OWSUG.ca

In this third and final instalment of our series on the SQL Server Database Engine Permission Model, we look execution context switching – in other words when I access an object, from whose perspective should I be assigned permissions. 

As always, if you want to test these out and don’t have SQL Server handy, you can download a full-featured evaluation copy of SQL Server 2008 R2 from the TechNet Evaluation Center at http://technet.microsoft.com/en-ca/evalcenter/default.aspx (look under Server Products and Technologies | Release). If you are feeling adventurous and want to explore SQL Server 2012 RC0, you can download it from http://technet.microsoft.com/en-ca/evalcenter/hh225126.aspx. Give it a try!

SQL SERVER DATABASE ENGINE PERMISSION MODEL (PART 3)

The principal of least privilege requires that users be granted the most restrictive set of privileges required to perform tasks in order to limit the damages caused by security incidents. In the context of a database application, users must only be allowed to perform those operations required within the context of an application and nothing more. Restricting user permissions thus helps to limit the potential for inappropriate data access and database actions.

By using the SQL Server permission model, database administrators can associate permissions directly to user objects or to groups. To be successful, however, database administrators must apply due diligence in setting up user accounts and should carefully provisioning groups and control access to objects by user/group entities.

Stored procedures and functions are very common in modern database applications and quite often it is required for users to get access to application database modules (i.e. stored procedures and functions) without have additional permissions to access the objects referenced by the modules directly. In SQL Server, this pattern can be accomplished through ownership chaining, context switching and module signing.

This article will focus on explaining about context switching in SQL Server. In the next article, we will explain about module signing in SQL Server. To refresh your understanding about ownership chaining, please review the ownership chaining article here.

Execution Context Switching

It’s very common to have multiple users owning various objects in the database. Quite often, you might want to give access of your object to another user. Context switching can be used when a module needs to be executed under the permission of a different user and was introduced in SQL Server 2005 to alleviate the administrative burden on the database administrator.

Figure 1: Explaining execution context in SQL Server

As illustrated in figure 1, when user ‘User A’ calls stored procedure ‘Proc2’ in UserB schema, the execution context of user ‘User A’ is switched to user ‘UserZ’ execution context. The procedure selects data from Table2 and since UserZ does not own Table2 permissions are checked for UserZ on Table2.

Within functions and stored procedures, the EXECUTE AS clause supports the following qualifiers –

(1)    CALLER – causes the module to be executed in the context of the user executing the module.

(2)    SELF – causes the module to execute in the context of the user who created or last altered the module

(3)    OWNER – causes the module to execute under the context of the module owner.

(4)    ‘user name’ – causes the module to execute under the context of a given username.

It is important to note that the IMPERSONATE permission is required for creating / altering any module that specifies the EXECUTE AS clause. The REVERT statement switches the execution context back to the caller of the last EXECUTE AS statement.