Solved

SQL Rights to Separate DBs on Same Server

Posted on 2013-06-06
Last Modified: 2013-06-17
I have a single instance of SQL 2008R2.  I have two separate databases...one ERP, the other a CRM.  I have users who log in to the ERP program and users who log in to the CRM program.  I've created a view in the ERP database that queries a table in the CRM database.  And of course not all users in the ERP database have rights to the CRM database, and when they run a report from the ERP system that uses that query they get the following error:

The server principal "username" is not able to access the database "CRM" under the current security context.

I don't want to have to manage each user of the ERP database and give them rights to the CRM database.  So, I've been searching for a way to be able to run the report/query.  Here's what I have to work with...but it's still not working.
- The ERP database has a database role that every user belongs to.
- The SQL public server role has been granted 'select' rights to all the tables in CRM.

I know I can get it to work if I grant each user of the ERP database rights to the CRM database, but I was hoping I could do it without having to touch each user of the ERP system...as the accounts are being added/removed often.

Any insight would be greatly appreciated!
Question by:ClowWater
6 Comments
Assisted Solution

by:ClowWater
ClowWater earned 0 total points
ID: 39227102
I've found this article that tells me I won't be able to do what I want unless I'm on 2012.  Any other ideas?

http://technet.microsoft.com/en-us/magazine/hh641407.aspx
LVL 20

Expert Comment

by:Marten Rune
ID: 39229222
You ought to be able to use a linked table like this:

USE [db2]
GO
-- Synonym in db2 that points at the table living in db1
CREATE SYNONYM [dbo].[tbl1]
FOR
[db1].[dbo].[tbl1]
GO

Run as a user with rights in both databases.
Now grant view to the user/role in db2, and users belonging to db2 will be able to see data in db1.

Regards Marten
LVL 15

Expert Comment

by:jorge_toriz
ID: 39229307
1. Create a certificate
2. Create a login mapped to that certificate
3. Create a user for that login in each database
4. Give that user the right permissions.
5. Create a stored procedure with elevation (SIGNATURE) to take user out from one database and take data from the other database.
6. Enable database ownership chaining
LVL 15

Accepted Solution

by:
jorge_toriz earned 1500 total points
ID: 39229410
I have done a sample:

USE master
GO
CREATE DATABASE CRM
GO
CREATE DATABASE ERP
GO
-- Certificate that will carry the cross-database permission
CREATE CERTIFICATE CRM_ERP_Certificate
ENCRYPTION BY PASSWORD = 'certificate_password'
WITH SUBJECT = 'Cross DB'
GO
-- Export it so the same certificate can be imported into ERP later
BACKUP CERTIFICATE CRM_ERP_Certificate
TO FILE = 'D:\Proyectos\Experts-Exchange\DB Ownership Chaining\Certificate.cer'
WITH PRIVATE KEY (
	FILE = 'D:\Proyectos\Experts-Exchange\DB Ownership Chaining\Private.key',
	ENCRYPTION BY PASSWORD = 'certificate_backup_password',
	DECRYPTION BY PASSWORD = 'certificate_password'
)
GO
-- Server login mapped to the certificate (no password; nobody logs in with it)
CREATE LOGIN CRM_ERP
FROM CERTIFICATE CRM_ERP_Certificate
GO
sp_configure 'cross db ownership chaining', 1
GO
RECONFIGURE
GO
-- Ordinary application logins for the two systems
CREATE LOGIN CRM WITH PASSWORD = 'password', CHECK_POLICY = OFF
GO
CREATE LOGIN ERP WITH PASSWORD = 'password', CHECK_POLICY = OFF
GO
USE CRM
GO
CREATE USER CRM FOR LOGIN CRM
-- User for the certificate login, so the signed procedure can enter CRM
CREATE USER CRM_ERP FOR LOGIN CRM_ERP
GO
sp_addrolemember 'db_datareader', 'CRM'
GO
CREATE TABLE CRMTable(
	Id SMALLINT
)
GO
INSERT INTO CRMTable (Id)
VALUES (1), (2), (3), (4), (5)
GO
USE ERP
GO
CREATE USER ERP FOR LOGIN ERP
CREATE USER CRM_ERP FOR LOGIN CRM_ERP
GO
-- Master key is needed before a certificate with a private key can be imported
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'ERP_master_key_password'
GO
CREATE CERTIFICATE CRM_ERP_Certificate
FROM FILE = 'D:\Proyectos\Experts-Exchange\DB Ownership Chaining\Certificate.cer'
WITH PRIVATE KEY (
	FILE = 'D:\Proyectos\Experts-Exchange\DB Ownership Chaining\Private.key',
	DECRYPTION BY PASSWORD = 'certificate_backup_password'
)
GO
sp_addrolemember 'db_datareader', 'ERP'
GO
CREATE TABLE ERPTable(
	Id SMALLINT
)
GO
INSERT INTO ERPTable (Id)
VALUES (10), (11), (12), (13), (14), (15)
GO
-- Procedure that reads from both databases
CREATE PROC pGetCRMERP
AS
BEGIN
	SELECT * FROM ERPTable
	UNION ALL
	SELECT * FROM CRM.dbo.CRMTable
END
GO
-- Signing the procedure attaches the certificate login's rights to its execution
ADD SIGNATURE TO pGetCRMERP
BY CERTIFICATE CRM_ERP_Certificate
GO
GRANT EXECUTE
ON pGetCRMERP
TO ERP
GO


If you connect to the ERP database with the ERP user and execute the pGetCRMERP stored procedure before adding the signature you will get a permission error, but if you add the signature, then each user that can execute pGetCRMERP will get the permission needed to read the table in the CRM database.
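The following is an added example, not code from the thread or from jorge_toriz: a least-privilege variant of the sample above that grants SELECT directly to the certificate-mapped user in CRM so the server-wide 'cross db ownership chaining' option can stay off, followed by catalog queries that show exactly what the signature grants. It assumes the CRM and ERP databases, the CRM_ERP certificate login, the CRM_ERP users and the signed procedure pGetCRMERP from the sample already exist.

```sql
-- Added example (not from the thread): a least-privilege variant of the
-- certificate-signing sample above, plus checks. Assumes the CRM and ERP
-- databases, the CRM_ERP certificate login and the signed pGetCRMERP exist.

-- 1. Keep the server-wide chaining option off. The signed procedure
--    carries its own rights through the certificate login instead.
EXEC sp_configure 'cross db ownership chaining', 0;
RECONFIGURE;
GO

-- 2. In CRM, grant the certificate-mapped user only the table it needs.
USE CRM;
GO
GRANT SELECT ON dbo.CRMTable TO CRM_ERP;
GO

-- 3. Check which modules in ERP are signed, and by which certificate.
USE ERP;
GO
SELECT OBJECT_NAME(cp.major_id) AS module_name, c.name AS certificate_name
FROM sys.crypt_properties AS cp
JOIN sys.certificates AS c ON c.thumbprint = cp.thumbprint
WHERE cp.class_desc = 'OBJECT_OR_COLUMN';
GO

-- 4. Check which server login the certificate maps to ('C' = login
--    created from a certificate) and what that login's user may do in CRM.
SELECT sp.name AS login_name, sp.type_desc
FROM sys.server_principals AS sp
JOIN master.sys.certificates AS c ON c.sid = sp.sid
WHERE sp.type = 'C';
GO
SELECT dp.state_desc, dp.permission_name, OBJECT_NAME(dp.major_id, DB_ID('CRM')) AS object_name
FROM CRM.sys.database_permissions AS dp
JOIN CRM.sys.database_principals AS pr ON pr.principal_id = dp.grantee_principal_id
WHERE pr.name = 'CRM_ERP';
GO

-- 5. Test as the ERP login from inside ERP: the signed procedure works,
--    while a direct SELECT from CRM still raises the original error.
EXECUTE AS LOGIN = 'ERP';
EXEC dbo.pGetCRMERP;
-- SELECT * FROM CRM.dbo.CRMTable;   -- fails: ERP has no user in CRM
REVERT;
GO
```

Because the certificate login is added to the security token only while the signed procedure runs, any change to pGetCRMERP (ALTER PROC) drops the signature and the procedure must be re-signed with ADD SIGNATURE.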
Author Comment

by:ClowWater
ID: 39242135
.

Author Closing Comment

by:ClowWater
ID: 39252590
Thanks, jorge.  This is an extensive solution.  Not exactly what I had in mind...which is a good thing...it's a different approach.