Please start any new threads on our new
site at https://forums.sqlteam.com. We've got lots of great SQL Server
experts to answer whatever question you can come up with.
| Author |
Topic |
|
Blastrix
Posting Yak Master
208 Posts |
 Posted - 2003-03-27 : 15:09:07
|
| I'm trying to implement multiple users in a database that has been previously only used on the web, and as such, had just one generic user(DBO) to do it all. I am wanting to tighten security as it branches out, but have found that if I give EXEC rights to a user on a stored procedure, then those rights override the rights specified at the table level.Is it basically up to me to make sure that the user does not get EXEC rights to an SP that performs a DELETE somewhere inside of it, if that user shouldn't be using DELETE? I was kind of hoping that SQL Server would be smarter than that, and take the table permissions into account.Am I doing something wrong, or is this expected functionality?Thanks |
|
|
tkizer
Almighty SQL Goddess
38200 Posts |
Posted - 2003-03-27 : 15:34:22
|
| If a user has EXEC privileges on a stored procedure, then that user can do everything that the stored procedure can but only in the context of the stored procedure. Why would you want to deny the DELETE anyway? If it worked that way, then the user would receive an error message and it would be rolled back. Yes this is the expected functionality. You should not ditch stored procedures because of this. Stored procedures are the way to go for several reasons, one of which is that you don't have to grant individual table or view permissions.Tara |
 |
|
|
|
|
|
SP Permissions vs Table Permissions