Stored Procedure permissions--does Execute give proxy to all tables?
Posted on 2011-09-28
I have a general question about permissions within sql server, version 2008 or 2005.
I have a server login called kang who only has server role public and nothing else.
In one of the databases on this server I have a user kang mapped to this login kang.
The kang user in the database has Execute permission on a stored procedure, but kang has no explicit permissions on any tables in the database and is not db_datareader or any other role. Now, in this procedure, I have a simple select statement on a table.
When I use ADO using this user in the connection string to open a recordset based on this procedure I get data.
So my question is, as long as a user has Execute on the sp then by proxy he can access any object referenced in that procedure?
I'm not complaining, this works out because I don't want to have to give explicit pemrissions to this user for the tables in question, but I do want him to see them when he goes through the stored procedure.
The reason I ask is because I've read about the "With Execute As" clause and it would appear that any procedure alrady has "With Execute as Owner" by default. Is this true? And is is normal that the aforementioned user kang should access any object that I put in the procedure as long as he has permissions on that procedure?