tags:

views:

115

answers:

3
Q: 

How to control access to a Stored Procedure in SQL Server?

I want to be able to have a Stored Procedure that can only be used from a particular page, without having to create a permissions / role for a user, when it is just a single stored procedure I want accessed in this way.

For example I want to have a proc_GetCustomerItems stored procedure which takes the Parameter of CustomerID and then returns a list of Items a Customer has purchased, however I want this to only work for the place which lists the Customer Items eg. the ASP Page which shows this list, but not work from anywhere else, such as Query Analyser etc.
Would this be done with another parameter to provide additional security information, the basic issue is how to allow only certain Methods and Pages access to a Stored Procedure, could this be done with a Role or Permissions?

The main issue is how to set the access rights to a Stored Procedure correctly to a particular method in code, which will help enforce the use of said Stored Procedure, so one has to explicitly allow a GetCustomerItems method (in ASP for example) access to use this Stored Procedure.

I'm guessing Roles and User Access will be the suggested alternative, but I would be interested if it is possible to restrict access to a Stored Procedure by where it is called from.

+2  A: 

No, this is not possible. The nearest I can imagine you getting to this is the page that only has access to the certain stored proc uses different credentials from the rest of the pages. If you want people to not access the proc using Query Analyser you can use the standard SQL Server security features.

RichardOD  2009-11-06 14:58:53
I had a feeling this was the case, but thought I'd ask anyway, as it is something I've wanted to know about as a possible alternative. This may be useful anyway, as it shows the SQL security features can offer this on a connection-basis, which the page can use as mentioned.
RoguePlanetoid  2009-11-06 15:03:37
A: 

The closest you could get would be to add code to the beginning of your stored procedure that queried the values of APP_NAME(), HOST_NAME(), HOST_ID(), CURRENT_USER and perhaps others, and if any didn't match the relevant values for your app then just return NULL or an empty row. This wouldn't be page-specific, of course, and there wouldn't be anything to stop someone using Query Analyzer to view the contents of the stored procedure itself.

CodeByMoonlight  2009-11-06 15:10:23
Thanks for this, the main purpose of the question was to see if a page could use a stored procedure when allowed, and not before. This might be useful to have these when the context of the Stored Procedure has to be Page only.
RoguePlanetoid  2009-11-06 15:14:17
Well, you could also make that page run the sp with different credentials to everywhere else, or just modify the ApplicationName in the connection string for that page to something unique and 'block' everything else.
CodeByMoonlight  2009-11-06 15:25:03
A: 

Hard to know whether it would be suitable for you or not, and usually I'm pro-stored procedures but the only alternative I could suggest is that you don't use a stored procedure.

Instead, use parameterised sql from the page in question. This way, there's no stored procedure existing to be used from anywhere else.

This would mean, if not already the case, that the user account being used would need direct permissions on the underlying tables.

AdaTheDev  2009-11-06 15:22:39

related questions

Sql to query a dbs scheme
Transform Columns into Rows
SQL Client for Mac OS X that works with MS SQL Server
How do you get leading wildcard full-text searches to work in SQL Server?
SQL Server 2000: Is there a way to tell when a record was last modified?
What's the BEST way to remove the time portion of a datetime value (SQL Server)
I need to know how much disk space a table is using in SQL Server
What's the best way to determine if a temporary table exists in SQL Server?
Appropriate pagefile size for SQL Server
Have you ever encountered a query that SQL Server could not execute because it referenced too many tables?
ASP.NET MVC "CRUD" Database Sample
How do I unit test persistence?
Best Book for a new Database Developer
Can I logically reorder columns in a table?
Best way to copy a database in SQL Server 2005/8?
Is Windows Server 2008 "Server Core" appropriate for a SQL Server instance?
Why doesn't SQL Full Text Indexing return results for words containing #?
Client collation and SQL Server 2005
Editing database records by multiple users
Deploying SQL Server Databases from Test to Live
SQL Server 2005 implementation of MySQL REPLACE INTO?
Upgrading SQL Server 6.5
How do I version my MS SQL database in SVN?
How to export data from SQL Server 2005 to MySQL
Check for changes to a SQL table?