Where Is Security Info Stored?
Apr 7, 2008How does SQL Server store Security Information. Accounts, Users, etc... Is there a particular table, like Master Table?
View 4 Replies
ADVERTISEMENT
More Info: Stored Procedure Security Question
Jul 20, 2005Dear GroupI have found that table A had SELECT permissions for 'Public' but not tableB.Giving 'Public' SELECT permissions on table B did the trick.HOWEVER, I don't want anyone to be able to do a direct SELECT on table A orB but only give them access to the data by using the stored procedures. Isthere any way this can be set up?Thanks for your efforts!Have a nice day!Martin"Martin Feuersteiner" <theintrepidfox@hotmail.com> wrote in message news:...[color=blue]> Dear Group>> I'm having two stored procedures, sp_a and sp_b>> Content of stored procedure A:> CREATE PROCEDURE dbo.sp_a> SELECT * FROM a> GO>> Content of stored procedure B:> CREATE PROCEDURE dbo.sp_b> SELECT * FROM b> GO>> I have created a user that has execute permissions for both procedures.> When I run procedure A, all works fine but when running procedure B I'm> getting an error saying that the user must have SELECT permissions on> table B.>> Both tables are owned by dbo, and the security role for the user doesn't> has any SELECT permission on table a and b.> I'd be grateful if anyone could point me in a direction why this error> might come up for procedure B but not for A,> with a possible solution without giving the user SELECT permissions.>> Thanks very much for your help!>> Martin>[/color]
View 6 Replies View RelatedSQL 2012 :: Persist Security Info And Integrated Security In Connection String
Dec 4, 2014I use from sql server 2008. and c#
what is the best connectionstring?
I don't know if i use Persist Security Info and Integrated Security or not?
And if yes then their value must be true or false?
Differance Between Persist Security Info And Integrated Security
Apr 26, 2007hi i want to know what is the differance between
Persist Security Info=False;Integrated Security=Yes;
Security Info Not Getting Transferred Across Servers
May 24, 2000I backed up a database from one server and restored in it on another server
the database was installed with data, but the security info did not
get across.
thanks
SQL 2005 Reporting Services Security Info
Mar 29, 2007We have 2005 Reporting Services fully functional - Dev, QA and prod (farm). I have at least 5 distinct business group trees in my structure, who have inherited or modified security based upon NT Users and AD groups. Now, we want to replace a major group (<domain_name>Domain Users) with a controlled group.
I cannot find anyway to report or map the folders that a specific NT User and AD group has rights. Cannot it be done?
How To Get The Folder Wise Security Info Of All The Users?
Dec 21, 2006Hi,
The Report Manager portal has many folders. For each folder there are specific users with different roles.
I am trying to figure out the way to extract User, folder wise security data. I want to run a query and retrieve users name, the folders they have access to and the user role corresponding to that folder.
Use ReportServer
SELECT u.UserName, r.RoleName FROM users u, policyuserrole pur, roles r
WHERE pur.UserID=u.UserID AND pur.RoleID=r.RoleID
The above query fetches all the users and their roles.
The folder information corresponds to Path column of Catalog table. Am unable link this table with the above query.
TIA
Trying To Add Info To Database Using A Stored Procedure
Jul 16, 2004Hi there :)
I was hoping someone could help me figure out why this doesn't work....
