Steve Wales
asked on
Ownership Chaining from Views to Tables
I have a SQL Server 2005 database where there was a setup like this:
dbo.table1 - this is the base table.
schema1.view1 - created as select * from dbo.table1
Owner of schema1 is user1
A user is created (user2) and granted select on schema1.view1
An error is generated about lacking permissions on demo.dbo.table1
As I understand it the only way to make this work would be to also grant select on table1 to user2 (which bypasses the whole need for the view).
I've over simplified the example but let's say for the sake of argument that table1 is a table that contains all sorts of personally identifiable information for an employee. Things like Social Security Number, home address, date of birth maybe even how much they get paid.
I want to set up a view so that someone else can read their employee id, name and maybe their address. I don't want them to be able to see SSN, DOB etc.
Is there a way around it in the example above or should the views just be created in dbo.
Example code below to show how to set up the example.
Thanks
dbo.table1 - this is the base table.
schema1.view1 - created as select * from dbo.table1
Owner of schema1 is user1
A user is created (user2) and granted select on schema1.view1
An error is generated about lacking permissions on demo.dbo.table1
As I understand it the only way to make this work would be to also grant select on table1 to user2 (which bypasses the whole need for the view).
I've over simplified the example but let's say for the sake of argument that table1 is a table that contains all sorts of personally identifiable information for an employee. Things like Social Security Number, home address, date of birth maybe even how much they get paid.
I want to set up a view so that someone else can read their employee id, name and maybe their address. I don't want them to be able to see SSN, DOB etc.
Is there a way around it in the example above or should the views just be created in dbo.
Example code below to show how to set up the example.
Thanks
USE [master]
GO
CREATE LOGIN [user1] WITH PASSWORD=N'user1', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF
GO
CREATE LOGIN [user2] WITH PASSWORD=N'user2', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF
GO
use demo
go
create user user1 for login user1;
go
create user user2 for login user2;
go
create schema schema1 authorization user1;
go
create table dbo.table1 (col1 int)
go
create view schema1.view1 as select * from dbo.table1
go
insert into dbo.table1 values (1);
go
grant select on schema1.view1 to user2;
go
Connect as User2
select * from schema1.view1
Msg 229, Level 14, State 5, Line 1
The SELECT permission was denied on the object 'table1', database 'demo', schema 'dbo'.
ASKER
Well, the name of the schema is the same as the name of the owner user. I was just trying to be generic in my question since I try to hide my real database and object names.
I can't change the owner of the tables, I'm afraid.
Unfortunately this database was setup years ago and was one of our first forays into SQL Server after years in Oracle so I think some things were not done as well as they could have been.
I have a question out to the user reporting the access issue.
I'm beginning to think that there's no real way around this. There's a reporting tool that logs in as the use that owns the schema, so we can't change any of those settings.
Looking at the views in the database, there's a second set of views that seem to be the same, owned by dbo - I guess I should just have him use those instead.
The main goal of the question was to make sure that there wasn't an easy way around it, and that seems to be the state of things, right ?
I can't change the owner of the tables, I'm afraid.
Unfortunately this database was setup years ago and was one of our first forays into SQL Server after years in Oracle so I think some things were not done as well as they could have been.
I have a question out to the user reporting the access issue.
I'm beginning to think that there's no real way around this. There's a reporting tool that logs in as the use that owns the schema, so we can't change any of those settings.
Looking at the views in the database, there's a second set of views that seem to be the same, owned by dbo - I guess I should just have him use those instead.
The main goal of the question was to make sure that there wasn't an easy way around it, and that seems to be the state of things, right ?
ASKER CERTIFIED SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
ASKER
Thanks for confirming my suspicions
ALTER AUTHORIZATION ON dbo.table1 TO user2;
[This won't work/isn't allowed if there are indexed views on the table.]
You have to decide if you want to go that route, given the unusualness of making the owner different from the schema. And obviously this can only work for one user (unless you want to change the owner back and forth :-)).