troubleshooting Question
Ownership Chaining from Views to Tables
asked on
I have a SQL Server 2005 database where there was a setup like this:
dbo.table1 - this is the base table.
schema1.view1 - created as select * from dbo.table1
Owner of schema1 is user1
A user is created (user2) and granted select on schema1.view1
An error is generated about lacking permissions on demo.dbo.table1
As I understand it the only way to make this work would be to also grant select on table1 to user2 (which bypasses the whole need for the view).
I've over simplified the example but let's say for the sake of argument that table1 is a table that contains all sorts of personally identifiable information for an employee. Things like Social Security Number, home address, date of birth maybe even how much they get paid.
I want to set up a view so that someone else can read their employee id, name and maybe their address. I don't want them to be able to see SSN, DOB etc.
Is there a way around it in the example above or should the views just be created in dbo.
Example code below to show how to set up the example.
Thanks
dbo.table1 - this is the base table.
schema1.view1 - created as select * from dbo.table1
Owner of schema1 is user1
A user is created (user2) and granted select on schema1.view1
An error is generated about lacking permissions on demo.dbo.table1
As I understand it the only way to make this work would be to also grant select on table1 to user2 (which bypasses the whole need for the view).
I've over simplified the example but let's say for the sake of argument that table1 is a table that contains all sorts of personally identifiable information for an employee. Things like Social Security Number, home address, date of birth maybe even how much they get paid.
I want to set up a view so that someone else can read their employee id, name and maybe their address. I don't want them to be able to see SSN, DOB etc.
Is there a way around it in the example above or should the views just be created in dbo.
Example code below to show how to set up the example.
Thanks
USE [master]
GO
CREATE LOGIN [user1] WITH PASSWORD=N'user1', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF
GO
CREATE LOGIN [user2] WITH PASSWORD=N'user2', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF
GO
use demo
go
create user user1 for login user1;
go
create user user2 for login user2;
go
create schema schema1 authorization user1;
go
create table dbo.table1 (col1 int)
go
create view schema1.view1 as select * from dbo.table1
go
insert into dbo.table1 values (1);
go
grant select on schema1.view1 to user2;
go
Connect as User2
select * from schema1.view1
Msg 229, Level 14, State 5, Line 1
The SELECT permission was denied on the object 'table1', database 'demo', schema 'dbo'.
Learn from the best
Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.
Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 4 Comments.
Try for 7 days”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.
Our community of experts have been thoroughly vetted for their expertise and industry experience.
The Most Valuable Expert award recognizes technology experts who passionately share their knowledge with the community, demonstrate the core values of this platform, and go the extra mile in all aspects of their contributions. This award is based off of nominations by EE users and experts. Multiple MVEs may be awarded each year.
The Distinguished Expert awards are presented to the top veteran and rookie experts to earn the most points in the top 50 topics.