Dear Group
I have found that table A had SELECT permissions for 'Public' but not table
B.
Giving 'Public' SELECT permissions on table B did the trick.
HOWEVER, I don't want anyone to be able to do a direct SELECT on table A or
B but only give them access to the data by using the stored procedures. Is
there any way this can be set up?
Thanks for your efforts!
Have a nice day!
Martin
"Martin Feuersteiner" <th************@hotmail.com> wrote in message news:...
> Dear Group
> I'm having two stored procedures, sp_a and sp_b
> Content of stored procedure A:
> CREATE PROCEDURE dbo.sp_a AS
> SELECT * FROM a
> GO
> Content of stored procedure B:
> CREATE PROCEDURE dbo.sp_b AS
> SELECT * FROM b
> GO
> I have created a user that has execute permissions for both procedures. When I run procedure A, all works fine but when running procedure B I'm getting an error saying that the user must have SELECT permissions on table B.
> Both tables are owned by dbo, and the security role for the user doesn't have any SELECT permission on table a and b. I'd be grateful if anyone could point me in a direction why this error might come up for procedure B but not for A, with a possible solution without giving the user SELECT permissions.
> Thanks very much for your help!
> Martin
Martin Feuersteiner (th************@hotmail.com) writes:
> "Martin Feuersteiner" <th************@hotmail.com> wrote in message
>> Content of stored procedure A:
>> CREATE PROCEDURE dbo.sp_a AS
>> SELECT * FROM a
>> GO
>> Content of stored procedure B:
>> CREATE PROCEDURE dbo.sp_b AS
>> SELECT * FROM b
>> GO
> I have found that table A had SELECT permissions for 'Public' but not table B. Giving 'Public' SELECT permissions on table B did the trick.
> HOWEVER, I don't want anyone to be able to do a direct SELECT on table A or B but only give them access to the data by using the stored procedures. Is there any way this can be set up?
I have a strong feeling that you are not telling us the full story,
because what you have described is the typical usage of ownership
chaining, and users should indeed be able to access the data in the
tables through the stored procedures.
Is there by chance some dynamic SQL involved?
--
Erland Sommarskog, SQL Server MVP, es****@sommarskog.se
Books Online for SQL Server SP3 at http://www.microsoft.com/sql/techinf...2000/books.asp
I also responded to your previous thread. As Erland said, this should work
as long as the objects are in the same database. If in different databases,
you'll need to enable cross-database chaining and the databases need to have
the same owner in order to maintain an unbroken ownership chain for
dbo-owned objects.
--
Hope this helps.
Dan Guzman
SQL Server MVP
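The cross-database case Dan describes can be checked from the catalog. This is an added example, not part of the original posts; it assumes SQL Server 2005 or later, and the database names AppDb and RefDb and the login app_owner_login are hypothetical.

```sql
-- Added example: audit cross-database ownership chaining.
-- AppDb, RefDb and app_owner_login are hypothetical names.

-- Per-database chaining flag and owner. dbo-owned objects in two databases
-- only form an unbroken chain when both databases have the same owner.
SELECT d.name,
       SUSER_SNAME(d.owner_sid) AS owner_login,
       d.is_db_chaining_on
FROM sys.databases AS d
ORDER BY owner_login, d.name;

-- Server-wide setting. Leaving it off and enabling chaining per database
-- keeps the trust limited to the databases that actually need it.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'cross db ownership chaining';

-- Enable chaining only on the two databases involved.
ALTER DATABASE AppDb SET DB_CHAINING ON;
ALTER DATABASE RefDb SET DB_CHAINING ON;

-- Give both databases the same owner so dbo maps to the same login.
ALTER AUTHORIZATION ON DATABASE::RefDb TO [app_owner_login];
```

Anyone who can create dbo-owned objects in one of the chained databases can then reach dbo-owned objects in the other, so review who holds db_owner and db_ddladmin in both before enabling it.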
Thanks for your help guys!
Well, as Erland suspected, I haven't given you the full story as I
thought it doesn't matter but as I found out the hard way, it was
indeed dynamic SQL that caused the problem.
Erland, please don't tell me off for using dynamic SQL! LOL
I've read your wonderful fantastic guides and obey all rules on
dynamic SQL but although I'm not happy myself, I think I really can't
avoid it this time.
However, if you'd offer to have a look at my script and just tell me
whether it can be done without dynamic SQL then this would make me
very happy!
Anyway, I solved the permission problem by basing the stored
procedures that contain the dynamic SQL on Views and implementing row
level security in those.
Thanks again for your efforts!
Have a nice day!
Martin
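The behaviour diagnosed in this thread, and the view-based fix Martin describes, can be reproduced as follows. This is an added example, not code from the original posts; it assumes SQL Server 2005 or later and a scratch database, and apart from table dbo.b every column, procedure, view and user name is hypothetical.

```sql
-- Added example (not from the thread). Assumes SQL Server 2005+ and a scratch database.
-- Table dbo.b matches the thread; columns and all other names are hypothetical.
CREATE TABLE dbo.b (id int PRIMARY KEY, row_owner sysname, note varchar(50));
INSERT INTO dbo.b VALUES (1, 'app_user', 'row for app_user');
INSERT INTO dbo.b VALUES (2, 'other_user', 'row for someone else');
CREATE USER app_user WITHOUT LOGIN;        -- gets no permission on dbo.b
GO
-- Static SQL: procedure and table have the same owner, so the ownership
-- chain is unbroken and no permission check is made on dbo.b.
CREATE PROCEDURE dbo.b_static AS
    SELECT id, note FROM dbo.b;
GO
-- Dynamic SQL: the string runs as its own batch outside the procedure,
-- so permissions on dbo.b are checked against the caller.
CREATE PROCEDURE dbo.b_dynamic @id int AS
    EXEC sp_executesql N'SELECT id, note FROM dbo.b WHERE id = @id',
                       N'@id int', @id = @id;
GO
-- Row filter in a dbo-owned view; the view -> table step is chained.
CREATE VIEW dbo.b_mine AS
    SELECT id, note FROM dbo.b WHERE row_owner = USER_NAME();
GO
-- Same dynamic SQL, but against the view instead of the table.
CREATE PROCEDURE dbo.b_dynamic_view @id int AS
    EXEC sp_executesql N'SELECT id, note FROM dbo.b_mine WHERE id = @id',
                       N'@id int', @id = @id;
GO
GRANT EXECUTE ON dbo.b_static TO app_user;
GRANT EXECUTE ON dbo.b_dynamic TO app_user;
GRANT EXECUTE ON dbo.b_dynamic_view TO app_user;
GRANT SELECT ON dbo.b_mine TO app_user;    -- the view only, never dbo.b
GO
EXECUTE AS USER = 'app_user';
EXEC dbo.b_static;                 -- allowed through the ownership chain
EXEC dbo.b_dynamic_view @id = 1;   -- allowed: caller holds SELECT on the view
EXEC dbo.b_dynamic_view @id = 2;   -- the view's WHERE clause filters this row out
BEGIN TRY
    EXEC dbo.b_dynamic @id = 1;    -- permission check on dbo.b fails for app_user
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS error_number, ERROR_MESSAGE() AS error_message;
END CATCH;
REVERT;
```

Passing the value through the sp_executesql parameter list rather than concatenating it into the string keeps the dynamic statement free of injected text.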
Martin (th************@hotmail.com) writes:
> Erland, please don't tell me off for using dynamic SQL! LOL
> I've read your wonderful fantastic guides and obey all rules on dynamic SQL but although I'm not happy myself, I think I really can't avoid it this time.
> However, if you'd offer to have a look at my script and just tell me whether it can be done without dynamic SQL then this would make me very happy!
Well, there are cases where dynamic SQL is the best solution and there
are cases where dynamic SQL is a really poor choice.
The whole message of http://www.sommarskog.se/dyn-search.html for
dynamic search conditions is "use dynamic SQL, if you can handle
the security issues". If you can make it with views, then you should
be fine.
Beware though, that a very skilled person may be able to cram out
information from a view for row-based security that he is not supposed
to have access to. It is not that he can actually get to see the rows,
but he can make conclusions from query plans, statistical IO and such.
--
Erland Sommarskog, SQL Server MVP, es****@sommarskog.se
Books Online for SQL Server SP3 at http://www.microsoft.com/sql/techinf...2000/books.asp
Thanks very much Erland!
> It is not that he can actually get to see the rows, but he can make conclusions from query plans, statistical IO and such.
Do you know any source with more information on this view security issue?
What harm can it do? It's a CRM app, not a top secret military app.
Thanks for your efforts!
M
Martin (th************@hotmail.com) writes:
> Do you know any source with more information on this view security issue?
> What harm can it do? It's a CRM app, not a top secret military app.
As long as you don't let SQL Server MVP Steve Kass anywhere near the
database, I think your data is fairly safe. :-) That is, Steve Kass was
the one who discovered this issue, and to exploit it you would need
a query tool like Query Analyzer, and you would probably have to have
some knowledge about the schema. And you need a very good understanding
of SQL Server. Finally a good dose of patience is good for the task.
--
Erland Sommarskog, SQL Server MVP, es****@sommarskog.se
Books Online for SQL Server SP3 at http://www.microsoft.com/sql/techinf...2000/books.asp