Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Permissions when using "Execute sp_Executesql"

Tags:

sql

sql-server

permissions

dynamic-sql

sp-executesql

I have a database where all access is controlled by stored procedures. The DBA would like to avoid giving users direct read/write access to the underlying tables, which I can understand. Hence all updating and selecting of data is done via stored procedures. Basically he has created one role that has EXECUTE permissions to all the stored procedures in the database and given users that role.

The problem is that one of the stored procedures dynamically builds a SQl Query and executes it via "Execute sp_Executesql". Without going into great detail the query is built dynamically because it changes significantly depending on many user input parameters. The stored procedure in question is only a SELECT sql statement however I am finding that just giving the stored procedure EXECUTE permission is not enough. The underlying tables referenced within the stored procedure that make use of "Execute sp_Executesql" need to have been given "datareader" access or else the stored procedure fails.

Any thoughts on how to correct this? I really wanted to restrict access to the tables to only stored procedures, but I need to find a way to work around the stored procedures that make use of "Execute sp_Executesq"l. Thank you.

like image 690
webworm Avatar asked Sep 28 '10 19:09

webworm

People also ask

What permissions are required to execute stored procedure?

To grant permissions on a stored procedure Expand Stored Procedures, right-click the procedure to grant permissions on, and then select Properties. From Stored Procedure Properties, select the Permissions page. To grant permissions to a user, database role, or application role, select Search.

What is the difference between execute and sp_executesql?

sp_executesql supports parameterisation, whereas EXEC only accepts a string. Only performance differences that may arise are due to the parameterisation i.e. a parameterised sp_executesql call is more likely to have a reusable cached plan.

What is EXEC sp_executesql in SQL?

January 9, 2020 by Esat Erkec. The sp_executesql is a built-in stored procedure in SQL Server that enables to execute of the dynamically constructed SQL statements or batches. Executing the dynamically constructed SQL batches is a technique used to overcome different issues in SQL programming sometimes.

What privilege should be given to a user to log on to the SQL Server?

The user ID ideally requires DB OWNER privileges on the data stores used for IBM Business Automation Workflow. Configure the SQL Server for SQL Server and Windows authentication so that authentication to be based on an SQL server login ID and password.

1 Answers

In the wrapper proc you can use EXECUTE AS OWNER or EXECUTE AS SomeuserWithNoLogin

This will change the login context for the duration of the stored proc which includes sp_executesql.

  • If you use OWNER, it will work because you're already using ownership chaining.
  • If your DBA (good man!) does not want you running as dbo, then set up a user that has full read but no rights. EXECUTE AS <user> requires an entry is sys.database_principals

Like this:

CREATE USER SomeuserWithNoLogin WITH WITHOUT LOGIN
EXEC sp_addrolemember 'db_datareader', 'SomeuserWithNoLogin'

For more info, see EXECUTE AS Clause on MSDN and CREATE PROCEDURE

like image 158
gbn Avatar answered Sep 20 '22 09:09

gbn
Sign in to Comment

Related questions

How to tune a range / interval query in Oracle?
Using Labels in HAVING() Clause in SQLAlchemy
How to get my PUT_LINE statement to display in TOAD?
Postgresql: Find values in JSON array by wildcard and comparison operators with index
How to simulate ActiveRecord Model.count.to_sql
Invalid table alias or column reference b
Finding count for a Period in sql
Convert YYYYMMDD String to Date in Impala
Why is there one more negative int than positive int?
Check if a String value contains any number by using Lambda Expression
How to avoid PG::NumericValueOutOfRange when using sum function
How to implement a Digg-like algorithm?
SQL Server, Converting NTEXT to NVARCHAR(MAX)
Optimize SQL that uses between clause
Oracle lag between commit and select
How do I LIMIT the number of rows in a DELETE with DB2?
Is there integer ranges for Where Clause?
Is Nhibernate Vulnerable to SQL Injection?
How to go from DBF files to SQL Server 2008?
How to make for loop in windows batch file run in name order

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!