Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

What does "Grant Connect on Endpoint as [sa]" do?

Tags:

sql

sql-server

tsql

sql-server-2008

database-project

I was going through the script generated by my Visual Studio Database project and I found this:

GRANT CONNECT
    ON ENDPOINT::[TSQL Default TCP] TO PUBLIC
    AS [sa];

I don't know what it does, but it seems to grant PUBLIC access as SA (just by how it reads).

Anyone know what this really does? (Clearly it grants some access via an "ENDPOINT". But in plain english what does it do?)

By just reading it, it says to me that anyone connecting via TCP port can run as [sa]. (I hope that is not right, but if it is, why would Visual Studio's DB Project do that?)

like image 266
Vaccano Avatar asked Oct 09 '22 15:10

Vaccano

1 Answers

To start with, the GRANT is incorrect for one obvious reason: it uses the name [PUBLIC] for the grantee, but it should be [public]. On a case sensitive installation the name will not resolve.

Now about your question: the AS [sa] part is relevant for the action of granting the permission, it does not transfer to the grantee. It reads something like:

I, in the name of [sa], grant the privilege of connecting to the [TSQL Default TCP] endpoint to the members of the [public] group.

Specifically, it does not imply that the grantee (the members of [public]) are to be elevated to [sa]. Granting connect permission is a necessary but not sufficient privileged to connect to a database. The grantee would still require the permission to access the database (ie. to have a user mapped to its login in the database). Also, granting connect permission to the [public] server principal is not equivalent to creating a login for the BUILTIN\Everyone (or BUILTIN\ANONYMOUS LOGIN for the matter...) security principals (or other built-in account)... In other words an NT user that has no login (explicit or implicit via an NT group membership) in SQL Server will still not be able to connect to the instance.

As a side note, running the following query on any brand new installation reveals that the permission to connect to the default T-SQL endpoint is already granted to [public]:

select s.name as grantee, 
    e.name as endpoint,
    p.permission_name as permission,
    p.state_desc as state_desc
from sys.server_permissions p
join sys.server_principals s on s.principal_id = p.grantee_principal_id
join sys.endpoints e on p.major_id = e.endpoint_id
where p.type='CO'
like image 106
Remus Rusanu Avatar answered Oct 12 '22 11:10

Remus Rusanu
Sign in to Comment

Related questions

PostgreSQL DELETE/INSERT throughput issue
Alternatives to a recursive CTE inside an 'exists' correlated subquery?
Using Max() on SUM() Aggregate function in Oracle
Calculate Number of years between dates in Sql
SQL WHERE on a large table -> Join to small table first or put FK directly in the WHERE clause?
SQL Server ORDER BY clause in subquery
SSRS 2008 - Header on report is not showing Dynamic Data
in postgres, is it possible to optimize a VIEW of UNIONs
SQL partitioning on non-enterprise server?
Can't create foreign key with ON DELETE SET DEFAULT
Share Declarative_Base (SQLAlchemy) with Singleton in Python
Nested selects in joins: The multi-part identifier could not be bound
Using CASE for an optional predicate
XMLtable with Oracle 11g
How to control bracket position on ActiveRecord query with `OR` clause
Insert data and fill columns with rank
'In' clause in SQL server with multiple columns
Postgres column does not exist but it's there with alias [duplicate]
What happens when you hit the SQL Server Express 4GB / 10GB limit?
Doctrine syntax error with field named "order"

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!