I have a class called ProductsDB with a method called AddProduct that looks like this:
public String AddProduct(int categoryID, int makeID, string name, double price, double saleprice, double offerprice, int homepage, string thumbpath, string imagepath, string description)
{
// Create Instance of Connection and Command Object
SqlConnection myConnection = new SqlConnection(ConfigurationSettings.AppSettings["ConnectionString"]);
SqlCommand myCommand = new SqlCommand("ProductsAdd", myConnection);
// Mark the Command as a SPROC
myCommand.CommandType = CommandType.StoredProcedure;
// Add Parameters to SPROC
SqlParameter parameterCategoryID = new SqlParameter("@CategoryID", SqlDbType.Int, 4);
parameterCategoryID.Value = categoryID;
myCommand.Parameters.Add(parameterCategoryID);
SqlParameter parameterMakeID = new SqlParameter("@MakeID", SqlDbType.Int, 4);
parameterMakeID.Value = makeID;
myCommand.Parameters.Add(parameterMakeID);
SqlParameter parameterName = new SqlParameter("@Name", SqlDbType.NVarChar, 50);
parameterName.Value = name;
myCommand.Parameters.Add(parameterName);
SqlParameter parameterPrice = new SqlParameter("@Price", SqlDbType.Money, 8);
parameterPrice.Value = price;
myCommand.Parameters.Add(parameterPrice);
SqlParameter parameterSalePrice = new SqlParameter("@SalePrice", SqlDbType.Money, 8);
parameterSalePrice.Value = saleprice;
myCommand.Parameters.Add(parameterSalePrice);
SqlParameter parameterOfferPrice = new SqlParameter("@OfferPrice", SqlDbType.Money, 8);
parameterOfferPrice.Value = offerprice;
myCommand.Parameters.Add(parameterOfferPrice);
SqlParameter parameterHomepage = new SqlParameter("@Homepage", SqlDbType.Bit, 1);
parameterHomepage.Value = homepage;
myCommand.Parameters.Add(parameterHomepage);
SqlParameter parameterThumbnail = new SqlParameter("@Thumbnail", SqlDbType.NVarChar, 50);
parameterThumbnail.Value = thumbpath;
myCommand.Parameters.Add(parameterThumbnail);
SqlParameter parameterImage = new SqlParameter("@Image", SqlDbType.NVarChar, 50);
parameterImage.Value = imagepath;
myCommand.Parameters.Add(parameterImage);
SqlParameter parameterProductID = new SqlParameter("@ProductID", SqlDbType.Int, 4);
parameterProductID.Direction = ParameterDirection.Output;
myCommand.Parameters.Add(parameterProductID);
try
{
myConnection.Open();
myCommand.ExecuteNonQuery();
myConnection.Close();
// Calculate the ProductID using Output Param from SPROC
int productId = (int)parameterProductID.Value;
return productId.ToString();
}
catch
{
return String.Empty;
}
}
And then in another cs file for my aspx page I have an event handler for an add button in a webform, which looks like this:
// Add New Product to ProductDB database
bikescene.Components.ProductsDB accountSystem = new bikescene.Components.ProductsDB();
String productId = accountSystem.AddProduct(Int32.Parse(DDLproductcategory.SelectedValue), Int32.Parse(DDLproductmanufacturer.SelectedValue), TBproductname.Text, Double.Parse(TBproductprice.Text), Double.Parse(TBproductsaleprice.Text), Double.Parse(TBproductofferprice.Text), Int32.Parse(DDLproducthomepage.SelectedValue), thumbnailpath, imagepath, TBproductdescription.Text);
And finally, here is my stored procedure:
CREATE Procedure ProductsAdd
(
@ProductID int,
@CategoryID int,
@MakeID int,
@Name nvarchar(50),
@Price money,
@SalePrice money,
@OfferPrice money,
@Homepage int,
@Thumbnail nvarchar(50),
@Image nvarchar(50),
@Description nvarchar(500)
)
AS
INSERT INTO Products
(
productID,
categoryID,
makeID,
name,
price,
saleprice,
offerprice,
homepage,
thumbpath,
imagepath,
description
)
VALUES
(
@ProductID,
@CategoryID,
@MakeID,
@Name,
@Price,
@SalePrice,
@OfferPrice,
@Homepage,
@Thumbnail,
@Image,
@Description
)
SELECT
@ProductID = @@Identity
GO
Basically, my images are uploaded to the server just fine but nothing is being added to the database + I don't get any error messages.
Any ideas?
Many thanks indeed :)
SQL Stored Procedure Parameters Info C++ Clr 2.0
Feb 16, 2006How does one get the names and data types of the parameters of a SQL 2005 stored procedure? There does not seem to be a refresh for a command parameters object, and the syntax for the get() in I don't seem to have right in c++.
View 1 Replies View RelatedA SQL Procedure To STOP Repeated Info Being Stored
Feb 4, 2007In the web site that I am building ( in C# language ), a hypothetic customer who would buy something would then be redirected to a Secure payments company where he would make the payment and then the company would send back to my web site, information about this transaction.
My program would then save this info in a Microsoft SQL database. The problem is that this company uses to send the same info several times repeatedly and I do not want to store the same info more than once.
So I want a SQL procedure where it takes the invoice number of the customer ( contained in its string of info ) and looks inside a table to see if it was already stored there. If it is there ( or not ), it would return a value, which could be false/true or 0/1 so my program could use this value to save a new info or not and then activate ( or not ) some related tasks.
I am still learning SQL and I tried the below procedure but it is not working. Which alternative procedure could solve the problem ?
