|
|
Posted by Dan Guzman on 08/26/05 15:49
>
> The one way I can think of to sort this out - beside uniting the databases
> into one - is to enable the server configuration parameter "Cross DB
> Ownership Chaining". This option was added in SP3 is off by default.
> If there no other databases from other applications on the server,
> there is no problem to enable this option. However, on consolidated
> server that hosts databases for unrelated applications, this is not
> recommendable.
>
Jason could instead enable the 'db chaining' database option for only those
databases needed by the application rather than turning the cross-database
chaining server-wide.
> For cross DB chaining to work, the databases must also have the same
> owner.
This is true, assuming the objects are owned by 'dbo', because database
ownership determines the dbo user mapping. In the case of non-dbo-owned
objects, the object owners in the different databases need to map to the
same login in order to maintain an unbroken ownership chain.
> The user's connection can gain access to
> another database only through permissions granted to the guest user
> account in that database. Therefore, if the guest user account does not
> exist in a database, the connection cannot gain access to that
> database.
To expand on this BOL excerpt, it's necessary to enable the guest user in
the non-application role databases so that users have a security context
after the application role is enabled. However, no permissions need to be
granted to guest or public in Jason's situation because access is done only
through views and procs from application role database.
--
Hope this helps.
Dan Guzman
SQL Server MVP
Navigation:
[Reply to this message]
|