Stored Procedure and Permissions – Is EXECUTE enough?

by

Permissions on tables are not checked (including DENY) if tables and proc have the same owner. They can be in different schemas too as long as the schemas have the same owner.

See Ownership chaining on MSDN

Edit, from a comment from a deleted answer.

The context is always the current login unless EXECUTE AS as been used: only referenced object DML permissions are not checked. Try OBJECT_ID(referencedtable) in a stored proc where no rights are assigned to referencedtable. It gives NULL. If executed by the owner of the stored proc then it would give a value because owener has rights on referencedtable

More Related Contents:

  1. T-SQL stored procedure that accepts multiple Id values
  2. Select columns from result set of stored procedure
  3. SQL Server: Query fast, but slow from procedure
  4. Escape a string in SQL Server so that it is safe to use in LIKE expression
  5. Retrieve column definition for stored procedure result set
  6. Dapper.NET and stored proc with multiple result sets
  7. How to list all dates between two dates [duplicate]
  8. SQL Server sp_msforeachtable usage to select only those tables which meet some condition
  9. EXEC sp_executesql with multiple parameters
  10. T-SQL Dynamic SQL and Temp Tables
  11. How do I find a stored procedure containing ?
  12. How do I search an SQL Server database for a string?
  13. Calling an API from SQL Server stored procedure
  14. Handling date in SQL Server
  15. SQL Server history table – populate through SP or Trigger?
  16. Retrieve data from stored procedure which has multiple result sets
  17. Programmatically retrieve SQL Server stored procedure source that is identical to the source returned by the SQL Server Management Studio gui?
  18. Calling stored procedure using VBA
  19. Avoid Naming User Stored Procedures SP% or SP_%
  20. Execute stored procedure with an Output parameter?
  21. Check if a string contains a substring in SQL Server 2005, using a stored procedure
  22. Stored procedure – return identity as output parameter or scalar
  23. How to find a text inside SQL Server procedures / triggers?
  24. Python – pyodbc call stored procedure with parameter name
  25. SQL Server stored procedure return code oddity
  26. Populate Dataset With Table Names From Stored Procedure
  27. How to cleanse (prevent SQL injection) dynamic SQL in SQL Server?
  28. ODBC Call Failed with stored procedure – Pass through query
  29. Why can’t Entity Framework see my Stored Procedure’s column information?
  30. Why do table names in SQL Server start with “dbo”?

Leave a Comment