~~~~~~~~~~~~~~~~~~~~~~~~~
CREATE PROCEDURE VerifyIfInvoiceExists
(@Invoice VARCHAR(50))
AS
SELECT COUNT(*) FROM IPN_received
WHERE Invoice = @Invoice
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
How To Query Active Users - Where Is This Info Stored ???
Jul 25, 2001I know how to look at active users from Enterprise Manager, but how can I query out the information - what table is that info stored in ??? I don't want a list of all the logins, I just want the list of active users....
Help... thanks in advance,
Nancy
Stored Procedure Returning Info About A Table
Sep 28, 2007i want to have a user defined function or stored procedure(i don't know which one should be used, anyway!) which returns false if the table has no records, with the table name comes with a parameter.
could you give a little code sample?
thanx
I Need To Find Out Info On How To Schedule A Stored Proc To Run In Sql 7 Every Few Hours?
Aug 24, 1999I have 2 stored proc's that i want to run an append query every 4 or 8 hours.
how does a person do this in ms sql 7?
Transact SQL :: How To Get Info Which Stored Procedure Updated A Column For Particular Timestamp
Jul 31, 2015How to get the details of a stored proc or sql query which updated a particular table for specified time stamp or interval. Is there any query to get this?
View 3 Replies View RelatedIs There A System Table With Timestamp Info Or DTS Job Info?
May 7, 2007I want to be able to see when records have been added to a table. The issue is we have a DTS job scheduled to run every night. The developer who wrote it password protected it and doesn't work here anymore. I want to add a step to this series of DTS jobs and want to run it just prior to his job. Is there a way to see when the records are being added or when this job is being run? Thanks again, you guys are the best.
ddave
Stored Procedure - Security
Dec 22, 2006Is it a safe way to use a paramter (which fetch values from querystring) in the "where-part" of my stored procedure? Or is it an securityrisk because I dont know what the user is writing in the url-field?
I got the following sqldatasource which grab the value (from querystring) into the my parameter.
<asp:SqlDataSource ID="SQLDataSource"
ConnectionString="<%$ ConnectionStrings:ConnectionString %>"
runat="server"
SelectCommand="My_StoredProcedure"
SelectCommandType="StoredProcedure">
<SelectParameters>
<asp:QueryStringParameter QueryStringField="Myparameter" Name="City" Type="string" />
</SelectParameters>
</asp:SqlDataSource>
Security On Stored Procs On Dev Db
Mar 25, 2002I want to "deny" create, update,and delete access on the dbo stored procs that are in the database, but do not want take away dbo owner access. is this possible?
can i create a role and deny access on a particular table in msdb? or a system table in the user table. Thus preventing the developers on the box access to update any of the dbo owned sp's and have them create their own user-owned stored procs?
this is sql7, sp3, development box.
thanks,
Security Stored Procedures
Feb 26, 2004Hello, everyone:
How to security the stored procedures? I want to prevent the stored procedures to be changed accidently. Thanks.
ZYT
Stored Procedure Security?
Oct 31, 2007Hi all,
this should be a easy question, but I can't really seem to find anything on it...
Here's the scenerio:
n-tier web app, with asp/iis/sql... All database calls are done via stored procedures with the same user (lets call the user: webuser)
webuser has NO access to the db in question, but it is granted EXEC on all stored procedures.
My question is, when a user tells the web app to say delete a record, the application server (iis) makes a call to the database with the webuser security cred's... It says execute the delete stored proc.
webuser has the ability to do this, so it happens. However, in what context (this may not be the right word) does the stored procedure execute?
ie: which user does the stored proc exeucte as. It can't be webuser can it? Because webuser does not have access to the base tables.
Does the stored proc execute as the user that created it?
I'm confused...
thx all!
Stored Procedure Security
Mar 19, 2008Hi,
I have a Stored Procedure in one database that grabs data from another database. I don't want the user to be able to read data from the tables that the stored procedure Selects from but I would like the user to be able to run the stored procedure. Pretty standard request I think.
What I have done is to give the user in question a login then assigned them the Execute Permissions on the stored procedure. Unfortunately they are still unable to run the stored procedure from my web app. I have "allow anonymous access" turned on but I am still getting an error when the user tries to execute the stored procedure.
Am I missing something here or could there be a bigger issue?
