We have a SQL Agent job that is configured to run as user "dbo". This job gets a list of databases defined in sys.databases that match a naming scheme. The job then performs some dynamic SQL to cleanup some old transaction tables. The job starts against tempdb.
The agent job runs fine on my own development database (SQL Server 2008 R2 Standard Edition 10.50.2500.0). The job correctly gets the list of databases. However, on a customer system (SQL Server 2008 R2 Standard Edition 64-bit 10.50.1600.1), the job does not find any matching databases despite them existing.
On the customer system, a simple select * from sys.databases
run against tempdb in a query window returns all 10 databases in the system.
Using the profiler, I saw SQL Agent call EXECUTE AS USER = N'dbo' WITH NO REVERT
when running this job. I duplicated the issue using the following SQL:
use tempdb
-- results: tempdb, <my SQL user>, dbo
select
db_name() as [Current Database],
suser_name() as [Current Context],
user_name() as [Current User]
-- results: tempdb, 10 (which I expect)
select
db_name() as [Current Database],
count(*)
from sys.databases
execute as user = N'dbo'
-- results: tempdb, sa, dbo
select
db_name() as [Current Database],
suser_name() as [Current Context],
user_name() as [Current User]
-- results: tempdb, 2 (?!?)
select
db_name() as [Current Database],
count(*)
from sys.databases
revert
If I change 'use tempdb' to 'use master', the results are the expected 10 databases for each query.
Why would sys.databases return different results when run as the user dbo from the tempdb database? And why does it return all databases with use master
as the dbo user?
More information – If I run this script in SQL Server Management Studio without including the revert
at the bottom, my list of databases shrinks to the same two that this query returns from sys.databases.
Best Answer
This appears to be a matter of access rights and the specific user in the database. The first thing to understand is that
sys.databases
in any database is simply a view that exposes parts of the system table that lives inresourcedb
. Anytime you are querying that in any database, you're hitting the same table but through a different view.The second thing to understand is each database has a
dbo
user. When you use theexecute as user = N'dbo'
, that means you'redbo
in the context of that specific database. In your specific example, thedbo
user inmaster
and thedbo
user intempdb
are two different security principals.What you're seeing is simply a matter of what each principal is allowed to see.
dbo
users, being the owner login of each specific database, only have rights to see the following databases:master
(in order to look up control information)tempdb
(in order to create temporary objects when necessary)Note that the
dbo
user inmaster
, since that database needs to see and supply control information for all databases, has rights to view all databases on the server.