October 23, 2012 at 1:23 am
I have a stored procedure that uses "WITH EXECUTE AS" to allow the querying of some system views, the stripped down syntax is as follows:
CREATE PROCEDURE [dbo].[MyTestProc]
WITH EXECUTE AS 'DOMAIN\UserA'
AS
SET NOCOUNT ON;
SELECT COUNT(*)
FROM msdb.dbo.sysjobs_view;
When I run this procedure I get the error message:
The SELECT permission was denied on the object 'sysjobs_view', database 'msdb', schema 'dbo'
UserA is a member of sysadmin so I would expect it to be able to access the view and in fact if I comment out the "WITH EXECUTE AS" line and run the stored procedure as UserA it works. Any ideas what might be happening?
Thanks
October 23, 2012 at 8:17 am
Execute As doesn't go outside the local database without extended authentication from the other database. It's scope is within the local DB. I only recently learned this myself. I'm going through a series of online videos.
Here's where I ran into it:
http://technet.microsoft.com/en-us/sqlserver/gg545013.aspx
---------------------------------------------------------------
Mike Hahn - MCSomething someday:-)
Right way to ask for help!!
http://www.sqlservercentral.com/articles/Best+Practices/61537/
I post so I can see my avatar :hehe:
I want a personal webpage 😎
I want to win the lotto 😀
I want a gf like Tiffa :w00t: Oh wait I'm married!:-D
October 23, 2012 at 8:50 pm
If "SA" owns the database, you could just execute as OWNER.
--Jeff Moden
Change is inevitable... Change for the better is not.
October 24, 2012 at 1:14 am
I found the problem but still not sure why it doesn't work!
I used the USER_NAME() and SUSER_NAME() functions to check the before and after and found that SUSERNAME() returned dbo before the switch (EXECUTE AS) but returned Domain\UserA after the switch.
I moved the WITH EXECUTE AS into the procedure itself and changed it to EXECUTE AS USER 'Domain\UserA' but this still failed, however changing it to EXECUTE AS LOGIN 'Domain\UserA' worked.
October 24, 2012 at 5:57 am
David-155102 (10/24/2012)
I found the problem but still not sure why it doesn't work!I used the USER_NAME() and SUSER_NAME() functions to check the before and after and found that SUSERNAME() returned dbo before the switch (EXECUTE AS) but returned Domain\UserA after the switch.
I moved the WITH EXECUTE AS into the procedure itself and changed it to EXECUTE AS USER 'Domain\UserA' but this still failed, however changing it to EXECUTE AS LOGIN 'Domain\UserA' worked.
Just checking to make sure... I'd really like to suggest using user names/logins (whatever) for this type of thing unless they are very specifically NOT attached to human entities. They should be setup for this type of proxy only and no human should ever be allowed to login through them. Their password should be guarded as strictly as the SA password should be.
--Jeff Moden
Change is inevitable... Change for the better is not.
Viewing 5 posts - 1 through 4 (of 4 total)
You must be logged in to reply to this topic. Login to reply