Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

EXECUTE AS in trigger...Not working 1

Status
Not open for further replies.
TheBugSlayer

TheBugSlayer

Programmer
Sep 22, 2002
887
US
All,

I have a trigger that writes some data into an audit table. Among that data is the client's IP address, which it retrieves from the sys.dm_exec_connections DMV. When the user does not have permission to select from the DMV a The user does not have permission to perform this action. error is returned, obviously. These are service accounts that I must grant VIEW SERVER STATE permission to.

However, I would like to instead the trigger instead under the security profile with the proper permission, VIEW SERVER STATE. I have created the trigger with a
Code: 
WITH EXECUTE AS 'Domain\administrator'
clause alright. Nonetheless, when I run an update statement on the table to test the trigger, it still fails with the same error! I have tried different impersonations to no avail.

What am I doing wrong? Is there any way I can switch the security context just for the call to the DMV and switch it back to the current user before the next statement? EXECUTE AS CALLER may not work for all logins, obviously.

PS: I am writing the code in SQL Server 2012 MS but the underlying DB is in 2008 R2.

Thanks for your help.

MCP SQL Server 2000, MCTS SQL Server 2005, MCTS SQL Server 2008 (DBD, DBA)
 
Sort by date Sort by votes
Execute as works for invoking database users' rights, but not for logins' rights. View server state is of course, a server permission. Can you use the function host_name() instead?
 
Upvote 0 Downvote
Hi Yelworcm,

Are you saying that if my 'Domain\administrator' is a server login but not a database user it won't work? In this instance it is also a DB user.

I am also using the HOST_NAME(). Here is excerpt of my code:
Code: 
...
 SELECT @IPAddress = client_net_address FROM sys.dm_exec_connections WHERE session_id = @@SPID;
...
INSERT INTO [Audit] ...
		 VALUES
			   ('Client Audit Trigger'
			   ,SUSER_SNAME()
			   ,CONVERT(CHAR(8), GetDate(), 112)
			   ,REPLACE(CONVERT(CHAR(10), GetDate(), 108),':', '')
			   ,'Client'
			   ,@Operation
			   ,'Main: ' + @Main + ', Sub: ' + @Sub
			   , @ClientID
			   ,PROGRAM_NAME()
			   ,HOST_NAME() + '/' + @IPAddress
			   ,@FacilityID
			   ,null);

I can do without the IP address if need be. It's working otherwise, I am explicitly granting VIEW SERVER STATE to the service accounts that update the table.

Thanks.

MCP SQL Server 2000, MCTS SQL Server 2005, MCTS SQL Server 2008 (DBD, DBA)
 
Upvote 0 Downvote
That is correct. when you "EXECUTE AS" a user, you only gain that user's database permissions. You do not gain the underlying login's rights. Not even to other databases that login has access rights on.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Cpreston
  • Locked
  • Question
Working Days giving NULL values
Replies
8
Views
221
Cpreston
Cpreston
leifoet
  • Locked
  • Question
Error in Select query
Replies
14
Views
286
Andrzejek
Andrzejek
Andrzejek
  • Locked
  • Question
Eliminate pesky [ ] in SQL Management Studio
Replies
5
Views
258
SaltyTheFrog
SaltyTheFrog
Lidias13
  • Locked
  • Question
Issue trying to find "closest" dated record to a rather complex query (not working)
Replies
1
Views
102
ggriffit
ggriffit
Auguy
  • Locked
  • Question
Using UDF In Select, Bad Idea? 2
Replies
3
Views
153
Auguy
Auguy

Part and Inventory Search

Sponsor

Back
Top