I have a script which generates a database for a given {databaseName}, and then creates a login for a given {loginName} for this database.
I then want restrict this user to only be able to view this database, and no others.
I have this working through the use of:
USE [{DatabaseName}]
GO
ALTER AUTHORIZATION ON DATABASE::[{DatabaseName}] to [{LoginName}]
GO
USE [master]
GO
DENY VIEW ANY DATABASE TO [{LoginName}]
GO
I have now put this into a stored procedure, but I cannot change to the [master] database to execute the last line:
DENY VIEW ANY DATABASE TO [{LoginName}]
Is there a way to restrict the user from seeing other database from within a stored procedure?
The stored procedure is currently on another database, but I am able to move it.
You can change the database context for a given SQL command by doing something like this:
master.dbo.sp_executesql N'print db_name()'
Although I suspect there might be a better way to do what you're trying to do
Related
I have a C# Winform application that interacts with an SQL Server DB via stored procedures. In SSMS, how do I create a login that ONLY has permissions to run stored procedures? That login wouldn't be able to view/edit/create table definitions, etc. It would also only have access to a single specified DB.
The reason I want to create such a login is because I store the SQL Server credentials used by my Winform application in its App.config file. Since the app.config can easily be read, anyone with malicious intent can easily perform unwanted operations on the database if the given login had any other permissions than just stored procedures.
A neat trick in this scenario is to create a separate (custom) SQL Server role that can only execute stored procedures:
CREATE ROLE db_executor;
GRANT EXECUTE TO db_executor;
This role now has the permission to execute any stored procedure in the database in which it's been created - and in addition: that permission will also extend to any future stored procedures you might create later on in this database.
Now create a user in your database and give it only this database role - this user will only be able to execute stored procedures - any and all of them in your database.
If you user should be allowed to execute any and all stored procedures - this is a very convenient way to allow this (and you don't have to constantly update the permissions when new stored procedures are created).
You can use the following query in order to allow stored procedure execute permision to your user
USE [DB]
GRANT EXECUTE ON dbo.procname TO username;
However, in my humble opinion , you should secure the connection string in the app.config.
Maybe , this How to store login details securely in the application config file link can be helped to you.
The access to a specific database is done through creating a user on the database that you want him to operate on. You can find more infos about users here.
If the user is created you can Grant, With Grant and Deny actions for every single item on the database.
The user will then be granted/denied those rights by a grantor, which is the dbo by default.
You can use this to also deny him access to every item on your database that isn't your stored procedure, which is what you're looking for if I understand you correctly.
Try folloiwng approach (grant execute should be repeated for every SP). Note that MyStoredProcedure has to be in MyDatabase :)
-- create login to server
create login test_user with password = 'test';
-- create user mapped to a database
use MyDatabase
go
create user test_user for login test_user;
-- grant permission to execute SP
grant execute on MyStoredProcedure to test_user
I would like to have one script to remove the specific user group to execute all stored procedures on the specific database in SQL Server 2014. I searched the web and found the example at Grant Revoke Permissions On Stored Procedures in SQL Server. It looks like I need create the script for all stored procedure.
Also I found another website REVOKE Object Permissions (Transact-SQL). However I have no clue how to write it as one script for all stored procedure.
Also I tried to use the below script in the database, but the Sales group still has permission on the stored procedure.
revoke execute to [Sales]
Would anyone tell me what should I do?
I have a stored procedure Which we call it Test here.
For simplicity I modified the SP code to:
Select * from table A
I can run this SP without any issues.
Now if I use Dynamic SQL
#SQL='Select * from table A'
EXECUTE (#SQL)
I get
The SELECT permission was denied on the object 'A', database 'MyDb', schema 'dbo'.
What is different here?
Dynamic SQL has this restriction/limitation. When you use dynamic sql inside a stored procedure , even if the calling user has the permissions on the stored procedure , the user also need permissions on the tables/objects being called inside the dynamic sql .
You have two options
Do not use Dynamic sql at all.
Give the calling user permissions on the table being used inside the dynamic sql.
This error comes when the user does not have the sufficient privileges
to access your tables in the database. Do grant the privilege to the
user in order to get what you want.
Grant The Permission For Select statement(or any other if you want).
I'm working with SQL Server on a database which has tables, views and stored procedures. This database will surely be used by some other persons and I want to block the access to my stored procedures code. Is it possible to do that?
You can encrypt procedure code (if that is what you want to hide) by adding "With Encryption":
Create Procedure MyProc
With Encryption
As
Select 1;
But for sysadmins its still will be possible to get to procedure code (with a bit of effort).
You can revoke their EXECUTE permission on your stored procedure something like this..
REVOKE EXECUTE ON OBJECT::dbo.Proc_Name
FROM NaughtyPerson;
GO
There is a user and two databases on server (db1 and db2).
User can connect to server having default database db1 where he can exec sp.
In sp syntax we use synonyms for db2 tables under dbo scheme.
All that is done in order to allow user just connect and exec one stored procedure. It worked noraml but now The server principal "user" is not able to access the database "db2" under the current security context.
User gets output from sp when code does not touch synonyms to db2.
What should be updated? I cant grant select to user for db2 objects.
I know the question is old, but still relevant
the procedure has to have permission on the synonym object
the procedure has to have permission on the object the synonym is targeting
you have to correctly setup trustworthy database property
By default, the procedure executes under the caller account, but it can be changed with execute as clause.