Restrict SQL login to execute stored procedure in database that uses other databases

Posted on 2014-09-25
Last Modified: 2015-06-16
Hello,

We have a view that is stored in a central DB that has tables that look at a Human Resources DB (on the same server) and 3 different schemas. I want to lock it down so that the SQL login I create only has access to run against that view, which I think is not possible, so I have instead created a stored procedure that will do a simple SELECT statement on the view but using EXECUTE AS.

E.g.:
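   USE PR;   -- ALTER PROCEDURE does not accept a database-name prefix
   GO
   ALTER PROCEDURE [ANSL].[sp_An_Sal_EoY_Excel]
   AS
       -- Switch to the reporting login, then read the view
       EXECUTE AS LOGIN = 'datareporting';
       SELECT *
       FROM PR.[ANSL].[An_Sal_EoY];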


I have logged into the SQL Server as user ANSL and tried to execute the stored procedure ([ANSL].[sp_An_Sal_EoY]) in the PR database, but I am getting an error saying:
Msg 15406, Level 16, State 1, Procedure sp_Annual_Salary_EoY_Excel, Line 18
Cannot execute as the server principal because the principal "datareporting" does not exist, this type of principal cannot be impersonated, or you do not have permission.
But the SQL login datareporting has access, as if I log in as that account I can run the stored procedure?

Any ideas?

Question by:deanmachine333
LVL 51

Expert Comment

by:Vitor Montalvão
ID: 40343918
Why not give the SELECT permission on the VIEW to the user?
LVL 24

Accepted Solution

Phillip Burton earned 500 total points
ID: 40343933
"I want to lock it down so that the SQL login I create only has access to run against that view"

You are right - it's not possible. You also have to give them access rights to the database as well.

But you can lock everything else down. By default, they have no rights to anything. (Test that, and make sure it's correct.) Then give them SELECT rights to this VIEW.

Author Comment

ID: 40344175
Hello,

Thanks for the reply. The SQL login I have created I only want to run / select from one view, but that view consists of tables from another database which I don't really want to give to the SQL login I created, as this login will be used in a spreadsheet and if somehow the spreadsheet gets compromised I don't want the login to be used to pull data from those tables in the Human Resources database.

Kind regards
LVL 24

Expert Comment

by:Phillip Burton
ID: 40344184
Then you need to enable TRUSTWORTHY.
LVL 51

Expert Comment

by:Vitor Montalvão
ID: 40344255
"Then you need to enable TRUSTWORTHY."
I think it will be more secure if he gives only the necessary permissions.

Why not create a view in the other database and also give the SELECT permission to that login? Then in the main view you refer to that new view instead of the tables.

Author Comment

ID: 40344285
Hiya, both the databases are set to TRUSTWORTHY :-)
LVL 51

Expert Comment

by:Vitor Montalvão
ID: 40345477
Did you try to add a new view in the other database?
LVL 75

Expert Comment

by:Anthony Perkins
ID: 40348126
You will also need to set DB_CHAINING ON
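
An added example, not part of the original thread: one way to set up what the thread discusses using cross-database ownership chaining (the DB_CHAINING option from the last comment) rather than EXECUTE AS, followed by a check run as the login. The database name HR and the table dbo.Employees are placeholders for the Human Resources database, and the script assumes the view and the HR tables it reads have owners that map to the same login.

```sql
-- Added example. HR and dbo.Employees are placeholder names (assumptions).
-- Assumes the owner of PR.ANSL.An_Sal_EoY and the owner of the HR tables
-- map to the same login, otherwise the ownership chain breaks.

-- 1. Record the current state before changing anything.
SELECT name, is_db_chaining_on, is_trustworthy_on,
       SUSER_SNAME(owner_sid) AS owner_login
FROM sys.databases
WHERE name IN (N'PR', N'HR');
GO

-- 2. Enable chaining on these two databases only, not server-wide.
ALTER DATABASE PR SET DB_CHAINING ON;
ALTER DATABASE HR SET DB_CHAINING ON;
GO

-- 3. In PR the login gets SELECT on the one view and nothing else.
USE PR;
GO
CREATE USER datareporting FOR LOGIN datareporting;  -- skip if the user exists
GRANT SELECT ON OBJECT::ANSL.An_Sal_EoY TO datareporting;
GO

-- 4. The login must be a user in HR for the chain to be followed,
--    but it is granted no permissions there.
USE HR;
GO
CREATE USER datareporting FOR LOGIN datareporting;
GO

-- 5. Verify as the login. Run this as a sysadmin or as a principal that
--    holds IMPERSONATE on the login.
USE PR;
GO
EXECUTE AS LOGIN = 'datareporting';
SELECT TOP (1) * FROM ANSL.An_Sal_EoY;     -- should succeed via the chain
SELECT TOP (1) * FROM HR.dbo.Employees;    -- should fail with Msg 229
REVERT;
GO

-- 6. List what the user holds in PR; only the view should appear.
SELECT pr.name AS grantee, pe.permission_name, pe.state_desc,
       OBJECT_SCHEMA_NAME(pe.major_id) AS schema_name,
       OBJECT_NAME(pe.major_id) AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'datareporting' AND pe.class = 1;  -- object-level grants
GO
```

With DB_CHAINING ON, anyone who can create objects in PR under the chained owner can also reach the HR tables through them, so review db_owner and db_ddladmin membership in PR before enabling it.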

Question has a verified solution.