Sql-server – how to run SQL query without permission

permissionssql server

there is a sql query that joins both example1.dbo.table1 and example2.dbo.table2

User1 has no select permission on example1 DB.

User1 has select permission on example2 DB.

User2 can run that query

how can User1 run that query ? I dont want to give select permission to User1.

Is there any possibility of that ?

I created this query as procedure and added "execute as user2" inside of it but still couldn't run for User1.

Best Answer

You will need cross-database permissions.

The most secure solution is to create a dedicated user from Certificate in the "example1" DB and grant this user read privileges. Then in the "example2" DB you will sign this stored procedure with the same certificate, so the procedure will be able to use permissions of the previously created user.

You can find detailed tutorial here. And for a longer elaboration on the topic, check out Erland's classic article.

Another option would be to enable 'Cross-database ownership chaining', but it is not recommended because of security implications.

Related Solutions

SQL Server Login – Access Tables Across Multiple Databases

Cross-database ownership chaining is the easier solution. But as Oliver noted, it does come with some security exposures.

If you want to avoid the cross-database ownership chaining approach you can, to quote Erland Sommarskog: "When you need to write a stored procedure that accesses data in another database, you can arrange permissions by signing your procedure with a certificate that exists in both databases."

Erland has a lengthy article on the subject. I am giving you the link to the specific issue of cross database permissions using a certificate: http://www.sommarskog.se/grantperm.html#certcrossdb

This is safer, but it is more work.

SQL Server – Procedure Permission Issues with SQL State Query

I think that your simplest option is a job.

You can grant the permissions to start a job through the SQLAgentOperatorRole role in msdb. Members of this role can start jobs owned by a sysadmin login, which can execute the commands you need.

Here's an example based on your requirements:

USE master
GO

CREATE LOGIN testUser WITH PASSWORD = 'strongPassword' , CHECK_POLICY = OFF
GO

USE msdb
GO

CREATE USER testUser FOR LOGIN testUser
GO

EXEC sp_addrolemember 'SQLAgentOperatorRole', 'testUser'
GO

DECLARE @jobId uniqueidentifier

EXEC sp_add_job @job_name=N'test', 
        @enabled=1, 
        @owner_login_name=N'sa',
        @job_id = @jobId OUTPUT

EXEC msdb.dbo.sp_add_jobserver @job_id=@jobid, @server_name = @@SERVERNAME


EXEC sp_add_jobstep @job_id=@jobId, @step_name=N'step1', 
    @subsystem=N'TSQL', 
    @command=N'DBCC SQLPERF(logspace)
EXEC master..xp_fixeddrives
SELECT * FROM dbo.sysfiles
SELECT * FROM sys.master_files
SELECT * FROM tempdb.sys.database_files
SELECT * FROM tempdb.sys.dm_db_file_space_usage
SELECT * FROM sys.dm_exec_requests
SELECT * FROM sys.dm_tran_locks
SELECT * FROM sys.partitions
SELECT * FROM sys.indexes
SELECT * FROM sys.dm_os_waiting_tasks
SELECT * FROM sys.dm_os_tasks
SELECT * FROM sys.dm_exec_sessions
'
GO


EXECUTE AS LOGIN = 'testUser'

EXEC msdb.dbo.sp_start_job @job_name = 'test'

REVERT
GO


-- CLEANUP:
-----------
-- EXEC msdb.sys.sp_executesql N'DROP USER testUser'
-- DROP LOGIN testUser
-- EXEC msdb.dbo.sp_delete_job @job_name = 'test'

While granting the SQLAgentOperatorRole is stil a (minor) security concern, I find it less worrying than other solutions.

Best Answer

Related Solutions

SQL Server Login – Access Tables Across Multiple Databases

SQL Server – Procedure Permission Issues with SQL State Query

Related Question