English 中文(简体)
How to control access to a Stored Procedure in SQL Server?
原标题:

I want to be able to have a Stored Procedure that can only be used from a particular page, without having to create a permissions / role for a user, when it is just a single stored procedure I want accessed in this way.

For example I want to have a proc_GetCustomerItems stored procedure which takes the Parameter of CustomerID and then returns a list of Items a Customer has purchased, however I want this to only work for the place which lists the Customer Items eg. the ASP Page which shows this list, but not work from anywhere else, such as Query Analyser etc.
Would this be done with another parameter to provide additional security information, the basic issue is how to allow only certain Methods and Pages access to a Stored Procedure, could this be done with a Role or Permissions?

The main issue is how to set the access rights to a Stored Procedure correctly to a particular method in code, which will help enforce the use of said Stored Procedure, so one has to explicitly allow a GetCustomerItems method (in ASP for example) access to use this Stored Procedure.

I m guessing Roles and User Access will be the suggested alternative, but I would be interested if it is possible to restrict access to a Stored Procedure by where it is called from.

最佳回答

Hard to know whether it would be suitable for you or not, and usually I m pro-stored procedures but the only alternative I could suggest is that you don t use a stored procedure.

Instead, use parameterised sql from the page in question. This way, there s no stored procedure existing to be used from anywhere else.

This would mean, if not already the case, that the user account being used would need direct permissions on the underlying tables.

时间:2009-11-06 15:22:39
问题回答

No, this is not possible. The nearest I can imagine you getting to this is the page that only has access to the certain stored proc uses different credentials from the rest of the pages. If you want people to not access the proc using Query Analyser you can use the standard SQL Server security features.

时间:2009-11-06 14:58:53

The closest you could get would be to add code to the beginning of your stored procedure that queried the values of APP_NAME(), HOST_NAME(), HOST_ID(), CURRENT_USER and perhaps others, and if any didn t match the relevant values for your app then just return NULL or an empty row. This wouldn t be page-specific, of course, and there wouldn t be anything to stop someone using Query Analyzer to view the contents of the stored procedure itself.

时间:2009-11-06 15:10:23


上一篇:
下一篇:


相关问题
Export tables from SQL Server to be imported to Oracle 10g

I m trying to export some tables from SQL Server 2005 and then create those tables and populate them in Oracle. I have about 10 tables, varying from 4 columns up to 25. I m not using any constraints/...

时间:2009-11-13 11:32:52 回答:3 展示:1
SQL server: Can NT accounts be mapped to SQL server accounts

In our database we have an SQL server account that has the correct roles to access some of the databases. We are now switching to windows authentication and I was wondering if we can create a NT user ...

时间:2009-11-13 11:16:11 回答:1 展示:1
SQL Server 2000, ADO 2.8, VB6

How to determine if a Transaction is active i.e. before issuing Begin Transaction I want to ensure that no previous transaction are open.. the platform is VB6, MS-SQL Server 2000 and ADO 2.8

时间:2009-11-05 09:41:09 回答:1 展示:1
热门标签

友情链接

Allggapp Alljchome-教程家园 mvfinale.com-影视剧情大结局大全