I want to give a user access to a stored procedure, but not to all the objects in the database the stored procedure needs to use.
What is the best way to give rights to the stored procedure to enable it to work, but only grant execute access to the user to run it.
I am using sql server 2000 sp4.
From MSDN
Users can be granted permission to
execute a stored procedure even if
they do not have permission to execute
the procedure's statements directly
try
exec grant exec ON 'myprocname' TO 'myusername'
Related
I've got a SSRS report that is calling a stored procedure in my database.
Locally everything works, I am connecting with Windows authentication locally to hit the database and there are no problems.
When the SSRS report is deployed it's set up to use a different login, and this login has the correct role to grant execute on stored procedures. However, when trying to view the report on SSRS server I get this message:
Cannot find the user 'dbo', because it does not exist or you do not have permission.
If I remove the role that allows the grant execute rights I get a more specific error saying that I don't have permission to execute the stored procedure. But once this role is put back on the user account SSRS runs as it goes back go showing an error
Cannot find the user 'dbo'
The role I have that is granted execute rights is granted by 'dbo' user, this is the database owner. I have found things online saying that it's possible that a database backup messed up some user logins. I have checked, and the database owner sid is the same as the sysuser sid for name = 'dbo', so I do not think this is the problem.
Does anyone else know what I might be able to try?
EDIT: Details on stored procedure: it is a simple select with some inner joins.
At the end of the stored procedure is the following, granting access to the role my SSRS user is part of:
GRANT EXECUTE
ON OBJECT::[dbo].[Application_LoadData] TO [SSRSUserRole]
AS [dbo];
A stored procedure includes all statements in the batch after the CREATE PROCEDURE. So a proc like this
CREATE PROCEDURE USP_FOO
AS
BEGIN
SELECT * FROM FOO
END
GRANT EXECUTE ON USP_FOO TO SOMEUSER AS DBO;
Will attempt to execute to GRANT every time the procedure is run, and will fail when not run by dbo.
The script to create the procedure should have a batch separator before the grant. eg:
CREATE PROCEDURE USP_FOO
AS
BEGIN
SELECT * FROM FOO
END
GO
GRANT EXECUTE ON USP_FOO TO SOMEUSER AS DBO;
I have created a stored procedure, and used it to create a report in report builder. When I run the report, it says that execute permission was denied. But I can execute that stored procedure in the SQL SERVER. I could run the report when I give the same stored procedure as query. Can you please suggest me the solution. Thanks in advance.
log in to SQL Server and do the following :
GRANT EXEC ON [YourStoredProcedure] TO [TheReportServerUser]
Make sure the account you are using for this process have the appropriate permissions.
Maybe I'm getting this wrong, but... I have a SQL Server 2000 database with a stored procedure that is owned by DBO. This stored procedure is calling sp_grantdbaccess, which can be run by DBO, according to MS documentation. and I'm running a Windows user that belongs to a database role that has execute permission on this stored procedure.
If I understand ownership chaining correctly (which I obviously don't), I should be able to run this stored procedure, since it is run with impersonation as DBO.
But alas, it is telling me that the user doesn't have permission to run sp_grantdbaccess.
What can I do to solve this?
I have restored a 2005 Database to a new 2008 R2 DB Server. I have created a new user called "gatekeeper"
However this user does not have access to the list of stored procedure in the database.
In a reporting application before running the query the report program is running the following procedure...
exec [Timesheet]..sp_procedures_rowset N'mp_GetTimesheetToPrint',1,N'dbo'
When run under gatekeeper user this returns no rows. However when run as sa it returns the procedure.
What is the minimum permission I need to give to gatekeeper for this procedure to work properly. It seems to be a problem with all system objects, none of them fail to run or give permission errors, they just return no results or subsets of the results.
Really struggling with this. Thanks in advance
Regards
Phil
I am honestly a bit confused by your description, so please let me know if I am off base here. You can try this below. It will grant execute access to all stored procedures. If you only need gatekeeper to have access to the one stored procedure, then just grant execute on that stored procedure. If the stored procedure is accessing data from other databases, you may need to grant permissions on the tables and such that it is accessing outside of its database.
CREATE ROLE db_executor
GRANT EXECUTE TO db_executor
EXEC sp_addrolemember 'db_executor', 'gatekeeper'
My requirement is that user performing alter CANNOT be sysadmin (it can have all other rights but not sysadmin).
I am running a query from local server which should modify a remote one
EXEC ('ALTER DATABASE REMOTEDB MODIFY FILEGROUP ftfg_REMOTEDB NAME=ftfg_REMOTEDB') at [REMOTESERVER]
This query works once I add sysadmin right to the user but without the right, it give the following error:
The server principal "USERWITHOUTSYSADMIN" is not able to access the database "REMOTEDB" under the current security context.
I am on SQL Serve 2008.
Please Help!
After much research: This is not possible:(
Put the EXEC command in a stored procedure and grant execute on the procedure to the user. It won't STOP a sysadmin from executing it, but it will allow others to execute it as well. Be VERY, VERY careful with this!
Can you allow the user to impersonate someone with the appropriate permissions?
EXEC ('ALTER DATABASE REMOTEDB MODIFY FILEGROUP ftfg_REMOTEDB NAME=ftfg_REMOTEDB')
AS USER = 'UserWithAppropriatePermissions'
AT [REMOTESERVER]