Database Administration
sql-server security schema view
Updated Sun, 29 May 2022 00:03:54 GMT

Grant select to dbo view without select on non dbo tables

SQL Server 2008 R2

We have a login & user called "JoeBlogs", this user has it's own default schema of JoeBlogs - it has Public access only to the database.

We then granted it SELECT on a dbo view - the dbo view however selects data from underlying tables that belong to a non-dbo schema - so we get an error selecting from the view saying access was denied to underlying tables.

How does one configure the user to have select access to the dbo view but not the underlying non-dbo tables?

Is this even possible?



You have to understand the problem before proceeding with the solution.
When you select from a view the SQL Server system would check permissions twice:
Once when you select from the view, and once when the view makes reference to the underlying table.
Obviously the second check would fail if the user has no permission on the underlying table.

Microsoft have solved this with "Ownership Chaining" (known as OC).
OC will bypass the permission check that would be done when the view is referencing the table,
Only if the owner of the view is the same as the owner of the table.
The thing is, OC is bypassing permission checks completely, which means that it can bypass denies as well...
For example, if "JoeBlogs" has the create view permission, he can create a new view which has access to the entire table.
I suggest you read about ownership chaining before you decide your course of action.

books online
msdn blog
detailed example, using a stored procedure instead of view

Having said that, the first Intuitive solution would be to create the view under the same non-dbo schema as the underlying tables (or a schema owned by the same user as the non-dbo schema).
However, if you find that solution to be too risky there is another (and maybe even better) option:
You can always use a function (Multistatement Table-valued Function) with an EXECUTE AS clause:
Create function syntax
execute as clause
This method will allow you to select from the function (execute permission on the function) while the function belongs to dbo. The user specified in the execute as clause must have permissions on the underlying tables.