July 26, 2016 at 3:02 pm
Probably asked and answered 100 times but I'm stuck.
Have a production database and I need to give a third party access to a subset of data via views. I do not want them to have access to the underlying tables as that would defeat the purpose.
db1 has table [Location]
db2 has view [Location]
Database Owner of both db1 and db2 is the same login.
Schema of both [location] objects is dbo, schema owner is DBO.
user myLogin exists in both db1 and db1
myLogin has been granted Select permission on view [Location]
table [Location] has permissions assigned to two custom Database Roles of which myLogin is not a member
select * from location fails
Msg 229, Level 14, State 5, Line 1
The SELECT permission was denied on the object 'Location'
July 26, 2016 at 3:10 pm
Bah! SQL doesn't enable ownership chaining by default.
https://msdn.microsoft.com/en-us/library/bb669059(v=vs.110).aspx
July 26, 2016 at 3:16 pm
Enabling DB chaining for the two databases is probably the simple way out.
However, beware that if one user is db_owner in one database and plain user in the other, this user can exploit the fact that ownership chaining is in force access data in the other database he should not have access to.
For a longer discussion see the article Giving Permissions through Stored Procedures on my web site.
[font="Times New Roman"]Erland Sommarskog, SQL Server MVP, www.sommarskog.se[/font]
September 16, 2016 at 11:49 am
No, cross-database ownership chaining is not enabled by default and you couldn't disable it. It used to be, until SQL Server 2000 SP3. After that, you must enable yourself. See Erland's warnings about enabling it. Make sure you don't expose more than you expected. It's a feature because there's a time and place for it. sounds like you've got such a case.
K. Brian Kelley
@kbriankelley
Viewing 4 posts - 1 through 3 (of 3 total)
You must be logged in to reply to this topic. Login to reply