Sql-server – Does a user who has permissions to select from a view also need select granted to the children entities of that view

permissionsSecuritysql server

If view 1 uses tables A and B, and a user has SELECT granted on view 1 is that sufficient for the user to select from view 1 or does he also need SELECT granted on tables A and B.

Specific details on my situation (in regards to Erik's comment):

I thought I understood permissions, but I'm a little confused right now.

I have a user specifically for testing permissions. I have view 1 in database 1 that references view 2 in database 2 and view 3 in database 2. View 2 in database 2 references table A in database 3. View 3 in database 2 references table B in database 2.

So at the individual entity level, I slowly was adding permissions as necessary and check with my test user to see what error I get back from SSMS.

I first granted select permissions to the test user on view 1. Then based on the errors I was getting, I also needed to grant select on view 2 and table A (that is referenced by view 2). But I did NOT need to grant select permissions to my test user on view 3. This is where I'm confused.

I then assumed my test user might be part of a role (or something) that gives it full select access on database 2, but then if I try to select directly from view 3 it gets a permission denied error, even though it CAN select from view 1 (which references view 3).

TL;DR: Why can my test user account select from a view but can't directly select from one of the entities that that view is dependent on?…is that normal permissions behavior?

Best Answer

Generally speaking, sub-objects owned by the same owner of the object that one has permission to will pass along that permission. This is Ownership Chaining. By default this behavior is constrained to working within the current database, and with non-dynamic SQL. When you start involving other databases and/or dynamic SQL, then you need some additional configuration to allow that to work (that is, if you don't want to grant direct access to those sub-objects).

The simple / easy mechanisms are to enable Cross-Database Ownership Chaining and/or TRUSTWORTHY (database property), depending on what you are trying to do. However, being simple and easy also means that they both open up rather large security holes.

Fortunately, there is a way to accomplish this with just a little bit of extra work, but the end result will be a much more secure setup. You want to use Module Signing. The only down-side is that you might need to change 1 or more of the Views into Multi-statement Table-valued Functions so that the object can be signed (Views and Inline TVFs cannot be signed). However, the security itself is much cleaner since it is highly specific and self-contained. You will create Certificate-based Users that have the permissions that you want, in each DB that you want them to be extended to (this is done by re-creating the same Certificate in each DB). Then you just need to grant the actual Login / User the EXECUTE permission to the main object.

For a full example of how to do this, please see my answers here:

And for more info on why you should use Module Signing instead of Cross-DB Ownership Chaining and/or TRUSTWORTHY, please see my post here:

PLEASE, Please, please Stop Using Impersonation, TRUSTWORTHY, and Cross-DB Ownership Chaining

Related Solutions

Sql-server – The SELECT permission was denied on the (View) object after explicit grant select on view to user

Your response pointed me in the right direction.

After looking at the object and verifying the permissions many times, I shifted my focus to the Login and User.

Apparently the login is mapped to a different user. So when I checked the server_principal against the database_principal there was a mismatch.

The login is called appuser and i am also trying to grant permissions inside the database to appuser. Unfortunately someone created a different database user which is actually called appwebuser.

So once i discovered that we were granting permissions to the wrong user and update the code to the correct database user the problem was resolved.

I used the following query to track down the login. I add in the servername and dbname so i can check against my different environments and report to the customer.

SELECT 
@@servername  as [server_name]
,db_name()  as [database_name]
,sp.name as [server_principal_name]
,sp.type as [server_principal_type]
,sp.type_desc as [server_principal_type_desc]
,sp.create_date as [server_principal_create_date]
,sp.default_database_name as [server_principal_default_database_name]
,dp.name as [database_principal_name]
,dp.type as [database_principal_type]
,dp.type_desc as [database_principal_type_desc] 
,dp.default_schema_name as [database_principal_default_schema_name]
FROM 
    sys.database_principals  dp INNER JOIN
    sys.server_principals sp ON (dp.sid = sp.sid)
WHERE 
    sp.name like 'appuser'
    or dp.name like  'appuser'
    or sp.name like 'appwebuser'
    or dp.name like  'appwebuser'

Sql-server – Does this mean the ‘public’ has full select, insert, update, and delete access

This means that if the user has not had permissions explicitly set for the securable (or inherited from permissions explicitly set) that public has permissions for, then those will be applied. In other words, if you have User1 with DELETE permissions denied on User_Table, then User1 will not be able to delete data from that table.

Please see BOL's reference on Database-Level Roles:

public Database Role
Every database user belongs to the public database role. When a user has not been granted or denied specific permissions on a securable object, the user inherits the permissions granted to public on that object.

Example

use TestDB;
go

create login Login1
with
    password = 'password',
    check_policy = off;
go

create user User1
for login Login1;
go

-- this will return 1 (meaning, yes it is a role member)
select is_rolemember('public', 'User1');


-- let's do a test to show the above theory
create table SomeTable
(
    id int identity(1, 1) not null,
    SomeText varchar(30) not null
        default replicate('a', 30)
);
go

insert into SomeTable
values(default);
go 10

-- give the public role permissions to SELECT on SomeTable
grant select
on SomeTable
to public;
go

-- this will be successful, because User1 is part of public
execute as user = 'User1';
go

select *
from SomeTable;

revert;
go


-- create a new role to deny SELECT on SomeTable
exec sp_addrole 'Role1';
go

deny select
on SomeTable
to Role1;
go

-- add User1 to this new role
exec sp_addrolemember 'Role1', 'User1';
go


-- this will not be successful because User1 now has been denied SELECT on SomeTable
execute as user = 'User1';
go

select *
from SomeTable;

revert;
go

Best Answer

Related Solutions

Sql-server – The SELECT permission was denied on the (View) object after explicit grant select on view to user

Sql-server – Does this mean the ‘public’ has full select, insert, update, and delete access

Related Question