SQL Server 2008 Impersonation
Posted on 2011-02-21
I am using impersonation to give my web server user limited rights to my database.
I am granting execute on a stored procedure for the web server to use.
I then created a login name limited with datareader and datawriter roles to access the data within my stored procedure.
I am using Execute as user = 'limited' in my T-SQL to perform the actions that I need.
My question is, since no password is required when using the "Execute as user" statement, what is to stop an unauthorized user from including this and executing SQL with the rights of the "limited" user?
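
The setup described in the question, as an added example that is not part of the original post: SQL Server gates `EXECUTE AS USER` on the IMPERSONATE permission for the target user rather than on a password, so this script shows the ad hoc statement being refused for a caller without that permission and then lists who holds it. The names `web_user`, `dbo.Orders` and `dbo.GetOrders` are constructed, both users are created `WITHOUT LOGIN` to keep the demo self-contained, and the procedure uses the module-level `WITH EXECUTE AS` clause instead of the statement form in the post; run it as `dbo` in a scratch database.

```sql
-- Added example. 'limited' is the user from the post; all other names are constructed.
CREATE USER limited  WITHOUT LOGIN;   -- assumption: login-less users for a self-contained demo
CREATE USER web_user WITHOUT LOGIN;
EXEC sp_addrolemember 'db_datareader', 'limited';   -- SQL Server 2008 syntax
EXEC sp_addrolemember 'db_datawriter', 'limited';
GO
CREATE TABLE dbo.Orders (id int PRIMARY KEY, item nvarchar(50));
INSERT INTO dbo.Orders VALUES (1, N'sample');
GO
-- The context switch is declared on the module, so the caller needs only
-- EXECUTE on the procedure and never IMPERSONATE on 'limited'.
CREATE PROCEDURE dbo.GetOrders
WITH EXECUTE AS 'limited'
AS
    SELECT id, item, USER_NAME() AS running_as FROM dbo.Orders;
GO
GRANT EXECUTE ON dbo.GetOrders TO web_user;
GO
-- 1. Act as the web user and try the ad hoc statement from the question.
EXECUTE AS USER = 'web_user';
BEGIN TRY
    EXECUTE AS USER = 'limited';      -- requires IMPERSONATE ON USER::limited
    PRINT 'impersonation succeeded: web_user holds IMPERSONATE on limited';
    REVERT;                           -- undo the inner switch only
END TRY
BEGIN CATCH
    PRINT 'blocked: ' + ERROR_MESSAGE();
END CATCH;
-- 2. The granted procedure still works and reports running_as = limited.
EXEC dbo.GetOrders;
REVERT;                               -- back to the original (dbo) context
GO
-- 3. Audit: every principal that has been granted or denied IMPERSONATE on a user.
SELECT grantee.name AS grantee, target.name AS can_impersonate, p.state_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals AS grantee ON grantee.principal_id = p.grantee_principal_id
JOIN sys.database_principals AS target  ON target.principal_id  = p.major_id
WHERE p.class_desc = 'DATABASE_PRINCIPAL'
  AND p.permission_name = 'IMPERSONATE';
```

Members of `sysadmin` and `db_owner` can impersonate any database user without an explicit grant, so they will not appear in the audit query and the web server's login should belong to neither.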