惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

阮一峰的网络日志
阮一峰的网络日志
D
Darknet – Hacking Tools, Hacker News & Cyber Security
S
Schneier on Security
The Last Watchdog
The Last Watchdog
Cyberwarzone
Cyberwarzone
S
Securelist
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
C
Cyber Attacks, Cyber Crime and Cyber Security
L
Lohrmann on Cybersecurity
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
博客园 - 司徒正美
The Cloudflare Blog
V
V2EX
博客园_首页
博客园 - 聂微东
Vercel News
Vercel News
人人都是产品经理
人人都是产品经理
G
GRAHAM CLULEY
T
Tenable Blog
Last Week in AI
Last Week in AI
Y
Y Combinator Blog
L
LINUX DO - 最新话题
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
SecWiki News
SecWiki News
博客园 - 三生石上(FineUI控件)
S
Secure Thoughts
N
News | PayPal Newsroom
T
The Blog of Author Tim Ferriss
The GitHub Blog
The GitHub Blog
T
Troy Hunt's Blog
博客园 - 【当耐特】
Forbes - Security
Forbes - Security
H
Hacker News: Front Page
A
About on SuperTechFans
B
Blog RSS Feed
Engineering at Meta
Engineering at Meta
MongoDB | Blog
MongoDB | Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
罗磊的独立博客
D
DataBreaches.Net
P
Privacy & Cybersecurity Law Blog
Schneier on Security
Schneier on Security
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Google DeepMind News
Google DeepMind News
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Jina AI
Jina AI
D
Docker
P
Proofpoint News Feed

博客园 - 天蝎

两岸三地在线编程学习网站 WebinoImageThumb - ZendFramework 2中操作图片的API PHP依赖管理器- Composer Local Temporary Tables and Table Variables Logging with SQL Server SQL Server Database Partitioning Myths and Truths 转载:什么是SHELL 转载:Plan freezing and other plan guide enhancements in SQL Server 2008 - 天蝎 转载:如何正确理解自动化测试技术 存储过程 SOA的设计理念 转载: The DBA as Detective: Troubleshooting Locking and Blocking 转载:锁的概述 转载: Microsoft SQL Server roles Why BCP connects to SQL Server instance which start with account of Network Service fail? Execution plans, estimated vs actual Finding the causes of poor performance in SQL Server Enabling Dedicated Administrator Connection Feature in SQL Server 2008 .net中应用程序域的概念
转载:Breaking ownership chaining within a schema in SQL Server
天蝎 · 2009-12-01 · via 博客园 - 天蝎

Problem
I have several objects, all in the same schema. Because of this, ownership chaining is working, as described in this previous tip. However, I don't want ownership chaining to be on, but I need the objects to remain in the same schema. How can I do this?

Solution
In SQL Server 2005/2008, the objects we typically work with, like tables, views, and stored procedures, are contained in a schema. All schemas have owners, but the objects they contain, by default, do not have owners. For instance, the table MyTable sitting in the MySchema schema doesn't have an owner, but the MySchema schema does. In these cases, SQL Server takes the owner of the schema and treats that as the owner of the object. So consider the case where you have the following objects: a table, MyTable, which is referred to by a stored procedure, MyProc.

Let's set up the scenario:

USE MSSQLTips;
GO -- Create a schema to hold our objects
CREATE SCHEMA MySchema AUTHORIZATION dbo;
GO -- Create a user to test with
CREATE USER TestUser 
WITHOUT LOGIN
WITH DEFAULT_SCHEMA MySchema;
GO -- Create a role to assign permissions to
CREATE ROLE TestRole;
GO -- Add the user to the role
EXEC sp_addrolemember 'TestRole''TestUser';
GO

And let's create the objects in the MySchema schema:

-- Create objects to show ownership chaining
CREATE TABLE MySchema.MyTable (TableInt INT);
GO CREATE PROCEDURE MySchema.MyProc 
AS
BEGIN
  SELECT 
TableInt FROM MySchema.MyTable;
END;
GO GRANT EXECUTE ON MySchema.MyProc TO TestRole;
GO

Now, if we execute as TestUser, we'll see that the stored procedure works, because there is an ownership chain.

-- script 3
EXECUTE AS 
USER 'TestUser';
GO  EXEC MySchema.MyProc;
GO

REVERT

;
GO

This is because neither MyTable nor MyProc has a specified owner. As a result, SQL Server is using the owner of the schema as the owner of both objects. Since the owner is therefore one and the same, dbo, for both objects, the ownership chain forms.  Here is the result for running this query.  Note: the result set is empty, because we did not insert any rows into the table.

Ownership Chain - Stored Procedure Works

If we want the ownership chain to be broken, we need to change the owner of either the table or the stored procedure to something other than dbo, since that's the owner of the schema. We can accomplish this by either using an existing user in the database or by creating a new one and then executing an ALTER AUTHORIZATION on one of the two objects. For instance:

CREATE USER SecondOwner WITHOUT LOGIN;
GO ALTER AUTHORIZATION ON OBJECT::MySchema.MyTable TO SecondOwner;
GO 

And now if we go back and execute the code from script 3 again as TestUser, we'll get an error. This is because there is no longer an ownership chain in effect and the TestUser database principal does not have SELECT permissions against the table:

Ownership chain is broken

Also, if we look in SQL Server Management Studio we can see the objects are still in the same schema.

So simply by changing the owner for one of the objects using ALTER AUTHORIZATION, we can break the ownership chain. This should be used with caution, however, as it is easy to overlook this when troubleshooting why something doesn't work since we're so used to having all objects within a given schema "owned" by the schema owner. Also, if the need is to only break the ownership chain on a handful of referring objects, like a few of the stored procedures, then the owner on them should be changed and not the referred to object (the table). This will ensure that other objects referencing the table will still use ownership chaining and will minimize the changes you'll need to make.

Next Steps

Readers Who Read This Tip Also Read