can a SQL Server stored proc execute with higher permission than its caller?

删除回忆录丶 提交于 2019-12-12 13:03:44

问题


Our SQL Server database has a reporting feature that allows callers to read, but not write, any table, because the user (or, more precise, the connection opened by the web app that's operating on behalf of the user) has only datareader permissions on the database.

We'd like to be able to write a store procedure that is a special "cleanup report" that will scrub the DB of old cached data before running another report. We'd like the same read-only user above to be able to run this stored proc. The queries inside the stored proc will do DELETE operations, but we don't want to give the user the ability to delete anything other than by via calling this proc.

I know about Module Signing but was hoping to avoid the complexity of dealing with certificates.

Is there another solution? We're using SQL Standard Authentication if that matters.


回答1:


CREATE PROCEDURE dbo.my_procedure
WITH EXECUTE AS OWNER
AS
BEGIN
  -- do your stuff here
END
GO
GRANT EXEC ON dbo.my_procedure TO [your_datareader_member];
GO



回答2:


The granted permission to execute the procedure will allow the delete to occur.

In fact this is a very relevant scenario, to limit ability to perform certain operations (such as delete). The user may not delete random rows from random tables but they can execute a specific targeted delete procedure.



来源:https://stackoverflow.com/questions/15980286/can-a-sql-server-stored-proc-execute-with-higher-permission-than-its-caller

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!