I have a view in database1 that uses views in database2.
My DBA says I must give users DATA READER permissions to
the tables referenced by the database2 views. I am trying
to keep customers OUT of the tables, only allowing access
thru views.
Do I really have to give DATA READER to the tables in
database2 to get my cross-database view references to work?It depends on whether you allow cross database ownership chaining. This is a
configurable option post SP3 wheras prior to that it was implicit. Basically
if all the views and tables have the same owner e.g. dbo and the databases
themselves are owned by the same login e.g. sa then users with permissions
to select from a view in database1 don't need any explicit permissions on
objects in database2 - they do still require access though.Post SP3 this is
configured using sp_configure 'Cross DB Ownership Chaining' and sp_dboption
with the 'db chaining' option. See BOL for more on cross database ownership
chaining.
HTH
Jasper Smith (SQL Server MVP)
I support PASS - the definitive, global
community for SQL Server professionals -
http://www.sqlpass.org
"Barnes" <anonymous@.discussions.microsoft.com> wrote in message
news:13a2e01c44408$5da79f30$a501280a@.phx
.gbl...
> I have a view in database1 that uses views in database2.
> My DBA says I must give users DATA READER permissions to
> the tables referenced by the database2 views. I am trying
> to keep customers OUT of the tables, only allowing access
> thru views.
> Do I really have to give DATA READER to the tables in
> database2 to get my cross-database view references to work?|||To add to Jasper's response, both databases need to be owned by the same
login in order for the dbo-owned object ownership chain to be unbroken.
Your users still need a security context in database2 but no permissions or
role memberships need to be granted if objects are only accessed indirectly
via referencing database1 objects.
Hope this helps.
Dan Guzman
SQL Server MVP
"Barnes" <anonymous@.discussions.microsoft.com> wrote in message
news:13a2e01c44408$5da79f30$a501280a@.phx
.gbl...
> I have a view in database1 that uses views in database2.
> My DBA says I must give users DATA READER permissions to
> the tables referenced by the database2 views. I am trying
> to keep customers OUT of the tables, only allowing access
> thru views.
> Do I really have to give DATA READER to the tables in
> database2 to get my cross-database view references to work?
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment