Posted by Kevin Frey on 11/16/07 00:41

SQL Server allows for a user to have SELECT permission on a View without
that user requiring an associated SELECT permission on the underlying table
that the VIEW accesses, but the user can still access the data through the
View. A similar arrangement holds true for stored procedures.

So based on these initial known behaviours, I have a couple of questions:

1. If a stored procedure A executes stored procedure B, does the user of A
require execute permission for B also? Or will access to B be permitted
regardless because the user was given access to A?

2. Similarly, if a stored procedure A accesses a View, does the user of A
require permissions on the referenced View?

I guess to paraphrase what I am trying to determine is whether SQL Server
only checks permissions at the "entry" point of a particular function, or
whether permission checks are performed "intra-function". My opening
examples imply they are only checked "on entry", but I am wondering if this
behaviour is entirely consistent. Perhaps the SQL Standard mandates this?

• Next in forum: Sql injecting
• Prev in forum: Re: tuning stored procedure, variables and different optimisers
• Thread view: Security Checking

[Reply to this message]