I have a Stored Procedure that creates a Database for a specific project which needs to run every month by one of our Data Analysts. The question is how do I structure this to enable the Analyst to run this Stored Procedure without granting them Create Database Permission.
I Tried
WITH EXECUTE AS OWNER/USER_NAME
The Analysts still get the below error:
Msg 262, Level 14, State 1, Line 67
CREATE DATABASE permission denied in database 'master'.
Any advice?
Best Answer
It did not work because the
EXECUTE AS
clause of aCREATE {object}
statement can only reference a User, which is a database-level principal.CREATE DATABASE
is an instance-level permission, so it needs to be granted to a login (an instance-level principal), not to a user.This is easy to accomplish using Module Signing:
SETUP
APPLY MODULE SIGNING
TEST
For a detailed explanation of the steps taken to apply module signing, please see my post:
Safely and Easily Use High-Level Permissions Without Granting Them to Anyone: Server-level
For more information about module signing in general, and why you should use it instead of the easier yet more dangerous
SET TRUSTWORTHY ON
, please see my post:PLEASE, Please, please Stop Using Impersonation, TRUSTWORTHY, and Cross-DB Ownership Chaining