October 12, 2006 at 3:11 pm
Hello!
I am reading official MS's teaching course about stored procedure. This is short quote from paragraph "Advantages of stored procedures":
Provide security mechanisms. Users can be granted permission to execute a stored procedure even if they do not have permission to access the tables or views to which the stored procedure refers.
What it talk about? In brief:
-there is table T1
-there is stor. proc. P1 sort of "select * from T1"
-there is user Ann. Ann has EXECUTE permission on P1 and has absolutely nothing permission on T1
And quoted text stated: "in this scenario Ann can execute P1 and get all rows from T1".
My verdict - not completely true. It is right if BOTH P1 and T1 have the same owner(as a formality - Ted will be owner for both). BUT! If Ted is owner of P1 only and Jack is owner of T1 - quoted text falls to false due to the fact of "broken ownership chain".
So... am I right in my conclusions?
October 13, 2006 at 11:23 am
You are absolutely right.
I think the course missed some details.
October 13, 2006 at 5:27 pm
Aha... Thanks for confirmation of my apprehensions. I also think this paragraph from course miss nuances...
Viewing 3 posts - 1 through 2 (of 2 total)
You must be logged in to reply to this topic. Login to reply