I have a role ExecSP
which I use to manage who can execute stored procedures. EXECUTE
permission is granted on all SPs to this role.
I also use SQL Server Data Tools (SSDT) to manage MS SQL Server database schema.
In the file where my SP is defined, I have this:
CREATE PROC SomeProc AS
.
.
.
GO
GRANT EXECUTE ON SomeProc TO ExecSP
However, when I apply the change to the target database, and do the schema comparison, it reports differences in SP permissions, where on the DB side I have this:
GRANT EXECUTE ON SomeProc TO ExecSP AS dbo
I've tried to understand what AS dbo
part represents, but I couldn't.
My questions:
- Does it mean that the SP will be executed with
dbo
rights, regardless of who is executing it? (I guess/hope it doesn't.) - Why is this added automatically?
- I want this SP to be executed with the rights the caller has – how do I achieve that?
Best Answer
That is wrong. Try to reproduce it and you'll get the error:
Even if Mary and Raul are members of sysadmin fixed server role. And that is why: the AS clause is not intended to be used with WITH GRANT OPTION, but, as BOL 2008R2 offline version says:
That is, the mentioned above repro with Mary and Raul both sysadmins fails because Raul has no explicit permission on object X, and even if it has no need to be granted an explicit permission being sysadmin, this time we get an error because the permission check is not bypassed: server checks the sys.database_permissions to find the appropriate permission.
The AS clause is used in following scenario: we have a database role MyRole that is granted some permission WITH GRANT OPTION. Let's Mary be a user-member of MyRole. Now Mary wants to give the permission she has to Steven, but the simple
failed because as a simple user Mary has no permission on X, but if she writes
it works fine: there is the explicit grant to MyRole is sys.database_permissions
Returning to your question, if you try now to script any of your object using Management Studio (database -> tasks -> generate scripts, select some objects and in "advanced" turn on "script object level permissions"), you'll get the same script: GRANT ... AS DBO. And only in the case with the role you'll see GRANT .. AS MYROLE. So the Studio always scripts out the grantor from sys.database_permissions, but it's not an "audit", you'll never see other principals that are not dbo except for the role case, and even if you has a principal that has only CONTROL permission on only one object, when he grants someone a permission to that object, in sys.database_permissions the grantor will be dbo.