This question is about impersonation in Microsoft SQL Server. I want to know that if I have impersonation permissions on a specific login then I can easily impersonate that login whenever I want and I do not need to have a stored procedure with EXECUTE AS OWNER
? If that is so then what is the purpose of a stored procedure with EXECUTE AS
?
SQL Server Impersonation Guide
impersonationpermissionsSecuritysql server
Related Question
- SQL Server – Assigning Temporary Permissions for DDL
- SQL Server – Stored Procedure with Minimal Permissions for Cross-Database Operations
- SQL Server Permissions – Use of IMPERSONATE Permissions
- SQL Server Impersonation – Troubleshooting Not Working Issues
- SQL Server – Cross-Database Impersonation Fail for Service Account
- Sql-server – 22046 “Impersonation error” running SQL Server Agent job
- Sql-server – Execute SSIS procedure from stored procedure using non-privileged SQL login
Best Answer
Excellent question. Yes, if LoginA (or UserA) is granted
IMPERSONATE
on LoginB (or UserB), then LoginA (or UserA) can execute theEXECUTE AS
statement whenever they want, without restriction:or
The purpose of the
EXECUTE AS
clause (part of theCREATE {module}
statement) is to temporarily grant thatIMPERSONATE
permission only in the context of that module. This prevents you from needing to explicitly grantIMPERSONATE
. The difference is, outside of the context of that module withEXECUTE AS {SomeUser}
, whoever is executing that module shouldn't have the ability to impersonate that User. You don't want Logins / Users being able to impersonate others whenever they want. That is a security risk. TheEXECUTE AS
clause gives you the ability to let a principal impersonate another only when you want, not when they try to on their own (where you can't restrict what they do with those elevated permissions). So, you actually do want theEXECUTE AS
clause, and do not want to grantIMPERSONATE
to anyone ever (if it can be avoided, and most likely it can be).For example: There is no
TRUNCATE TABLE
permission. If you want someone to be able to truncate a particular table (that they do not own, since they do have permission to do that) you could grant themIMPERSONATE
ondbo
. However, there is then no way to restrict their actions to only issuingTRUNCATE TABLE
, and only on that particular table. That User can executeEXECUTE AS USER = 'dbo';
whenever they want, and then do whatever they want. However, by addingEXECUTE AS 'dbo'
to theCREATE PROCEDURE .... AS TRUNCATE TABLE {TableName};
statement, whoever executes that module will still impersonatedbo
, but only for the actions in that module, which here is just truncating a particular table.Of course, the
EXECUTE AS
clause of aCREATE
statement can only impersonate another User (database-level only). It cannot impersonate another Login (instance-level). This limitation is what leads too many people to enableTRUSTWORTHY
so that a Login matching the same SID of the User being impersonated will be able to temporarily grant additional permissions. But this is quite dangerous, which is why the ideal (and far better) mechanism for temporarily elevating permissions is Module Signing.For more details on why impersonation, as well as
TRUSTWORTHY ON
and Cross-DB Ownership Chaining, are bad, and how / why Module Signing is better, please see:PLEASE, Please, please Stop Using Impersonation, TRUSTWORTHY, and Cross-DB Ownership Chaining