Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Why does COUNT(*) require SELECT permission on all table columns on SQL Server?

Tags:

sql

sql-server

tsql

sql-server-2017

I recently encountered the problem that COUNT(*) requires the user to have select permission on every single column of a table. Even though the spec of 'COUNT(*)' explicitly says that

it does not use information about any particular column.

It just returns the number of rows in the result.

So if you want to count the number of of rows in a table as a restricted user you get permission exceptions.

Here is an example:

CREATE TABLE [Product]
([name] nvarchar(100) null, [price] float)

CREATE USER Intern WITHOUT LOGIN;
DENY SELECT ON [Product] (price) TO Intern;

EXECUTE AS Intern;

-- Fails with "The SELECT permission was denied on the column 'price' of the object 'Product'"
SELECT COUNT(*) FROM [Product];

REVERT;

After some testing I found that even SELECT COUNT(1) FROM [Product] does not work.

Can someone explain what the reasoning behind this behaviour is? And what would be a workaround to allow the Intern user to still get an accurate count of Product.

Update: I would be most interested in workarounds that the Intern could use. So even though creating a View would be best practice for the admin, the Intern does not have this option.

like image 766
Bluuu Avatar asked Aug 29 '19 08:08

Bluuu

People also ask

How does count (*) work in SQL?

COUNT(*) returns the number of rows in a specified table, and it preserves duplicate rows. It counts each row separately. This includes rows that contain null values.

What is the purpose of the count (*) clause?

The SQL COUNT() function returns the number of rows in a table satisfying the criteria specified in the WHERE clause. It sets the number of rows or non NULL column values. COUNT() returns 0 if there were no matching rows.

What does SELECT count (*) from table do?

The COUNT (*) function returns the number of rows that satisfy the WHERE clause of a SELECT statement.

1 Answers

I don't know the reasoning behind this behaviour, but there is a way around it:

SELECT  COUNT(1)
FROM    (
            SELECT  P.name
            FROM    dbo.Product AS P
        ) AS t;

Of course you need SELECT permission on Product.name, but I gather from your comments that shouldn't be an issue.

Addendum, because I agree it is unexpected behaviour. If you do the following, you are also permitted to execute the count (if you have an index on name as well as SELECT permissions on name):

SELECT  COUNT(1)
FROM    dbo.Product AS P
WHERE   P.name = P.name
    OR  P.name IS NULL

The preceding works well from the point of view of the user who wants something they aren't allowed (Intern, in this case). From the point of view of the DBA, a better method exist to facilitate that user. (Copied from the comment of Jeroen Mostert above:)

You can create a view that explicitly excludes columns Intern should not see, and grant SELECT permission on that. This way, queries work as normal without having to introduce circuitous and unintuitive workarounds and you do not need separate DENY permissions per column either -- you don't have to grant SELECT permission on the base table in the first place.

like image 152
HoneyBadger Avatar answered Oct 13 '22 01:10

HoneyBadger
Sign in to Comment

Related questions

ActiveRecord left outer join with and clause
PostgreSQL: Terribly slow ORDER BY with primary key as the ordering key
How reliable is the cost measurement in PostgreSQL Explain Plan?
Implement a ring buffer
SQL query not working as expected (from a beginners point of view)
distribute value to all rows while updating table
PHP and MySQL showing different results with same query
Edit specific row of a table using id of that row
Cannot get the value from database in PHP
General approach for SQL script execution in Java
SQL Server - merge two XML using only .modify()
How to perform complex API authorization in fewer SQL queries?
Using `type` as database column name
Avoid sort operator in index plan
Union of arrays as aggregate function
Generate new line number for each mapping
Unexpected result for string comparison
SQL Server Weird Grouping Scenario by multiple columns and OR
Rails 5.2 Error Changing or Removing Table Column (SQLite3::ConstraintException: FOREIGN KEY constraint failed: DROP TABLE)
Not able to convert directly to decimal value?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!