restrict sql login to execute store procedure in database that uses other databases

Hello ,

We have a view that is stored in a central DB that has tables that looks at a Human Resources db  ( on same server) and 3 different schemas. I want to lock it down so that the sql login i create only has access to run against that view - which i think is not possible so have instead created a store procedure that will do a simple select statement on the View but using a execute as

EG -
   ALTER PROCEDURE PR.[ANSL].[sp_An_Sal_EoY_Excel]

AS
BEGIN

      SET NOCOUNT ON;

   EXECUTE AS LOGIN = 'datareporting';
    SELECT *
    FROM PR.[ANSL].[An_Sal_EoY]

END

I have logged into the sql server as user ANSL and tried to execute the store procedure ( [ANSL].[sp_An_Sal_EoY])  in the PR DataBase but getting error saying
-------------------------------------------
Msg 15406, Level 16, State 1, Procedure sp_Annual_Salary_EoY_Excel, Line 18
Cannot execute as the server principal because the principal "datareporting" does not exist, this type of principal cannot be impersonated, or you do not have permission.
--------------------------------------------
but the sql login datareporting has access as if i log in as that account i can run the store procedure?

any ideas?

thanks
deanmachine333Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Vitor MontalvãoMSSQL Senior EngineerCommented:
Why not giving the SELECT permission on the VIEW for the user?
0
Phillip BurtonDirector, Practice Manager and Computing ConsultantCommented:
`
I want to lock it down so that the sql login i create only has access to run against that view

You are right - it's not possible. You also have to give them access rights to the database as well.

But you can log everything else down. By default, they have no rights to anything. (Test that, and make sure it's correct). Then give them SELECT rights to this VIEW.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
deanmachine333Author Commented:
Hello ,

thanks for reply , the sql login i have created i only want it to run / select from one view but that view consists of tables from another database which i don't really want to give to the sql login i created  as this login will be used in spreadsheet and if somehow the spreadsheet gets compromised i dont want the login to be used to pull data from those tables in the   Human Resources database.

Kind regards
0
The Ultimate Tool Kit for Technolgy Solution Provi

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy for valuable how-to assets including sample agreements, checklists, flowcharts, and more!

Phillip BurtonDirector, Practice Manager and Computing ConsultantCommented:
Then you need to enable TRUSTWORTHY.
0
Vitor MontalvãoMSSQL Senior EngineerCommented:
Then you need to enable TRUSTWORTHY.
I think will be more secure if he gives only the necessary permissions.

@deanmachine
why don't create a view in the another database and also give the SELECT permission for that login? Then in the main view you refer that new view instead of the tables.
0
deanmachine333Author Commented:
Hiya Both the databases are set to TRUSTWORTHY :-)
0
Vitor MontalvãoMSSQL Senior EngineerCommented:
You tried to add a new view in the other database?
0
Anthony PerkinsCommented:
You will also need to set DB_CHAINING ON
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft SQL Server

From novice to tech pro — start learning today.