK. What if you do not want yoonM to have sa privileges but just be able to use"execute as" in his query?
0
 
chapmandewCommented:
allow them to impersonate a user w/ the permissions you want to mimic
0
 
anushahannaAuthor Commented:
could you do selective permissions on the impersonate command
what would you change in the following to just give that permissions to YoonM, and not anything else special?

USE master;
GRANT IMPERSONATE ON LOGIN::WanidaBenshoof to [AdvWorks\YoonM];
GO
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 5
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now