Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

SQL Server Execute Impersonation

Tags:

sql

sql-server-2005

sql-server-2008

impersonation

What is the diffrence between... 

execute as user = 'testuser'

AND

execute as login = 'testuser'

I am executing a cross database procedure under these logins and it works with the exececute as login but not the execute as user. It is saying the server principal "testuser" is nt able to access the database "xxx" under the securty context.

When i SELECT SYSTEM_USER after both commands I see that it is set to 'testuser'

like image 672
JBone Avatar asked Apr 06 '12 15:04

JBone

2 Answers

execute as login provides impersonation to the entire server, since logins are on a server level. Since users are defined per database, execute as user impersonation applies only to a specific database, which is why you see the error when you cross databases.

like image 196
goric Avatar answered Oct 21 '22 21:10

goric

The EXECUTE AS can be added to stored procs, functions, triggers, etc.

Example to Execute As:

CREATE PROCEDURE dbo.MyProcedure
      WITH EXECUTE AS OWNER

In this case you are impersonating the owner of the module being called.

You can also impersonate SELF, OR the USER creating or altering the module OR... impersonate CALLER , which will enable to module to take on the permissions of the current user, OR... impersonate OWNER, which will take on the permission of the owner of the procedure being called OR... impersonate 'user_name', which will impersonate a specific user OR... impersonate 'login_name' with will impersonate a specific login.

Setting permission on objects like stored procedures can be accomplished with 

GRANT EXECUTE ON <schema>.<procedurename> to <username>;

However, you may also want to grant security rights at both the login and user level.

You will want to determine and grant ONLY the necessary rights for the objects that require access (such as execution). Consider use of the "EXECUTE AS" capability which enables impersonation of another user to validate permissions that are required to execute the code WITHOUT having to grant all of the necessary rights to all of the underlying objects (e.g. tables).

MOST of the time, you will only need to grant EXECUTE rights to stored procs and then rights are granted to all objects referenced within the stored proc.

In this way, you do not need to give implicit rights (example: to update data or call additional procs). Ownership chaining handles this for you. This is especially helpful for dynamic sql or if you need to create elevated security tasks such as CREATE TABLE. EXECUTE AS is a handy tool to consider for these.

This example may help clarify all of this:

--Create a user called NoPrivUser with public access to a database (e.g. dbadb)

USE [master]
GO
CREATE LOGIN [NoPrivUser] WITH PASSWORD=N'ABC5%', DEFAULT_DATABASE=[dbadb], CHECK_EXPIRATION=ON, CHECK_POLICY=ON
GO
USE [DBAdb]
GO
CREATE USER [NoPrivUser] FOR LOGIN [NoPrivUser]
GO

NOTE: CREATOR OR OWNER OF THIS PROCEDURE WILL REQUIRE CREATE TABLE RIGHTS within the target database.

use DBAdb
go
CREATE PROCEDURE dbo.MyProcedure 
WITH EXECUTE AS OWNER
AS
IF NOT EXISTS (SELECT * FROM sys.objects WHERE object_id = OBJECT_ID(N'[dbo].MyTable') AND type in (N'U')) 
CREATE TABLE MyTable (PKid int, column1 char(10)) 
INSERT INTO MyTable
VALUES (1,'ABCDEF')

GO

GRANT EXEC ON dbo.MyProcedure TO NoPrivUser;
GO

-- Now log into your database server as NoPrivUser and run the following.

use dbadb
go

EXEC dbo.MyProcedure

--(1 row(s) affected)

Now try to select from the new table while logged on as NoPrivuser.

You will get the following:

select * from MyTable
go

Msg 229, Level 14, State 5, Line 1 The SELECT permission was denied on the object 'MyTable', database 'DBAdb', schema 'dbo'.

That is expected since you only ran the procedure under the security context of Owner while logged on as NoPrivUser.
NoPrivUser as no rights to actually read the table, Just to execute the procedure which creates and inserts the rows.

With the EXECUTE AS clause the stored procedure is run under the context of the object owner. This code successfully creates dbo.MyTable and rows are inserted successfully.

In this example, the user "NoPrivUser" has absolutey no granted rights to modify the table, or read or modify any of the data in this table.
It only takes on the rights needed to complete this specific task coded WITHIN the context of this procedure.

This method of creating stored procedures that can perform tasks that require elevated security rights without permanently assigning those rights come be very useful.

like image 20
Richard Ouimet Avatar answered Oct 21 '22 22:10

Richard Ouimet
Sign in to Comment

Related questions

Is it faster to UPDATE a row, or to DELETE it and INSERT a new one?
SQL Alias of joined tables
Oracle EXECUTE IMMEDIATE into a cursor
SQL - Give me 3 hits for each type only
Sum on a left join SQL
Use nested stored procedure results in calling stored procedure Sql Server 2008
ORACLE SQL listagg function
Converting SQL to relational algebra [closed]
SQL SELECT from three tables
HTML Format in sp_send_dbmail
Updating a table by referencing another table
How to restrict a user to access objects of only one schema in SQL Server 2008?
Does it make sense to create new table or add fields
renaming a temporary table into a physical one
How can I store a string in a varbinary(max) column using c#
Why isn't the 'insert' function adding rows using MySQLdb?
ActiveRecord: count with groups
SDL Tridion times out when publishing multiple items
One-to-Many relationships in (Postgre)SQL
Ranking rows using SQL Server Rank function without skipping a rank number

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!