This question is about impersonation in Microsoft SQL Server. I want to know that if I have impersonation permissions on a specific login then I can easily impersonate that login whenever I want and I do not need to have a stored procedure with EXECUTE AS OWNER? If that is so then what is the purpose of a stored procedure with EXECUTE AS?
SQL Server Impersonation Guide
impersonationpermissionsSecuritysql server
Related Question
- SQL Server – Assigning Temporary Permissions for DDL
- SQL Server – Stored Procedure with Minimal Permissions for Cross-Database Operations
- SQL Server Permissions – Use of IMPERSONATE Permissions
- SQL Server Impersonation – Troubleshooting Not Working Issues
- SQL Server – Cross-Database Impersonation Fail for Service Account
- Sql-server – 22046 “Impersonation error” running SQL Server Agent job
- Sql-server – Execute SSIS procedure from stored procedure using non-privileged SQL login
Best Answer
Excellent question. Yes, if LoginA (or UserA) is granted
IMPERSONATEon LoginB (or UserB), then LoginA (or UserA) can execute theEXECUTE ASstatement whenever they want, without restriction:or
The purpose of the
EXECUTE ASclause (part of theCREATE {module}statement) is to temporarily grant thatIMPERSONATEpermission only in the context of that module. This prevents you from needing to explicitly grantIMPERSONATE. The difference is, outside of the context of that module withEXECUTE AS {SomeUser}, whoever is executing that module shouldn't have the ability to impersonate that User. You don't want Logins / Users being able to impersonate others whenever they want. That is a security risk. TheEXECUTE ASclause gives you the ability to let a principal impersonate another only when you want, not when they try to on their own (where you can't restrict what they do with those elevated permissions). So, you actually do want theEXECUTE ASclause, and do not want to grantIMPERSONATEto anyone ever (if it can be avoided, and most likely it can be).For example: There is no
TRUNCATE TABLEpermission. If you want someone to be able to truncate a particular table (that they do not own, since they do have permission to do that) you could grant themIMPERSONATEondbo. However, there is then no way to restrict their actions to only issuingTRUNCATE TABLE, and only on that particular table. That User can executeEXECUTE AS USER = 'dbo';whenever they want, and then do whatever they want. However, by addingEXECUTE AS 'dbo'to theCREATE PROCEDURE .... AS TRUNCATE TABLE {TableName};statement, whoever executes that module will still impersonatedbo, but only for the actions in that module, which here is just truncating a particular table.Of course, the
EXECUTE ASclause of aCREATEstatement can only impersonate another User (database-level only). It cannot impersonate another Login (instance-level). This limitation is what leads too many people to enableTRUSTWORTHYso that a Login matching the same SID of the User being impersonated will be able to temporarily grant additional permissions. But this is quite dangerous, which is why the ideal (and far better) mechanism for temporarily elevating permissions is Module Signing.For more details on why impersonation, as well as
TRUSTWORTHY ONand Cross-DB Ownership Chaining, are bad, and how / why Module Signing is better, please see:PLEASE, Please, please Stop Using Impersonation, TRUSTWORTHY, and Cross-DB Ownership Chaining