tags:

views:

26

answers:

1
Q: 

do functions in sql server have different permissions rules?

Here's the situation. I'm writing an automated test that walks the list of dependencies for a proc and determines if an acct has rights for all of the dependent objects.

My code looks like this: 

exec sp_depends 'the_proc_name'

-- run this query on the results of sp_depends: 

select
case                          
when exists (                                   
select *
from sys.database_permissions dp
where grantee_principal_id=USER_ID('TheAccount')                                     
    and major_id=object_id('dbo.theDependentObject')                                     
    and minor_id=0
    and state_desc = 'GRANT')
then 'true'
else 'false'                                
end;

It all seems to be working fine, but there's a hiccup when it encounters a function. I have one case where TheAccount doesn't have rights to a function (the query above returns false). However the proc that calls the function in question runs fine when running under TheAccount. So there's either something wrong with my test code or functions have special permission behavior in SQL-Server that I'm not aware of.

Should I change the code to only search for 'DENY' instead of 'GRANT'? Do functions that are called in procs inherit the permissions of the calling proc except when the execute rights are explicitly denied? Does my code suck?

+1  A: 

When you are running static SQL from a stored proc, the stored proc runs with the authority of the id that last created/modified the stored proc; not the id of the person running the stored proc.

For example, this is the same ability that allows you to use a stored proc to run an Insert statement without giving the person running the stored proc Insert Authority on the underlying table.

One note - this does not apply when you are using dynamic SQL (with the exec statement). In that case, the person running the stored proc, must have the necessary authority for that SQL statement.

So I'm not sure if your unit tests will provide you what you are looking for since the rights to dependent objects are taken care of, to some extent, by the way SQL Server handles Stored Proc security.

Jeff Siver  2010-05-26 15:24:32
What? If I create a proc and don't grant execute permissions to you you won't be able to execute it unless you are dbo GRANT EXECUTE ON ProcNAme to UserName...try it out create a proc and then try executing as a user with read access only. Of course you can use EXECUTE AS in the proc but that is another story
SQLMenace  2010-05-26 15:30:05
So if a DBA modifies a stored proc, then a datareader user runs the proc, the proc will be run with the authority of the DBA. That's what you're saying, if I'm reading it right. That sounds patently false.
jcollum  2010-05-26 15:32:14
Jeff Siver  2010-05-26 20:39:23

related questions

Sql to query a dbs scheme
Transform Columns into Rows
SQL Client for Mac OS X that works with MS SQL Server
How do you get leading wildcard full-text searches to work in SQL Server?
SQL Server 2000: Is there a way to tell when a record was last modified?
What's the BEST way to remove the time portion of a datetime value (SQL Server)
I need to know how much disk space a table is using in SQL Server
What's the best way to determine if a temporary table exists in SQL Server?
Appropriate pagefile size for SQL Server
Have you ever encountered a query that SQL Server could not execute because it referenced too many tables?
ASP.NET MVC "CRUD" Database Sample
How do I unit test persistence?
Best Book for a new Database Developer
Can I logically reorder columns in a table?
Best way to copy a database in SQL Server 2005/8?
Is Windows Server 2008 "Server Core" appropriate for a SQL Server instance?
Why doesn't SQL Full Text Indexing return results for words containing #?
Client collation and SQL Server 2005
Editing database records by multiple users
Deploying SQL Server Databases from Test to Live
SQL Server 2005 implementation of MySQL REPLACE INTO?
Upgrading SQL Server 6.5
How do I version my MS SQL database in SVN?
How to export data from SQL Server 2005 to MySQL
Check for changes to a SQL table?