The ASP.NET user and permissions

[ityles]

I've got a SQL2000 database being accessed by an ASP.NET webpage and I'm trying to add security by denying/granting access to certain sp's for that user.

The webpage connects to SQLServer as the generic user "ASP.NET" and I have a stored proc called up_NoAccess that has exec permission denied for the ASP.NET user (In fact, no user has exec permission on it except I think the dbo implicitely right?). But when I test it out through the web page the stored procedure still executes! I even added a little test select system_user to check if it is actually connecting as ASP.NET and it is.

Can anyone explain why the sp still executes? I'm not sure what I've overlooked.
Thanks.

 

[ityles]

The user is actually called "ASPNET" (no period). I just noticed my mistake, sorry.

 

[jfrost10]

Hmmm...Usually in this case, I would try and butter up a co-worker. Y'know, bring in a coffee for him/her (3 cream, 3 sugar, xtra large), maybe offer any Subway stamps you might have...


I tried doing the same thing, but with my username/password. It STILL let me gain access to the stored proc as well as the table, even though I restricted my access on both!

Maybe the users we're trying to access the server with are part of some role that over-rides the manual exclusions?

Jack-Next-Cubicle-Over

 

[ityles]

Hello Jack-Next-Cubicle-Over, nice to hear from you!

Yes it's quite strange. The only role that ASPNET belongs to is Public, but Public also does not have permission to run this proc, unless it is somehow implicitely being granted permission without my knowledge.

I'm still puzzled. I'll hang on to my Subway stamps for now!

 

[jfrost10]

Hey Inge,

Not sure if you have this post hooked up to your hotmail account or not, but if so can you email me your hotmail address to my work email (I check it from home)?

I'm not sure if you're checking your work email at home, and if not you'll want to see the one I just recieved from the "boss"

>:
Jack