tags:

views:

325

answers:

2
+1  Q: 

How do you set permissions on a schema that has objects accessing other schemas?

I have 2 schemas and one of the objects in the first schema needs to access an object in the other schema. For example:

CREATE VIEW I.ITest
AS
    SELECT 1 as TestColumn
GO
CREATE VIEW O.OTest
AS
    SELECT * FROM I.ITest
GO

EXEC ('SELECT * FROM O.OTest') AS USER = 'TestUser'

DROP VIEW O.OTest
DROP VIEW I.ITest

In the above example, TestUser only has access to the 'O' Schema. So the select itself works fine, but because the view is doing a select from another schema 'I' then it fails with the error:

The SELECT permission was denied on the object 'ITest', database 'MyDB', schema 'I'.

To get around this I can give the 'O' schema permission to access the 'I' schema, but this doesn't sound right and looks to be bypassing the schema permissions.

What can be done? Am I doing this all wrong? Whats the best practice in this scenario?

Thanks

UPDATE: My schemas were owned by different db roles so I got around this problem by simply changing the owner of both to dbo and then giving the db role permission to access the schema. This meant that the owner dbo could see everything and I could then give specific permission to the db role only and the rest of the db objects were not available unless via this schema. Thanks for your help

+1  A: 

You should wrap the selection of data from the view on the "other" Schema, within a stored procedure. Then grant execute rights on the stored procedure. Although the user will not have direct access to the view they are permitted access via the stored procedure.

Here is an example walkthrough for you demonstrating the security principles as work:

USE DATABASE SANDBOX;

--Create Logins
CREATE LOGIN UserOne WITH Password='Hello123';
CREATE LOGIN UserTwo WITH Password='Hello123';

--Create Database Users
CREATE USER UserOne;
CREATE USER UserTwo;

--Create the Test Schemas
CREATE SCHEMA SchemaOne AUTHORIZATION UserOne;
CREATE SCHEMA SchemaTwo AUTHORIZATION UserTwo;

--Create a View on SchemaOne
CREATE VIEW SchemaOne.ViewOne
AS SELECT 1 as TestColumn;

--Create a View on SchemaTwo
CREATE VIEW SchemaTwo.ViewTwo
AS SELECT * FROM SchemaOne.ViewOne;

--Test that the SchemaOne
EXEC('select * from SchemaOne.ViewOne') AS USER = 'UserOne'
--1

EXEC('select * from SchemaTwo.ViewTwo') AS USER = 'UserOne'
--The SELECT permission was denied on the object 'ViewTwo', database 'SANDBOX', schema 'SchemaTwo'.

--Create a stored procedure to safely expose the view within SchemaTwo to UserOne who's default Schema is
--SchemaOne.
CREATE PROCEDURE SchemaTwo.proc_SelectViewTwo
AS
    select * from SchemaTwo.ViewTwo;

--Grant execute rights on the procedure
GRANT EXECUTE ON SchemaTwo.proc_SelectViewTwo TO UserOne;

--Test the 
EXECUTE AS LOGIN='UserOne';
    Exec SchemaTwo.proc_SelectViewTwo;
revert;

An alternative approach as suggeted in my comments would be to use a Database Role to control access to multiple schemas. Using the principals as defined in the solution above, you could use Database Roles like so:

EXEC sp_addrole 'CrossSchemaRole';
EXEC sp_addrolemember 'CrossSchemaRole','UserOne';

GRANT SELECT ON SCHEMA::SchemaOne TO CrossSchemaRole;
GRANT SELECT ON SCHEMA::SchemaTwo TO CrossSchemaRole;

EXECUTE AS LOGIN='UserOne';
    select * from SchemaTwo.ViewTwo;
revert;

Some suggested further reading:

John Sansom  2009-11-02 14:40:14
Thanks for the reply, however this is basically bypassing the schema permissioning, but a long winded way of doing it. Plus rather than creating sps as wrappers for views, I could instead give the user direct access to the view in the 'other' schema. All of this though, is still bypassing the use of schemas, which is what I don't want to do. Maybe the answer is that "YOU SHOULDN'T BE ACCESSING ONE SCHEMA FROM ANOTHER", but I'm not sure this is correct.
HAdes  2009-11-02 15:23:25
If you wish to grant a specific Database User access to multiple schemas and or schema objects then you should use Database Roles to manage this.
John Sansom  2009-11-02 15:37:31
Yes this is what I have done now, however it is still bypassing the schema permissions. i.e. I now have a user in a db role that now accesses 3 schemas, just because of this scenario. This sounds dangerous to me, because now either they have access to everything in the other schemas or I need to manually set object by object permissions on the 'other' schema. What i really want is, if I give user A access to an Object B, that should be it, regardless of what Object B does (i.e. inserts to another schemas object).
HAdes  2009-11-02 15:47:11
Good stuff, Database Roles are indeed the way to go, although considering the original question posted it sounds as though you may be confusing the use of Schemas for logical seperation of objects, with using Schemas as a securable
John Sansom  2009-11-02 16:28:22
Yeah I was trying to keep the question simple and to the point, but you're right I am confused!! Even though i'm using db roles, I still can't understand why I have to then give the db role access to the other schemas, cos this gives them access to everything and then I may aswell just have given them access directly to that other schema. Man I'm screwed.
HAdes  2009-11-02 16:41:21
To clarify, use Database Roles to manage permissions on seucruables such as tables/views and NOT Schemas. Take the time to read through the suggested reading in my post, certainly the first two references and it will become clearer to you!
John Sansom  2009-11-02 17:10:56
+1  A: 

Hey my first post! Surely you give permissions to users not objects and that's it. If you or the owner of the other schema wants to allow other users to access objects (whether they are tables, views or whatever) within it then it is up to the owner of the other schema. Just because you as the developer can write a procedure that accesses objects in other schemas it does not follow that anyone running your procedure should be allowed to do so too. Roles are the way to go.

Mike H  2009-11-02 16:04:40
Good point regarding my developer ignorance. Just so happens I have access to all schemas so lucky me. So I guess you're basically saying either to give them object by object access to the 'other' schema, or complete access via the db role. I just can't understnad why access isn't implicitly resolved within the object, considering I've given them access to that object.
HAdes  2009-11-02 16:12:51

related questions

Sql to query a dbs scheme
Transform Columns into Rows
SQL Client for Mac OS X that works with MS SQL Server
How do you get leading wildcard full-text searches to work in SQL Server?
SQL Server 2000: Is there a way to tell when a record was last modified?
What's the BEST way to remove the time portion of a datetime value (SQL Server)
I need to know how much disk space a table is using in SQL Server
What's the best way to determine if a temporary table exists in SQL Server?
Appropriate pagefile size for SQL Server
Have you ever encountered a query that SQL Server could not execute because it referenced too many tables?
ASP.NET MVC "CRUD" Database Sample
How do I unit test persistence?
Best Book for a new Database Developer
Can I logically reorder columns in a table?
Best way to copy a database in SQL Server 2005/8?
Is Windows Server 2008 "Server Core" appropriate for a SQL Server instance?
Why doesn't SQL Full Text Indexing return results for words containing #?
Client collation and SQL Server 2005
Editing database records by multiple users
Deploying SQL Server Databases from Test to Live
SQL Server 2005 implementation of MySQL REPLACE INTO?
Upgrading SQL Server 6.5
How do I version my MS SQL database in SVN?
How to export data from SQL Server 2005 to MySQL
Check for changes to a SQL table?