Can you grant SA privs to a stored proc?

• Andy Warren

  SSC Guru

  Points: 119747

  More actions

  July 6, 2007 at 7:53 am

  #717692

  I caught the tail of Carl's post just now, pretty much the same thing. Allow the user to flip a bit, or even insert an entire script into a queue table, then have a job that runs once a min that checks the queue and processes as SA. I've used this technique to allow developers to backup/restore certain databases on a dev server without giving them SA or other access. The more specific the table the less danger of course!

  Andy
  SQLAndy - My Blog!
  Connect with me on LinkedIn
  Follow me on Twitter

• K. Brian Kelley

  SSC Guru

  Points: 114532

  More actions

  July 6, 2007 at 7:54 am

  #717694

  Well, a mix of both. Scheduled job polls a table. User has the ability to execute a stored procedure which makes a change in the table. Scheduled job notes the change, executes the process. It could even execute a secondary job. So indirectly the user is starting the job.

  K. Brian Kelley
  @kbriankelley

• Jeff Moden

  SSC Guru

  Points: 1000539

  More actions

  July 6, 2007 at 8:15 am

  #717702

  Great idea... thanks everyone...

  Carl, thanks for the original idea that everyone seems to be hitting on.

  --Jeff Moden

  ---

  RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
  First step towards the paradigm shift of writing Set Based code:
  ________Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.
  "Change is inevitable... change for the better is not".
  

  ---

  Helpful Links:
  How to post code problems
  How to Post Performance Problems
  Create a Tally Function (fnTally)
  Intro to Tally Tables and Functions

• Ronald San Juan

  SSCrazy

  Points: 2937

  More actions

  July 6, 2007 at 8:38 pm

  #717821

  Application Role??

  ---

  Ronald San Juan | SQL DBA
  ID 710124 ~ Code "Northwind"

• Jeff Moden

  SSC Guru

  Points: 1000539

  More actions

  July 6, 2007 at 9:52 pm

  #717824

  Thought about that, Ronald... that, I believe, would allow the Operators to run xp_CmdShell anytime they wanted and that's not a good thing... 'course, I could be wrong especially since I'm the one asking for help   What do you mean by "Application Role" and how could it be used to run a proc that uses xp_CmdShell without the user having the privs to run xp_CmdShell?

  --Jeff Moden

  ---

  RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
  First step towards the paradigm shift of writing Set Based code:
  ________Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.
  "Change is inevitable... change for the better is not".
  

  ---

  Helpful Links:
  How to post code problems
  How to Post Performance Problems
  Create a Tally Function (fnTally)
  Intro to Tally Tables and Functions

• K. Brian Kelley

  SSC Guru

  Points: 114532

  More actions

  July 6, 2007 at 11:41 pm

  #717829

  The problem with an application role is that when it is set in SQL Server 2000 using sp_setapprole (SQL Server 2005 has sp_unsetapprole to revert back), you lose all identity except for the application role. Within the database your user is the application role. As a login you're generally anonymous, meaning you can only do what the guest user can do in a given database.

  Since xp_cmdshell exists in the master database, that basically means either putting an app role in the master database or giving the guest user execute rights on xp_cmdshell. If you have to utilize another database, you really can't go the application role route.

   

  K. Brian Kelley
  @kbriankelley