Remove From My Forums

GRANT permission to an Application Role

Question
0

Sign in to vote

Hi,
I have a problem using GRANT.
I have 2 DB (A & B) on the same server.
On the A DB is defined an Application Role (MyApplicationRole).
How can I GRANT permission on DB B (or only on some tables) to MyApplicationRole ?
I didn't find the correct syntax...

Wednesday, January 28, 2009 2:46 PM

Answers

0

Sign in to vote
    An alternative to using Cross DB Ownership chaining (CDOC), application roles or EXECUTE AS in cross-database access could be using digital signatures to establish a controlled trust relationship. I wrote an article on this topic some time ago that I hope will be useful: http://blogs.msdn.com/raulga/archive/2006/10/30/using-a-digital-signature-as-a-secondary-identity-to-replace-cross-database-ownership-chaining.aspx
BTW. Regarding cross-database behavior for application roles. Approles are not design for cross DB usage, the following thread describes in detail the restrictions around cross-DB access for application roles: http://social.msdn.microsoft.com/Forums/en-US/sqlsecurity/thread/b12821f5-fcd6-4d49-83b6-da7220339411/

I hope this information helps; please let us know if you any question.

-Raul Garcia
   SDE/T
   SQL Server Engine
This posting is provided "AS IS" with no warranties, and confers no rights.
- Marked as answer by Nazza Thursday, January 29, 2009 8:34 AM
Wednesday, January 28, 2009 10:21 PM

All replies

0

Sign in to vote

Hi
I found a solution by myself.
Simply use the Impersonation (WITH EXECUTE AS ...) in the Stored Procedure that queries 2 DataBases.

Wednesday, January 28, 2009 4:17 PM
0

Sign in to vote
Remember that his will either need a higher priviledged account than you want to OR you will need to enable Cross database ownership chaining, which opens a security hole as well.

Jens K. Suessmeyer
- Proposed as answer by Jens K. Suessmeyer -Microsoft employee Friday, January 30, 2009 1:53 PM
Wednesday, January 28, 2009 6:59 PM
0

Sign in to vote
    An alternative to using Cross DB Ownership chaining (CDOC), application roles or EXECUTE AS in cross-database access could be using digital signatures to establish a controlled trust relationship. I wrote an article on this topic some time ago that I hope will be useful: http://blogs.msdn.com/raulga/archive/2006/10/30/using-a-digital-signature-as-a-secondary-identity-to-replace-cross-database-ownership-chaining.aspx
BTW. Regarding cross-database behavior for application roles. Approles are not design for cross DB usage, the following thread describes in detail the restrictions around cross-DB access for application roles: http://social.msdn.microsoft.com/Forums/en-US/sqlsecurity/thread/b12821f5-fcd6-4d49-83b6-da7220339411/

I hope this information helps; please let us know if you any question.

-Raul Garcia
   SDE/T
   SQL Server Engine
This posting is provided "AS IS" with no warranties, and confers no rights.
- Marked as answer by Nazza Thursday, January 29, 2009 8:34 AM
Wednesday, January 28, 2009 10:21 PM
0

Sign in to vote

Hi Jens, hi Raul,
I know that using Impersonation I open a security hole. Anyway my application is used only on a intranet, so I think I shouldn't have many problems.
Raul, thank you for your articles, I'll read them asap. I'm interested about digital signatures, I'll think about the possibility to use in replacement of Impersonation.
Thank you very much !

Thursday, January 29, 2009 8:34 AM
0

Sign in to vote

Hi Nazza,

What sintax did you use to grant impersonate to your stored procedure?

Friday, July 17, 2009 2:32 PM
0

Sign in to vote
Hi fgiacomel,
you can find the syntax in the MSDN, look the link below:
http://msdn.microsoft.com/en-us/library/ms188354.aspx

I used

WITH EXECUTE AS 'user_name'

where user_name has the permissions needed.
Friday, July 17, 2009 2:57 PM

Answered by:

GRANT permission to an Application Role

Question

Answers

All replies