Olaf Doschke
Programmer
I am not very familiar with the EXECUTE AS clause and have read a lot about it, which made me unsure about when and how it works.
First of all I created a SQL Server Login named 'triggerlogin' with password.
I defined this AFTER DELETE trigger:
It's a little simplified, because the archive table has some more fields, but the question is not about the trigger, but the permissions involved.
I would like user to have no permissions on the archive schema, so only the trigger might add to (and also read from) the archive schema table.
From what I read the caller triggering that trigger by a DELETE operation must have rights to impersonate the triggerlogin and also this code doesn't need the password of the triggerlogin.
I am unsure how that really helps to achieve my goal of denying direct access to the archive schema to any db user besides the triggerlogin, if the users are granted the right to impersonate the login, they could do so anyway, if getting hands on the MSSQL Management Studio, couldn't they?
I read here, that "Ownership chaining rules continue to apply. This means if the owners of the calling and called objects are the same, no permissions are checked on the underlying objects." Does that mean if the archive.sometable has the same owner as the dbo.sometable, the permission of triggerlogin on the archive table are even not checked?
So in short: how would I really get a permission separation of the archive schema from the default (dbo) schema users work in?
Bye, Olaf.
First of all I created a SQL Server Login named 'triggerlogin' with password.
I defined this AFTER DELETE trigger:
Code:
USE [mydb]
GO
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
CREATE TRIGGER [dbo].[sometable_delete]
ON [dbo].[sometable]
AFTER DELETE
AS
EXECUTE AS LOGIN = 'triggerlogin'
BEGIN
SET NOCOUNT ON;
Insert Into [archive].[sometable] SELECT * FROM deleted
END
It's a little simplified, because the archive table has some more fields, but the question is not about the trigger, but the permissions involved.
I would like user to have no permissions on the archive schema, so only the trigger might add to (and also read from) the archive schema table.
From what I read the caller triggering that trigger by a DELETE operation must have rights to impersonate the triggerlogin and also this code doesn't need the password of the triggerlogin.
I am unsure how that really helps to achieve my goal of denying direct access to the archive schema to any db user besides the triggerlogin, if the users are granted the right to impersonate the login, they could do so anyway, if getting hands on the MSSQL Management Studio, couldn't they?
I read here, that "Ownership chaining rules continue to apply. This means if the owners of the calling and called objects are the same, no permissions are checked on the underlying objects." Does that mean if the archive.sometable has the same owner as the dbo.sometable, the permission of triggerlogin on the archive table are even not checked?
So in short: how would I really get a permission separation of the archive schema from the default (dbo) schema users work in?
Bye, Olaf.