SQL Server 2008 R2
We have a login & user called "JoeBlogs", this user has it's own default schema
of JoeBlogs – it has Public
access only to the database.
We then granted it SELECT
on a dbo
view – the dbo
view however selects data from underlying tables that belong to a non-dbo schema – so we get an error selecting from the view saying access was denied to underlying tables.
How does one configure the user to have select access to the dbo
view but not the underlying non-dbo tables?
Is this even possible?
Jordon
Best Answer
You have to understand the problem before proceeding with the solution.
When you select from a view the SQL Server system would check permissions twice:
Once when you select from the view, and once when the view makes reference to the underlying table.
Obviously the second check would fail if the user has no permission on the underlying table.
Microsoft have solved this with "Ownership Chaining" (known as OC).
OC will bypass the permission check that would be done when the view is referencing the table,
Only if the owner of the view is the same as the owner of the table.
The thing is, OC is bypassing permission checks completely, which means that it can bypass denies as well...
For example, if "JoeBlogs" has the
create view
permission, he can create a new view which has access to the entire table.I suggest you read about ownership chaining before you decide your course of action.
books online
msdn blog
detailed example, using a stored procedure instead of view
Having said that, the first Intuitive solution would be to create the view under the same non-dbo schema as the underlying tables (or a schema owned by the same user as the non-dbo schema).
However, if you find that solution to be too risky there is another (and maybe even better) option:
You can always use a function (Multistatement Table-valued Function) with an
EXECUTE AS
clause:Create function syntax
execute as clause
This method will allow you to select from the function (
execute
permission on the function) while the function belongs todbo
. The user specified in theexecute as
clause must have permissions on the underlying tables.