Packaging Permissions in Stored Procedures

The December Ohio North Database Training user group meeting will be held on Tuesday, December 3rd, 2024 at 5:00PM. This will be a HYBRID event and our featured speaker, Erland Sommarskog, will be joining us remotely from Sweden!

You're welcome to come meet in-person at our usual meeting location at the Artemis offices at:

6161 Oak Tree Blvd, Ste 300
Independence, OH 44131

Agenda:

5:00 PM EST: Online and in-person meeting begins with a social hour. This is an unstructured hour where you can join us to catch up and meet other group members before the session starts. There will be pizza brought in for in-person attendees.

6:00 PM EST: Updates and announcements, followed by our feature presentation. See below for presentation details.

7:30 PM EST: Optionally after the main presentations, the in-person crowd may go out for snacks and drinks at a local establishment.

We hope to see you there!

*Please note, that we will be using Microsoft Teams for the online portion of this meeting. You may want to join a few minutes early to ensure you do not have any issues. If you are attending in person, there are large TVs at the office, and you do not need to bring a laptop or use Teams.

Featured Presentation:

Packaging Permissions in Stored Procedures

The basic mechanism when we want to give users access to data or actions in SQL Server in a controlled way through stored procedure is ownership chaining. This is something we use every day as SQL workers, although we may not be aware of it. Every once in a while, we run into situations where it seems that it is not sufficient to put a statement in a stored procedure, but that users need to be granted explicit permissions – something we may not always be comfortable with, because that would permit the users to do things we do not want them to be able to.

There are two additional mechanisms in SQL Server we can employ in these situations: certificate signing and the EXECUTE AS clause. In this session I will start by exploring how ownership chaining works and its limitations. I will then proceed to explore the other two options and I will particularly focus on certificate signing, as this is the preferred method. At first it may seem overly complex, but I will show how it easily can be automated. EXECUTE AS may seem simpler, but I will point out potential problems with it, not the least if you try to use it on server level and consider to set the database as TRUSTWORTHY. This session is directed towards both developers and DBAs, as this session deals with problems you may face in either roles.