Solved

restrict sql login to execute store procedure in database that uses other databases

Posted on 2014-09-25
Last Modified: 2015-06-16
Hello,

We have a view that is stored in a central DB that has tables that look at a Human Resources DB (on the same server) and 3 different schemas. I want to lock it down so that the SQL login I create only has access to run against that view, which I think is not possible, so I have instead created a stored procedure that will do a simple SELECT statement on the view but using an EXECUTE AS.

E.g.:

    ALTER PROCEDURE PR.[ANSL].[sp_An_Sal_EoY_Excel]
    AS
    BEGIN

        SET NOCOUNT ON;

        EXECUTE AS LOGIN = 'datareporting';
        SELECT *
        FROM PR.[ANSL].[An_Sal_EoY]

    END

I have logged into the SQL Server as user ANSL and tried to execute the stored procedure ([ANSL].[sp_An_Sal_EoY]) in the PR database, but I am getting an error saying:
-------------------------------------------
Msg 15406, Level 16, State 1, Procedure sp_Annual_Salary_EoY_Excel, Line 18
Cannot execute as the server principal because the principal "datareporting" does not exist, this type of principal cannot be impersonated, or you do not have permission.
--------------------------------------------
But the SQL login datareporting has access, as if I log in as that account I can run the stored procedure?

Any ideas?

Thanks
Question by:deanmachine333

Expert Comment

by:Vitor Montalvão
Why not give the SELECT permission on the VIEW to the user?

Accepted Solution

by: Phillip Burton earned 500 total points
"I want to lock it down so that the SQL login I create only has access to run against that view"

You are right - it's not possible. You also have to give them access rights to the database as well.

But you can lock everything else down. By default, they have no rights to anything. (Test that, and make sure it's correct). Then give them SELECT rights to this VIEW.

Author Comment

by:deanmachine333
Hello,

Thanks for the reply. The SQL login I have created I only want to run / select from one view, but that view consists of tables from another database, which I don't really want to give to the SQL login I created, as this login will be used in a spreadsheet, and if somehow the spreadsheet gets compromised I don't want the login to be used to pull data from those tables in the Human Resources database.

Kind regards

Expert Comment

by:Phillip Burton
Then you need to enable TRUSTWORTHY.

Expert Comment

by:Vitor Montalvão
"Then you need to enable TRUSTWORTHY."
I think it will be more secure if he gives only the necessary permissions.

@deanmachine
Why not create a view in the other database and also give the SELECT permission to that login? Then in the main view you refer to that new view instead of the tables.

Author Comment

by:deanmachine333
Hiya, both the databases are set to TRUSTWORTHY :-)

Expert Comment

by:Vitor Montalvão
You tried to add a new view in the other database?

Expert Comment

by:Anthony Perkins
You will also need to set DB_CHAINING ON
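
The setup the replies point towards (SELECT on the view only, with cross-database ownership chaining carrying the access to the HR tables), written out as an added example that is not part of the thread. The database name HumanResources is an assumption; PR, ANSL.An_Sal_EoY and the login datareporting come from the question.

```sql
-- Added example. Assumed name: HumanResources (the thread does not name the HR database).

-- 1. Chaining must be ON in both the source and the target database.
ALTER DATABASE PR             SET DB_CHAINING ON;
ALTER DATABASE HumanResources SET DB_CHAINING ON;
GO

-- 2. The chain only holds when the view and the base tables resolve to the
--    same owner (same login SID). Check database owners and flags; ownership
--    chaining itself does not depend on TRUSTWORTHY.
SELECT name, SUSER_SNAME(owner_sid) AS owner_login,
       is_db_chaining_on, is_trustworthy_on
FROM sys.databases
WHERE name IN (N'PR', N'HumanResources');
GO

-- 3. In the HR database: list which login owns each schema (run the same
--    query in PR and compare), then map the login to a user with NO grants.
USE HumanResources;
GO
SELECT s.name AS schema_name, dp.name AS owner_user,
       SUSER_SNAME(dp.sid) AS owner_login
FROM sys.schemas AS s
JOIN sys.database_principals AS dp ON dp.principal_id = s.principal_id;

CREATE USER datareporting FOR LOGIN datareporting;  -- no GRANT follows on purpose
GO

-- 4. In PR: the only permission granted is SELECT on the view.
USE PR;
GO
CREATE USER datareporting FOR LOGIN datareporting;
GRANT SELECT ON OBJECT::ANSL.An_Sal_EoY TO datareporting;
GO

-- 5. Verify as the login (needs sysadmin or IMPERSONATE on the login).
EXECUTE AS LOGIN = 'datareporting';
SELECT TOP (1) * FROM ANSL.An_Sal_EoY;   -- should succeed through the chain
USE HumanResources;
SELECT permission_name
FROM sys.fn_my_permissions(NULL, 'DATABASE');  -- expect CONNECT only
USE PR;                                   -- REVERT must run where EXECUTE AS was issued
REVERT;
GO
```

With DB_CHAINING ON, anyone who can create objects under the shared owner in one of the two databases can reach same-owner objects in the other, so DDL rights in both databases need to stay tightly held.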