SQLServerCentral Article

Allowing BULK INSERT for non-SysAdmin Users in SQL 7.0

,

Introduction

 

The BULK

INSERT statement allows you to bulk copy data into SQL Server using the

functionality of the bcp utility with a Transact-SQL statement, rather than from

the command prompt. In SQL 2000 there is a fixed server role called “Bulk Insert

Administrators” which has rights to issue BULK INSERT, while in SQL 7.0 there is

no such role – only members of the Sysadmin role can execute BULK INSERT. This

creates a problem on systems where an application connects using a SQL login,

because usually you wouldn’t  want this login to be granted complete admin

access.

 

Solution

 

The

workaround is as follows:

 

Create a DTS

package which has the required Bulk Insert Task. Schedule the package. This will

create a job with a single step which runs DTSRUN in a cmdshell, and the

redundant schedule can be deleted. Next create a stored procedure to run the job

using : EXEC msdb.dbo.sp_start_job @job_name = 'JobName'.

 

Now we need

to enable permissions to execute this job.  In the Properties GUI of SQL Agent

(right-click on SQL Agent in Enterprise Manager) select the Job System tab and

uncheck the “Only users with SysAdmin privileges can execute CmdExec and

ActiveScripting job steps” checkbox. Usually the security context in which the

job is run is determined by the owner of the job. However, if the job is owned

by a login that is not a member of the Sysadmin server role (ie our case), then

the package is run under the context of the SQLAgentCmdExec account. So, as long

as this account is set up with the rights to access the source file, it all

works ok. Be sure to limit the rights of the SQLAgentCmdExec user, otherwise one

security loophole has been swapped for another.

 

Understandably this is not ideal, because now each user has access to (the

limited rights of SQLAgentCmdExec) to execute xp_cmdshell, but it may be

preferable to allowing the application login to have SysAdmin rights, and once

you upgrade to SQL 2000 this solution can be replaced by implementing the fixed

server role.

 

NB

 

It may seem that other simpler

methods can be used, but I found that if you try to run a stored procedure which

has the BULK INSERT command in it, you receive the following message “The

current user is not the database or object owner of table 'database.dbo.table'.

Cannot perform SET operation.” Making the user the DBO, simply changes the error

message to “You do not have the permission to issue the BULK INSERT statement”!

The same happens if you create a procedure which executes a job which in turn

executes the bulk insert statement.

Rate

5 (1)

You rated this post out of 5. Change rating

Share

Categories

Join the discussion and add your comment

Share

Rate

5 (1)

You rated this post out of 5. Change rating

Related content

SQLServerCentral Article

Worst Practice - Bad Connection Strings and Bad Info in Sysprocesses

Andy returns to the Worst Practice series this week with a short article looking at how connection strings in applications affect what you see in sysprocesses. Perhaps less controversial (in our opinion) that some of the other worst practices, this is something easy to fix and definitely worth fixing! Read the article and post a comment - explore other points of view! Readers posting a comment will be entered in a drawing for a copy of the SQL Server 2000 Resource Kit.

You rated this post out of 5. Change rating

2003-08-01

15,766 reads

SQLServerCentral Article

Logins, Users, and Roles - Getting Started

Do you know the difference between a login and a user? What's the best way to add them; Enterprise Manager, T-SQL, or SQL-DMO? In this beginner level article Andy demonstrates how to use all three methods to add logins and users and offers his view of which is the best technique.

You rated this post out of 5. Change rating

2005-09-30 (first published: )

37,455 reads