More Info: Stored Procedure Security Question

Dear Group

I have found that table A had SELECT permissions for 'Public' but not table
B.
Giving 'Public' SELECT permissions on table B did the trick.

HOWEVER, I don't want anyone to be able to do a direct SELECT on table A or
B but only give them access to the data by using the stored procedures. Is
there any way this can be set up?

Thanks for your efforts!
Have a nice day!

Martin

"Martin Feuersteiner" <theintrepidfox@.hotmail.com> wrote in message news:...
> Dear Group
> I'm having two stored procedures, sp_a and sp_b
> Content of stored procedure A:
> CREATE PROCEDURE dbo.sp_a
> SELECT * FROM a
> GO
> Content of stored procedure B:
> CREATE PROCEDURE dbo.sp_b
> SELECT * FROM b
> GO
> I have created a user that has execute permissions for both procedures.
> When I run procedure A, all works fine but when running procedure B I'm
> getting an error saying that the user must have SELECT permissions on
> table B.
> Both tables are owned by dbo, and the security role for the user doesn't
> has any SELECT permission on table a and b.
> I'd be grateful if anyone could point me in a direction why this error
> might come up for procedure B but not for A,
> with a possible solution without giving the user SELECT permissions.
> Thanks very much for your help!
> MartinMartin Feuersteiner (theintrepidfox@.hotmail.com) writes:
> "Martin Feuersteiner" <theintrepidfox@.hotmail.com> wrote in message
>> Content of stored procedure A:
>> CREATE PROCEDURE dbo.sp_a
>> SELECT * FROM a
>> GO
>>
>> Content of stored procedure B:
>> CREATE PROCEDURE dbo.sp_b
>> SELECT * FROM b
>> GO
> I have found that table A had SELECT permissions for 'Public' but not
> table B. Giving 'Public' SELECT permissions on table B did the trick.
> HOWEVER, I don't want anyone to be able to do a direct SELECT on table A
> or B but only give them access to the data by using the stored
> procedures. Is there any way this can be set up?

I have a strong feeling that you are not telling us the full story,
because what you have described is the typical usage of ownership
chaining, and users should indeed be able to access the data in the
tables through the stored procedures.

Is there by chance some dynamic SQL involved?

--
Erland Sommarskog, SQL Server MVP, esquel@.sommarskog.se

Books Online for SQL Server SP3 at
http://www.microsoft.com/sql/techin.../2000/books.asp|||I also responded to your previous thread. As Erland said, this should work
as long as the objects are in the same database. If in different databases,
you'll need to enable cross-database chaining and the databases need to have
the same owner in order to maintain an unbroken ownership chain for
dbo-owned objects.

--
Hope this helps.

Dan Guzman
SQL Server MVP

"Martin Feuersteiner" <theintrepidfox@.hotmail.com> wrote in message
news:cg53pg$rbo$1@.sparta.btinternet.com...
> Dear Group
> I have found that table A had SELECT permissions for 'Public' but not
table
> B.
> Giving 'Public' SELECT permissions on table B did the trick.
> HOWEVER, I don't want anyone to be able to do a direct SELECT on table A
or
> B but only give them access to the data by using the stored procedures. Is
> there any way this can be set up?
> Thanks for your efforts!
> Have a nice day!
> Martin
>
> "Martin Feuersteiner" <theintrepidfox@.hotmail.com> wrote in message
news:...
> > Dear Group
> > I'm having two stored procedures, sp_a and sp_b
> > Content of stored procedure A:
> > CREATE PROCEDURE dbo.sp_a
> > SELECT * FROM a
> > GO
> > Content of stored procedure B:
> > CREATE PROCEDURE dbo.sp_b
> > SELECT * FROM b
> > GO
> > I have created a user that has execute permissions for both procedures.
> > When I run procedure A, all works fine but when running procedure B I'm
> > getting an error saying that the user must have SELECT permissions on
> > table B.
> > Both tables are owned by dbo, and the security role for the user doesn't
> > has any SELECT permission on table a and b.
> > I'd be grateful if anyone could point me in a direction why this error
> > might come up for procedure B but not for A,
> > with a possible solution without giving the user SELECT permissions.
> > Thanks very much for your help!
> > Martin|||Thanks for your help guys!
Well, as Erland suspected, I haven't given you the full story as I
thought it doesn't matter but as I found out the hard way, it was
indeed dynamic SQL that caused the problem.

Erland, please don't tell me off for using dynamic SQL! LOL
I've read your wonderful fantastic guides and obbey all rules on
dynamic SQL but although I'm not happy myself, I think I really can't
avoid it this time.
However, if you'd offer to have a look at my script and just tell me
whether it can be done without dynamic SQL then this would make me
very happy!

Anyway, I solved the permission problem by basing the stored
procedures that contain the dynamic SQL on Views and implementing row
level security in those.

Thanks again for your efforts!
Have a nice day!

