I have restored a 2005 Database to a new 2008 R2 DB Server. I have created a new user called "gatekeeper".
However, this user does not have access to the list of stored procedures in the database.
In a reporting application before running the query the report program is running the following procedure...
exec [Timesheet]..sp_procedures_rowset N'mp_GetTimesheetToPrint',1,N'dbo'
When run under gatekeeper user this returns no rows. However when run as sa it returns the procedure.
What is the minimum permission I need to give to gatekeeper for this procedure to work properly? It seems to be a problem with all system objects, none of them fail to run or give permission errors, they just return no results or subsets of the results.
Really struggling with this. Thanks in advance
Regards
Phil
I am honestly a bit confused by your description, so please let me know if I am off base here. You can try this below. It will grant execute access to all stored procedures. If you only need gatekeeper to have access to the one stored procedure, then just grant execute on that stored procedure. If the stored procedure is accessing data from other databases, you may need to grant permissions on the tables and such that it is accessing outside of its database.
CREATE ROLE db_executor
GRANT EXECUTE TO db_executor
EXEC sp_addrolemember 'db_executor', 'gatekeeper'
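An added example, not part of the original thread: the single-procedure variant of the grant above, checked under impersonation. Since SQL Server 2005 a user sees catalog metadata only for objects it owns or holds some permission on, which is why the rowset call returns nothing rather than an error. It assumes gatekeeper already exists as a user in the Timesheet database and that the script is run by a db_owner or sysadmin.

```sql
USE Timesheet;
GO

-- Before the grant: as gatekeeper the procedure is invisible in the catalog.
EXECUTE AS USER = 'gatekeeper';
SELECT COUNT(*) AS visible_before
FROM sys.procedures
WHERE name = N'mp_GetTimesheetToPrint';
REVERT;
GO

-- Least privilege: EXECUTE on the one procedure the report needs,
-- instead of database-wide EXECUTE through a role.
GRANT EXECUTE ON OBJECT::dbo.mp_GetTimesheetToPrint TO gatekeeper;
GO

-- After the grant: the object is visible and executable for gatekeeper.
EXECUTE AS USER = 'gatekeeper';
SELECT COUNT(*) AS visible_after
FROM sys.procedures
WHERE name = N'mp_GetTimesheetToPrint';

SELECT HAS_PERMS_BY_NAME(N'dbo.mp_GetTimesheetToPrint', 'OBJECT', 'EXECUTE')
       AS can_execute;

-- The call the reporting application makes, re-run in the same context.
EXEC [Timesheet]..sp_procedures_rowset N'mp_GetTimesheetToPrint', 1, N'dbo';
REVERT;
GO

-- Audit what gatekeeper has been granted directly in this database.
SELECT pr.name AS principal, pe.permission_name, pe.state_desc,
       OBJECT_NAME(pe.major_id) AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'gatekeeper';
```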
Related
I would like to have one script to remove the specific user group to execute all stored procedures on the specific database in SQL Server 2014. I searched the web and found the example at Grant Revoke Permissions On Stored Procedures in SQL Server. It looks like I need to create the script for all stored procedures.
Also I found another website, REVOKE Object Permissions (Transact-SQL). However, I have no clue how to write it as one script for all stored procedures.
Also I tried to use the below script in the database, but the Sales group still has permission on the stored procedure.
revoke execute to [Sales]
Would anyone tell me what I should do?
I have a stored procedure that I can execute in SSMS with a non domain SQL Server user.
This stored procedure selects data from tables in one database (DB1) truncates and selects into a table in DB2.
The user has datareader, datawriter and dbowner for both databases.
Problem:
When I execute the stored procedure via SS Agent with execute as the user I get the following error
The server principal [user] is not able to access the database [DB1]
under the current security context.
Actions taken So far:
I have tried to resolve this so far by:
Turning on db chaining for both databases
Deleted the user from DB1 and added again
Checked using EXEC sp_change_users_login @Action='Report' to see if the user was orphaned, as this is a database that is a restore of a live one. However, I added the user after the restore. The user was not listed as orphaned.
A possible workaround if you don't want to have the owner be sa is to have the user be a member of msdb and grant the SQLAgentOperatorRole in msdb. See if that works.
But to be honest, either use sa or a dedicated service account with enough permissions. It's better if the job runs under that context.
Maybe I'm getting this wrong, but... I have a SQL Server 2000 database with a stored procedure that is owned by DBO. This stored procedure is calling sp_grantdbaccess, which can be run by DBO, according to MS documentation, and I'm running a Windows user that belongs to a database role that has execute permission on this stored procedure.
If I understand ownership chaining correctly (which I obviously don't), I should be able to run this stored procedure, since it is run with impersonation as DBO.
But alas, it is telling me that the user doesn't have permission to run sp_grantdbaccess.
What can I do to solve this?
I'm trying to allow a user to view SQL Server trace data from a .trc file without giving them ALTER TRACE permissions (SQL Server 2008 R2). So I've wrapped it up in a stored procedure, using my sysadmin account:
CREATE PROCEDURE test_trace
as
SELECT * FROM FN_TRACE_GETTABLE(N'C:\temp\trace1.trc', 1)
If I execute this stored procedure using my sysadmin account, it runs fine as expected. If I try to run this under the domain1\user1 account, it does not run giving an error of "You do not have permission to run 'FN_TRACE_GETTABLE'". This is again expected.
So now I want to let domain1\user1 run the stored procedure, so I change the stored procedure to execute under a sysadmin account:
CREATE PROCEDURE test_trace
WITH EXECUTE AS 'domain1\sysadmin1'
as
SELECT * FROM FN_TRACE_GETTABLE(N'C:\temp\trace1.trc', 1)
Now when I execute the stored procedure, I get "You do not have permission to run 'FN_TRACE_GETTABLE'" regardless of the account I execute it under! I was expecting to be able to execute it both under the domain1\user1 and domain1\sysadmin1 accounts.
Could anybody please help with what I've missed? My goal is to allow domain1\user1 to read the trace1.trc file without giving them ALTER TRACE permissions.
You need to use code signing to elevate privileges in a controlled manner. While in an EXECUTE AS procedure context you are sandboxed and cannot leverage a server level privilege (such as trace related permissions), read Extending Database Impersonation by Using EXECUTE AS. Code signing is the proper solution to this problem as well. See a full example here.
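An added sketch of the code-signing approach this answer names, for the test_trace procedure from the question (it is not the example the answer links to, and not code from the thread). The database name TraceDemo, the certificate and login names, the .cer path and the password placeholder are assumptions; domain1\user1 is assumed to already be a user in that database.

```sql
USE TraceDemo;   -- hypothetical database that holds the procedure
GO
-- No EXECUTE AS clause: the signature, not impersonation, carries the privilege.
CREATE PROCEDURE dbo.test_trace
AS
    SELECT * FROM sys.fn_trace_gettable(N'C:\temp\trace1.trc', 1);
GO
CREATE CERTIFICATE TraceReaderCert
    ENCRYPTION BY PASSWORD = N'<replace-with-strong-password>'
    WITH SUBJECT = N'Signs dbo.test_trace';
GO
ADD SIGNATURE TO dbo.test_trace
    BY CERTIFICATE TraceReaderCert
    WITH PASSWORD = N'<replace-with-strong-password>';
GO
-- Drop the private key so the certificate cannot sign any other module.
ALTER CERTIFICATE TraceReaderCert REMOVE PRIVATE KEY;
GO
-- Export the public part only (the file must not already exist).
BACKUP CERTIFICATE TraceReaderCert
    TO FILE = N'C:\temp\TraceReaderCert.cer';
GO
USE master;
GO
-- Server-level permissions attach to a login mapped to the same certificate.
CREATE CERTIFICATE TraceReaderCert
    FROM FILE = N'C:\temp\TraceReaderCert.cer';
GO
CREATE LOGIN TraceReaderCertLogin FROM CERTIFICATE TraceReaderCert;
GO
-- This login cannot connect; it exists only to hold ALTER TRACE.
GRANT ALTER TRACE TO TraceReaderCertLogin;
GO
USE TraceDemo;
GO
-- The caller gets EXECUTE on the procedure and nothing else.
GRANT EXECUTE ON dbo.test_trace TO [domain1\user1];
GO
```

Altering the procedure drops its signature, so after any change it has to be signed again, and with the private key removed that means a new certificate.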
According to the documentation you can only specify a (database) username in execute as for stored procedures. Still I think this should normally work, but please alter the SP with the sysadmin account and specify EXECUTE AS SELF instead of the user name.
If that still does not work, try giving the executing user read rights on the trace file, maybe the server ignores the execute as for the file access (which I would consider as a bug).
Copy&paste the path into a new explorer window and if it gives an error, there's your problem. Took me a while to figure out why SQL Server said the "sa" account didn't have permissions that it did have.
I want to give a user access to a stored procedure, but not to all the objects in the database the stored procedure needs to use.
What is the best way to give rights to the stored procedure to enable it to work, but only grant execute access to the user to run it?
I am using sql server 2000 sp4.
From MSDN
Users can be granted permission to execute a stored procedure even if they do not have permission to execute the procedure's statements directly
try
GRANT EXECUTE ON myprocname TO myusername