问题
Our SQL Server database has a reporting feature that allows callers to read, but not write, any table, because the user (or, more precise, the connection opened by the web app that's operating on behalf of the user) has only datareader permissions on the database.
We'd like to be able to write a store procedure that is a special "cleanup report" that will scrub the DB of old cached data before running another report. We'd like the same read-only user above to be able to run this stored proc. The queries inside the stored proc will do DELETE operations, but we don't want to give the user the ability to delete anything other than by via calling this proc.
I know about Module Signing but was hoping to avoid the complexity of dealing with certificates.
Is there another solution? We're using SQL Standard Authentication if that matters.
回答1:
CREATE PROCEDURE dbo.my_procedure
WITH EXECUTE AS OWNER
AS
BEGIN
-- do your stuff here
END
GO
GRANT EXEC ON dbo.my_procedure TO [your_datareader_member];
GO
回答2:
The granted permission to execute the procedure will allow the delete to occur.
In fact this is a very relevant scenario, to limit ability to perform certain operations (such as delete). The user may not delete random rows from random tables but they can execute a specific targeted delete procedure.
来源:https://stackoverflow.com/questions/15980286/can-a-sql-server-stored-proc-execute-with-higher-permission-than-its-caller