Martin

"Dan Guzman" <danguzman@.nospam-earthlink.net> wrote in message news:<07JVc.8691$3O3.3742@.newsread2.news.pas.earthlink.n et>...
> I also responded to your previous thread. As Erland said, this should work
> as long as the objects are in the same database. If in different databases,
> you'll need to enable cross-database chaining and the databases need to have
> the same owner in order to maintain an unbroken ownership chain for
> dbo-owned objects.
> --
> Hope this helps.
> Dan Guzman
> SQL Server MVP
> "Martin Feuersteiner" <theintrepidfox@.hotmail.com> wrote in message
> news:cg53pg$rbo$1@.sparta.btinternet.com...
> > Dear Group
> > I have found that table A had SELECT permissions for 'Public' but not
> table
> > B.
> > Giving 'Public' SELECT permissions on table B did the trick.
> > HOWEVER, I don't want anyone to be able to do a direct SELECT on table A
> or
> > B but only give them access to the data by using the stored procedures. Is
> > there any way this can be set up?
> > Thanks for your efforts!
> > Have a nice day!
> > Martin
> > "Martin Feuersteiner" <theintrepidfox@.hotmail.com> wrote in message
> news:...
> > > Dear Group
> > > > I'm having two stored procedures, sp_a and sp_b
> > > > Content of stored procedure A:
> > > CREATE PROCEDURE dbo.sp_a
> > > SELECT * FROM a
> > > GO
> > > > Content of stored procedure B:
> > > CREATE PROCEDURE dbo.sp_b
> > > SELECT * FROM b
> > > GO
> > > > I have created a user that has execute permissions for both procedures.
> > > When I run procedure A, all works fine but when running procedure B I'm
> > > getting an error saying that the user must have SELECT permissions on
> > > table B.
> > > > Both tables are owned by dbo, and the security role for the user doesn't
> > > has any SELECT permission on table a and b.
> > > I'd be grateful if anyone could point me in a direction why this error
> > > might come up for procedure B but not for A,
> > > with a possible solution without giving the user SELECT permissions.
> > > > Thanks very much for your help!
> > > > Martin
>|||Martin (theintrepidfox@.hotmail.com) writes:
> Erland, please don't tell me off for using dynamic SQL! LOL
> I've read your wonderful fantastic guides and obbey all rules on
> dynamic SQL but although I'm not happy myself, I think I really can't
> avoid it this time.
> However, if you'd offer to have a look at my script and just tell me
> whether it can be done without dynamic SQL then this would make me
> very happy!

Well, there are cases where dynamic SQL is the best solution and there
are cases where dynamic SQL is a really poor choice.

The whole message of http://www.sommarskog.se/dyn-search.html is that
for dynamic search conditions is "use dynamic SQL, if you can handle
the security issues". If you can make it with views, then you should
be fine.

Beware though, that a very skilled person can be able to cram out
information from a view for row-based security that he is not supposed
to have access to. It is not that he can actually get to see the rows,
but he can make conclusions from query plans statistical IO and such.

--
Erland Sommarskog, SQL Server MVP, esquel@.sommarskog.se

Books Online for SQL Server SP3 at
http://www.microsoft.com/sql/techin.../2000/books.asp|||Thanks very much Erland!

>It is not that he can actually get to see the rows,
> but he can make conclusions from query plans statistical IO and such.

Do you know any source with more information on this view security issue?
What harm can it do? It's a CRM app, not a top secret military app.

Thanks for your efforts!

M

Erland Sommarskog <esquel@.sommarskog.se> wrote in message news:<Xns954FEB97D2796Yazorman@.127.0.0.1>...
> Martin (theintrepidfox@.hotmail.com) writes:
> > Erland, please don't tell me off for using dynamic SQL! LOL
> > I've read your wonderful fantastic guides and obbey all rules on
> > dynamic SQL but although I'm not happy myself, I think I really can't
> > avoid it this time.
> > However, if you'd offer to have a look at my script and just tell me
> > whether it can be done without dynamic SQL then this would make me
> > very happy!
> Well, there are cases where dynamic SQL is the best solution and there
> are cases where dynamic SQL is a really poor choice.
> The whole message of http://www.sommarskog.se/dyn-search.html is that
> for dynamic search conditions is "use dynamic SQL, if you can handle
> the security issues". If you can make it with views, then you should
> be fine.
> Beware though, that a very skilled person can be able to cram out
> information from a view for row-based security that he is not supposed
> to have access to. It is not that he can actually get to see the rows,
> but he can make conclusions from query plans statistical IO and such.|||Martin (theintrepidfox@.hotmail.com) writes:
> Do you know any source with more information on this view security issue?
> What harm can it do? It's a CRM app, not a top secret military app.

As long as you don't let SQL Server MVP Steve Kass anywhere near the
database, I think your data is fairly safe. :-) That is, Steve Kass was
the one who discovered this issue, and to exploit you would need to
a query tool like Query Analyzer, and you would probably have to have
some knowledge about the schema. And you need a very good understanding
of SQL Server. Finally a good dosis of patience is good for the task.

--
Erland Sommarskog, SQL Server MVP, esquel@.sommarskog.se

Books Online for SQL Server SP3 at
http://www.microsoft.com/sql/techin.../2000/books.asp

More custom security questions

Still working on custom security
Since I can't get a name of file (path) from within CheckAccess method it becomes somewhat useless. Is there a way to maybe overload GetPermissions or Policies methods? Or maybe CreateReport method so that I can include some custom code there? Is there an example of something like that?

I wish the catalog tree was transparent to Authentication extension, I don't see a point in acl for a custom extension, all I want is names and I can build on top of that. Something along the lines -

Code Snippet

public bool CheckAccess(...file...)
{
string[] permissions ;
permissions = server.GetPermissions(file);
...

Maybe I am missing something simple and I can tie everything to a security descriptor but I don't see how I can if there is no information such as name, date, modified by name and so on. All we get is principal name which is not very useful since I don't use built-in security names.

Thanks
So anybody implemented CustomAccess not totally based on acecollection?
|||bumpsql

More code access issues again

Upgrading our Custom Data Extension from SQL 2000 Reporting Services to 2005
has necessitated dealing with code access security to a new degree. My
extension is actually a complex set of interdependant DLLs:
1. My managed assembly that implements the Data Extension and two delivery
extensions. This calls into...
2. A set of third party UNmanaged DLLs. Via a callback mechanism, these
call into...
3. Another of my managed assemblies.
By doing the following, my Data extension now runs perfectly in the browser
(via the report manager interface):
A. Create a Code Group in the policy config file.
B. Add AllowPartiallyTrustedCallers attribute to all my managed assemblies
C. Put my assemblies in the GAC
While my extension now works in the browser, it fails when run as a
scheduled report. My managed assembly #1 and the unmanaged DLLs #2 seem to
load, but in the log files I see:
Could not load file or assembly <my managed assembly #3, above> Failed to
grant minimum permission requests. (Exception from HRESULT: 0x80131417)
So I guess my question comes down to this: Why would the code access
security context be different when the report is run on a schedule as
opposed to being run on the server?
Thanks for you help!Hello Stephen,
How about turned off the Caspol by running command caspol -s off?
Also, please try to create a new code group.
1. On the Web server, open Administrative Tools, and then double-click
Microsoft
.NET Framework Configuration 2.0.
2. Expand Runtime Security Policy, expand Machine, and then expand Code
Groups.
3. Right-click All_Code, and then click New.
4. Select Create a new code group. Give your code group a relevant name,
such as
the name of the applications share.
5. Click Next.
6. In the Choose the condition type for this code group list, select GAC.
7. Click Next. On the next page, select Use an existing permission set, and
then
8. select FullTrust.
9. Click Next, and then click Finish.
Once these steps have been done, plese turn off the caspol and restart the
server.
Sincerely,
Wei Lu
Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.
Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================(This posting is provided "AS IS", with no warranties, and confers no
rights.)|||I can not do "caspol -s off" in this environment, but I believe your other
comments have pointed me in the right direction. Thanks!
"Wei Lu [MSFT]" <weilu@.online.microsoft.com> wrote in message
news:1krHN%23KzGHA.4340@.TK2MSFTNGXA01.phx.gbl...
> Hello Stephen,
> How about turned off the Caspol by running command caspol -s off?
> Also, please try to create a new code group.
> 1. On the Web server, open Administrative Tools, and then double-click
> Microsoft
> NET Framework Configuration 2.0.
> 2. Expand Runtime Security Policy, expand Machine, and then expand Code
> Groups.
> 3. Right-click All_Code, and then click New.
> 4. Select Create a new code group. Give your code group a relevant name,
> such as
> the name of the applications share.
> 5. Click Next.
> 6. In the Choose the condition type for this code group list, select GAC.
> 7. Click Next. On the next page, select Use an existing permission set,
> and
> then
> 8. select FullTrust.
> 9. Click Next, and then click Finish.
> Once these steps have been done, plese turn off the caspol and restart the
> server.
> Sincerely,
> Wei Lu
> Microsoft Online Community Support
> ==================================================> Get notification to my posts through email? Please refer to
> http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
> ications.
> Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
> where an initial response from the community or a Microsoft Support
> Engineer within 1 business day is acceptable. Please note that each follow
> up response may take approximately 2 business days as the support
> professional working with you may need further investigation to reach the
> most efficient resolution. The offering is not appropriate for situations
> that require urgent, real-time or phone-based interactions or complex
> project analysis and dump analysis issues. Issues of this nature are best
> handled working with a dedicated Microsoft Support Engineer by contacting
> Microsoft Customer Support Services (CSS) at
> http://msdn.microsoft.com/subscriptions/support/default.aspx.
> ==================================================> (This posting is provided "AS IS", with no warranties, and confers no
> rights.)
>