SQL Server 2008 R2
We have a login & user called "JoeBlogs", this user has it's own default
schema of JoeBlogs - it has
Public access only to the database.
We then granted it
SELECT on a
dbo view - the
dbo view however selects data from underlying tables that belong to a non-dbo schema - so we get an error selecting from the view saying access was denied to underlying tables.
How does one configure the user to have select access to the
dbo view but not the underlying non-dbo tables?
Is this even possible?
You have to understand the problem before proceeding with the solution.
When you select from a view the SQL Server system would check permissions twice:
Once when you select from the view, and once when the view makes reference to the underlying table.
Obviously the second check would fail if the user has no permission on the underlying table.
Microsoft have solved this with "Ownership Chaining" (known as OC).
OC will bypass the permission check that would be done when the view is referencing the table,
Only if the owner of the view is the same as the owner of the table.
The thing is, OC is bypassing permission checks completely, which means that it can bypass denies as well...
For example, if "JoeBlogs" has the
create view permission, he can create a new view which has access to the entire table.
I suggest you read about ownership chaining before you decide your course of action.
Having said that, the first Intuitive solution would be to create the view under the same non-dbo schema as the underlying tables (or a schema owned by the same user as the non-dbo schema).
However, if you find that solution to be too risky there is another (and maybe even better) option:
You can always use a function (Multistatement Table-valued Function) with an
EXECUTE AS clause:
Create function syntax
execute as clause
This method will allow you to select from the function (
execute permission on the function) while the function belongs to
dbo. The user specified in the
execute as clause must have permissions on the underlying tables.
External links referenced by this document: