Ownership chaining in SQL Server 2005

There are three basic rules in ownership chaining:

1. If you have access to a given object, and then reference another object through it (such as a view that accesses a table) where both objects have the same owner, permissions on the second object are not checked. If you have access to the first item, it's assumed you'll have access to the second.
2. If you have access to a given object, and then reference another object through it, but the second object does not have the same owner, the permissions on the second object are checked against the retrieving user's permissions. If the user doesn't have permissions that allow access to that second object, he can't read it.
3. All of this is instigated in the security context of the user who invokes the original object. If the user doesn't have access to that original object, nothing happens (which is just standard security practice).

With one key exception, these rules work regardless of the object types being accessed. The rules do not apply if you're chaining to an object in another database within the same instance of SQL Server. This kind of access is called cross-database ownership chaining (CDOC). By default, this feature is turned off in SQL Server because it's a bit too easy to use as a way to defeat object se...

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Microsoft SQL Server Performance Monitoring and Tuning Using traces in SQL Server Profiler SQL Server Mailbag: CALs, witnesses and unwanted changes SQL Server Mailbag: Data restoration and DB property management Working with IntelliSense in SQL Server 2008 Management Studio SQL Server Mailbag: Stored procedures, triggers and SSRS reports Troubleshooting Distributed Transaction Coordinator errors in SQL Server Clearing the Windows page file and its effect on server performance Optimizing SQL Server indexes –- even when they're not your indexes Performance implications of transaction log autogrowth in SQL Server The short course on how SQL Server really works Database Management and Administration Password cracking tools for SQL Server Using traces in SQL Server Profiler Meet compliance requirements with improved database security practices Hardening the network and OS for SQL Server security Securing the server and database in SQL Server How SQL Server 2008 components impact SharePoint implementations Troubleshooting Distributed Transaction Coordinator errors in SQL Server Achieving high availability and disaster recovery with SharePoint databases Clearing the Windows page file and its effect on server performance Deploying a SQL Server virtual appliance for Microsoft Hyper-V

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary contiguity  (SearchSQLServer.com) contiguous  (SearchSQLServer.com) drilldown  (SearchSQLServer.com) hashing  (SearchSQLServer.com) hybrid online analytical processing  (SearchSQLServer.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

curity for someone with local access and malice in mind.

SQL Server 2005 does have some new features, making it possible to work across databases or differently owned objects without having to explicitly grant access or use CDOC. For instance, if you use CDOC to allow cross-database access for a stored procedure, you might be better off using something like a Service Broker queue to do the same thing. Or, you could create a matching stored procedure on the other database that has been written to securely handle such things.

Another change to the way ownership chaining works in SQL Server 2005 involves the EXECUTE AS clause, which lets you run many operations in the context of another user. It can only be used by someone who has the authority to impersonate other users, i.e., a sysadmin. While it lets you choose which identity to use if permissions are checked during execution, it doesn't force them to be checked (although there's an exception to this which I'll go into in a moment).

EXECUTE AS is useful in a variety of ways. Primarily, it allows you to easily simulate (in the context of other activity) whether a given user can access something in a chained fashion. This is an important function considering ownership chains are often taken for granted. Because of the way chaining works, it's not always obvious you will (or won't) have access to a dependent object, therefore it's a good idea to audit such things whenever possible using EXECUTE AS. It's also useful as a way to run a potentially risky operation in a restricted-user context. Another benefit is if you create a stored procedure that uses EXECUTE AS, you can define more precisely the security context the stored procedure runs in.

In addition, EXECUTE AS can force an ownership chain to break by using EXECUTE AS SELF. If you use EXECUTE AS SELF in the context of a stored procedure, for instance, permissions on any of the underlying objects called by the stored procedure will be explicitly checked. This sort of thing happens on multiple levels, including when you invoke a stored procedure that calls another stored procedure and, for instance, when EXECUTE AS SELF is being used somewhere in the chain.

Note that EXECUTE AS will not work if SQL Server is running as a local account. When it's set up as a local account, it can't read the group memberships of Windows domain accounts. Be aware of this if you happen to have an instance of the SQL Server Desktop Engine installed and you're running it as a local account for the sake of security.

About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!

More on SearchSQLServer.com

Expert advice: Access across databases when executing a stored procedure

Rate this Tip To rate tips, you must be a member of SearchSQLServer.com. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.