Permissions, visibility, UDTs and user-defined aggregates

By Bob Beauchemin, Niels Berglund and Dan Sullivan 28 Feb 2005 | Addison-Wesley

Digg This!     StumbleUpon     Del.icio.us

The following excerpt, courtesy of Addison-Wesley, is from Chapter 6 of the book "A First Look at SQL Server 2005 for Developers" written by Bob Beauchemin, Niels Berglund and Dan Sullivan. Click for the complete book excerpt series or purchase the book.

Permissions, visibility, UDTs and user-defined aggregates

A user-defined type must be defined in the SQL Server catalog to be visible to SQL Server stored procedures and other T-SQL procedural code, just as an assembly is. Once a UDT is defined in the SQL Server catalog, users need the appropriate permission to invoke it, just as they do for any other database object.

Classes in an assembly are not directly accessible to T-SQL but may be used by other assemblies if they are public. For example, a CLR-based user-defined function may want to make use of a class from an assembly other than the one in which it is defined. This will only be allowed if the identity used to access the user-defined function, or other CLR-based procedural code, has EXECUTE rights to that assembly.

A UDT that is cataloged to SQL Server with CREATE TYPE is secured through permissions like any other SQL Server object. As with assemblies, you can grant REFERENCES and EXECUTE permissions on a UDT; with a UDT, however, the meaning is slightly different. Schema-bound links, in the context of a UDT, consist of:

• Creating a table with the UDT as a column


• Defining a stored procedure, UDF, or trigger on the static method of a UDT


• Defining a view using the WITH SCHEMABINDING option that references the UDT

EXECUTE permission on a UDT is defined at the class level, not at the method level. Granting EXECUTE permission on a UDT does not automatically grant permission on every stored procedure or user-defined function in the UDT. This must be granted by granting permission to the stored procedure or UDF SQL Server object directly. EXECUTE permission is also required to fetch a UDT or execute its methods from code inside the SqlServer data provider.

User-defined aggregates follow the same rules. A schema-bound link to a user-defined aggregate would consist of:

• Creating a table with the user-defined aggregates used in a constraint


• Defining a stored procedure, UDF, or trigger that uses the userdefined aggregate


• Defining a view using the WITH SCHEMABINDING option that uses the user-defined aggregate

REFERENCES permission would be required to create any of the database objects listed earlier.

Ownership chains apply when using user permissions with SQL Server objects, just as they do when using other SQL objects, like tables and views. Here are a few examples that will illustrate the concepts.

• User bob attempts to execute CREATE ASSEMBLY for bobsprocs. The bobsprocs assembly has a method that references another assembly, timsprocs, that is already cataloged in the database. Bob needs to have REFERENCES permission to the timsprocs assembly, because a schema-bound link will be set up between the two assemblies.


• If user bob creates a procedure, bobproc1, that is based on a method in the bobsprocs assembly, no permissions are checked. However, if user fred creates the bobproc1 procedure, this will set up a schema-bound link. User fred needs to have REFERENCES permission to the bobsprocs assembly.


• The procedure bobproc1 in bobsprocs is specified as execution_context = caller. When user alice attempts to execute bobproc1, she must have EXECUTE permissions on the procedure, but the code runs as bob. (We'll discuss execution context shortly.)


• User alice then defines a table, atable, using the UDT bobtype, which is part of the assembly bobsprocs. To do this, she needs REFERENCES permission on the bobsprocs assembly and on the bobtype UDT.


• User joe attempts to execute a SELECT statement that contains the UDT bobtype in the table atable. To do this, he needs SELECT permission on atable and EXECUTE permission on bobtype.

Click for the next excerpt in this series: What can .NET code do from within SQL Server: Safety levels

Tags: SQL Server Security,  .NET Development for SQL Server,  Microsoft SQL Server 2005,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT SQL Server Security Password cracking tools for SQL Server Meet compliance requirements with improved database security practices Hardening the network and OS for SQL Server security Securing the server and database in SQL Server SQL Server security made simple and sensible Blog: Protect your databases from the internal threat Setting up SQL Server Service Broker for secure communication The keys to database backup protection for SQL Server Understanding transparent data encryption in SQL Server 2008 The fine line between not encrypting your databases and breach notification .NET Development for SQL Server Creating Windows PowerShell scripts to manage SQL Server 2008 instances Manipulate column names in a SQL Server table Code to restore SQL Server databases in VB.NET Custom VB.Net scripting in SQL Server Integration Services Retrieve images from SQL Server and store in VB.Net Connect to SQL Server database with Visual Basics Top 10 SQL Server development questions Developing CLR database objects: 10 tips, 10 minutes CLR architecture CLR stored procedures .NET Development for SQL Server Research Microsoft SQL Server 2005 End of life comes for SQL Server 2005 SP2, 2008 SQL Server Reporting Services Fast Guide SQL Server Service Broker Tutorial and Reference Guide Tips for tuning SQL Server 2005 to improve reporting performance SQL Server consolidation: Why it's an optimization technique Parent-child dimensions in SQL Server 2005 with Analysis Services MDX Enforcing data integrity in a SQL Server database SSIS error message due to installation problem on SQL Server 2005 Should you upgrade to SQL Server 2005 or SQL Server 2008? Basics for working with DATETIME and SMALLDATETIME in SQL Server 2005 Microsoft SQL Server 2005 Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary data corruption  (SearchSQLServer.com) data hiding  (SearchSQLServer.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary