Saturday, 25 February 2012

Confused About Permission

I read a few articles on best SQL practices and they kept coming back to using a Least Privileged Account. So I did so and gave that account read only permissions. The articles also said to do updates use Stored Procedures - so I created stored procedures for updating/deleting data.

So here's my problem - I connect to the database using the Least Privileged Account, I use the Stored Procedures, but .NET keeps saying I lack permissions. If I GRANT the Least Privileged Account UPDATE/DELETE permission on the table, the Stored Procedures run perfectly. But isn't that EXACTLY what I'm trying to avoid?

My greatest concern is someone hacks my website and using the Least Privileged Account, they delete all my data using that account. So I don't want to give the Least Privileged Account the Update/Delete privileges.

Thanks a MILLION in advance!

Do you grant EXECUTE permission on the stored procedures to the account?

Once that is done you do not need UPDATE/DELETE on the tables for the account.

|||I granted execute permissions to the stored procedures, but it still fails when I check OFF the Update permission on the table (and still works when I check ON the Update permission). Any other ideas?|||

I figured out my problem (thanks to TATWORTH). I was creating the SP's while logging in as the least privileged account, so therefore the SP was [LeastPrivilegedAccount].[StoredProcedureName] - this required the Least privileged user to have the permissions. Now I created the SP's as [dbo].[StoredProcedureName] and granted the Least privileged user EXECUTE permissions.

It works perfectly! Thanks a MILLION!!1Big Smile

No comments:

Post a Comment