Sql-server – Different Results From sys.databases As Different Users

Securitysql serversystem-tables

We have a SQL Agent job that is configured to run as user "dbo". This job gets a list of databases defined in sys.databases that match a naming scheme. The job then performs some dynamic SQL to cleanup some old transaction tables. The job starts against tempdb.

The agent job runs fine on my own development database (SQL Server 2008 R2 Standard Edition 10.50.2500.0). The job correctly gets the list of databases. However, on a customer system (SQL Server 2008 R2 Standard Edition 64-bit 10.50.1600.1), the job does not find any matching databases despite them existing.

On the customer system, a simple select * from sys.databases run against tempdb in a query window returns all 10 databases in the system.

Using the profiler, I saw SQL Agent call EXECUTE AS USER = N'dbo' WITH NO REVERT when running this job. I duplicated the issue using the following SQL:

use tempdb

-- results: tempdb, <my SQL user>, dbo
select
    db_name() as [Current Database],
    suser_name() as [Current Context],
    user_name() as [Current User]

-- results: tempdb, 10 (which I expect)
select
    db_name() as [Current Database],
    count(*)
from sys.databases

execute as user = N'dbo'

-- results: tempdb, sa, dbo
select
    db_name() as [Current Database],
    suser_name() as [Current Context],
    user_name() as [Current User]

-- results: tempdb, 2 (?!?)
select
    db_name() as [Current Database],
    count(*)
from sys.databases

revert

If I change 'use tempdb' to 'use master', the results are the expected 10 databases for each query.

Why would sys.databases return different results when run as the user dbo from the tempdb database? And why does it return all databases with use master as the dbo user?

More information – If I run this script in SQL Server Management Studio without including the revert at the bottom, my list of databases shrinks to the same two that this query returns from sys.databases.

Best Answer

This appears to be a matter of access rights and the specific user in the database. The first thing to understand is that sys.databases in any database is simply a view that exposes parts of the system table that lives in resourcedb. Anytime you are querying that in any database, you're hitting the same table but through a different view.

The second thing to understand is each database has a dbo user. When you use the execute as user = N'dbo', that means you're dbo in the context of that specific database. In your specific example, the dbo user in master and the dbo user in tempdb are two different security principals.

What you're seeing is simply a matter of what each principal is allowed to see. dbo users, being the owner login of each specific database, only have rights to see the following databases:

master (in order to look up control information)
tempdb (in order to create temporary objects when necessary)
The database they own

Note that the dbo user in master, since that database needs to see and supply control information for all databases, has rights to view all databases on the server.

Best Answer

Related Solutions

Sql-server – How to fix a login timout in SQL Server 2005 when using a linked server and a stored procedure called from a SQL Agent Job

Sql-server – “current security context is not trusted” for job running as a SQL login accessing linked server

Related Question