Thanks,
Patrick
Stored Procedures/security
Jul 23, 2005First off I am a rookie at Sql Server. Ok let's give this a try. Mycompany has bought a new software package called Viewpoint. It's OnSql Server and written in VP. We do not have access to the code.There is a option in the software package called "ApplicationSecurity". When this is clicked you are unable to access the ViewpointDatabase from an outside application. Since I can't get to the code Ihave no idea how this feature works.I would like to keep the "Application Securty" ON so no one can accessthe Viewpoint Database from an outside application but I would like towrite my own outside application where I can access the Viewpointapplication tables while the Application Security in ON. Does anyoneknow what I am talking about? I know it is not very clear and I amworking with limited information, but any help would be appreciated.Thanks
View 1 Replies View RelatedStored Procedure Security
Sep 4, 2007
Hi,
I have a stored procedure spoc_CreateNewUser.
I have a role called 'creator'. I want that no one else other than creator should be able to execute this procedure through an asp.net application or directly.If anyone attempts, it should be logged.
HOw do I do this. Please explain the answer. I am new to this.
Ron
CLR Stored Procedure Security
Jan 11, 2008Hi,
I created a CLR stored procedure, and added a web service reference, am using the generated proxy class
to call the web service, currently am facing the following security issues. I think am missing
something, what are the possible patterns to call a web service from the CLR Stored procedure.
Thank you
---------------------------------------
The following is the error that is happening each
time I call the stored procedure
A .NET Framework error occurred during execution of
user defined routine or aggregate
'MyStoredProcedure':
System.Security.SecurityException: Request for the
permission of type 'System.Net.WebPermission, System,
Version=2.0.0.0, Culture=neutral,
PublicKeyToken=b77a5c561934e089' failed.
System.Security.SecurityException:
at System.Security.CodeAccessSecurityEngine.Check
(Object demand, StackCrawlMark& stackMark, Boolean
isPermSet)
at System.Security.CodeAccessPermission.Demand()
at System.Net.HttpWebRequest..ctor(Uri uri,
ServicePoint servicePoint)
at System.Net.HttpRequestCreator.Create(Uri Uri)
at System.Net.WebRequest.Create(Uri requestUri,
Boolean useUriBase)
at System.Net.WebRequest.Create(Uri requestUri)
at
System.Web.Services.Protocols.WebClientProtocol.GetWe
bRequest(Uri uri)
at
System.Web.Services.Protocols.HttpWebClientProtocol.G
etWebRequest(Uri uri)
at
System.Web.Services.Protocols.SoapHttpClientProtocol.
GetWebRequest(Uri uri)
at
System.Web.Services.Protocols.SoapHttpClientProtocol.
Invoke(String methodName, Object[] parameters)
at MyWebServiceProxy.HelloWorld()
at MyStoredProcedure()
Stored Procedures, Security, Xp_cmdshell
Sep 27, 2000To try to secure an outside web application we set up a user that
only has permission to execute a series of stored procedures that are
related to the appliation. Unfortunately a couple of those stored
procedures have to access system resources outside SQL Server so we
are using a call to xp_cmdshell from inside the stored procedure
SQL Server apparently won't let us do that unless we give our
restricted user (who is calling the initial stored procedure) execute
permission on xp_cmdshell. This, of course, negates most of the benefit
of setting up a restricted user. Is there some simple way I am missing
of running xp_cmdshell from inside s stored procedure without the user
calling the stored procedure having execute permission on xp_cmdshell?
Stored Procedure Security Ideas??
Jan 21, 2004Does anyone know how you can distribute Stored Procedures that work with a third party application but keep the contents / code of those Stored Procedures from being viewed and edited by the end users who have purchased the application as well as own and operate the SQL Server??
Thanks
Stored Procedure Migration And Security
Apr 30, 2008I have an ASP page which is supposed to populate a dropdown based on values returned from a stored procedure. This ASP page is working on our old server. I recently moved all the pages, code, ect over to our new server including migrated to SQL Server 2005 (from 2000 I think), as you can tell, somthing broke...
I assume this is security related however, all the relevant security is set correctly as far as I can tell. I am granting "Execute" access for the stored procedure and "Select" access for all the referenced tables. Am I missing something? Is there another security setting which needs to be set?
How To Provide Security To Stored Procedures
Jul 20, 2005Hi all,I know that it is possible to encrypt Stored Procedures using 'withencyption'.But my problem is that when there are so many decriptingmethods available how far will the encyption be secure.Is there any other method to encrypt the stored procedures that areresiding on the customer sites.We do not want the customers to meddle with the SPs.If anyone knows can u please let me know.ThanksDilini
View 1 Replies View RelatedSecurity Hole In Stored Procedure
Jul 20, 2005here's my stored procedure:CREATE PROCEDURE proc@id varchar(50),@pswd varchar(20),@no_go int OUTPUTASSET NOCOUNT ONSELECT user_id FROM profileWHERE user_id=@id AND pswd=@pswdIF @@ROWCOUNT = 0BEGINSET @no_go = 1ENDELSEBEGINSELECT date,date_mod FROM ansWHERE user_id=@idSET @no_go = 0ENDUsing the PERL odbc_more_results function I can retrieve the data inthe second select statement whether the rowcount is 0 or not. Anysuggestions how to stop this
View 3 Replies View RelatedStored Procedure Security Question
Jul 20, 2005Dear GroupI'm having two stored procedures, sp_a and sp_bContent of stored procedure A:CREATE PROCEDURE dbo.sp_aSELECT * FROM aGOContent of stored procedure B:CREATE PROCEDURE dbo.sp_bSELECT * FROM bGOI have created a user that has execute permissions for both procedures.When I run procedure A, all works fine but when running procedure B I'mgetting an error saying that the user must have SELECT permissions on tableB.Both tables are owned by dbo, and the security role for the user doesn't hasany SELECT permission on table a and b.I'd be grateful if anyone could point me in a direction why this error mightcome up for procedure B but not for A,with a possible solution without giving the user SELECT permissions.Thanks very much for your help!Martin
View 1 Replies View RelatedSecurity, Dynamic SQL, And CLR Stored Procedures
Aug 1, 2006Okay, I have sort of a peculiar permissions question I am wondering if someone can help me with. I'm suspect there's a simple answer, but I'm unaware of it. Basically, here's the scenario...
I have a CLR stored procedure which does some dynamic SQL building based on values sent in via XML. It's a CLR stored procedure using XML because I want to build a parameterized statement (to guard against SQL Injection) based on a flexible number of parameters which are basically passed in the XML.
The dynamic SQL ends up reading from a table I'll call TableX and I actually discovered an (understandable) quirk with security.
Basically, the connection context is impersonating a low-privilaged Windows account ("UserX") coming from a .NET application. UserX has no permission to the table referenced in the dynamic SQL and because of the dyanmic nature of the query, the stored procedure apparently adopts the security context of UserX. Naturally, this throws a security exception saying UserX has no SELECT permission on TableX.
Now, I can give UserX read permission to the table in question to get things running, but one of the points of using stored procedures is to defer security to the procedure level vs. configuration for tables or columns.
So in striving toward my ideal of security at the procedure level, my question is what is the best way to allow minimum privilege in this case?
I thought about having the internals of the CLR stored procedure run under a different (low-privalaged) security context, but I am wondering if there's an alternate configuration that may use the same connection, and be as secure, but simpler.
Dynamic Security Stored Proc
May 7, 2008Hi,
I'm looking for some sample code rather than having to re-invent the wheel.
I need to write an analysis services stored proc that will invoke a SQL stored prod in my DW dataabse to retrieve a list of client_id's. I then need to construct and return a set object. This AS stored proc will be referenced from a role.
I've read few things about using the Set object rather than StrToSet function but then the only way I see to create a Member orSet object from a literal is to build an Expresion object and call the CalculateMdxObject(null).ToSet() function. Is this not equivalent to MDX.StrToSet()?
Also, ideally I'd like to connect to my SQL db by accessing the connection string from the Data Source objects in my AS DB. So far I have not found a way to do this.
Some guidance and sample code would be much appreciated.
Thanks.
Stored Procedure Only Works In When App Uses Trusted Security
Dec 23, 2005Hi,I have a .NET application that connects to a SQL 2000 database usingtrusted security. It eventually calls a stored procedure that receives3 parameters - nothing special.If I simply change the connection string to use a valid Userid andPassword it still connects to the DB w/o problems but when it executesthe SP I get the following:System.Data.SqlClient.SqlException: Invalid length parameter passed tothe substring function.I change nothing but the login. Same store procedure, same parameters.Any ideas?
View 6 Replies View RelatedDisabling Extended Stored Procedures For Security
Jun 29, 2007Our security team wants us to disable access to (or drop) all of the built-in extended stored procedures in MSDE 2000 as they feel it is a vulnerability. Where can I find out which extended procs are safe to disable or how we can disable them during install time? Or, is the security team being too cautious and we should just tell them to leave these intact?
View 5 Replies View Related