Sybase NNTP forums - End Of Life (EOL)

The NNTP forums from Sybase - forums.sybase.com - are now closed.

All new questions should be directed to the appropriate forum at the SAP Community Network (SCN).

Individual products have links to the respective forums on SCN, or you can go to SCN and search for your product in the search box (upper right corner) to find your specific developer center.

ASE15.0.3 permissions between databases

8 posts in General Discussion Last posting was on 2010-04-07 14:28:42.0Z
George Brink Posted on 2010-04-02 17:05:11.0Z
From: George Brink <siberianowl@yahoo.com>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
Newsgroups: sybase.public.ase.general
Subject: ASE15.0.3 permissions between databases
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
NNTP-Posting-Host: vip152.sybase.com
X-Original-NNTP-Posting-Host: vip152.sybase.com
Message-ID: <4bb623c7$1@forums-1-dub>
Date: 2 Apr 2010 09:05:11 -0800
X-Trace: forums-1-dub 1270227911 10.22.241.152 (2 Apr 2010 09:05:11 -0800)
X-Original-Trace: 2 Apr 2010 09:05:11 -0800, vip152.sybase.com
Lines: 29
Path: forums-1-dub!not-for-mail
Xref: forums-1-dub sybase.public.ase.general:29089
Article PK: 78327

I have two databases. One of them has stored procedures which belong to
a super-user (login name sysu). From these stored procedures I am trying
to read data from another database from tables which belong to dbo.
Users sysu is an alias to dbo. Database has a guest user without any
permissions.

In other words: db1 has a stored procedure:
---
use db1
go
create procedure sysu.test
as
select * from db2.dbo.sometable
go
grant execute on sysu.test to user1
go
---

Now, when I connect as user1 and try to run this procedure, I receive
error message "SELECT permission denied on object sometable, database
db2, owner dbo".

What is going on? Permission delegation works perfectly well while
stored procedure is accessing tables from the same database as itself,
but do not if table is in other database???

I do not want to give anyone select permissions on tables in my second
database, but users require data from it and therefore my stored
procedures have to "cross the border". How can I solve this?


Leonid Gvirtz Posted on 2010-04-03 09:34:16.0Z
From: Leonid Gvirtz <lgvirtz@yahoo.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4
MIME-Version: 1.0
Newsgroups: sybase.public.ase.general
Subject: Re: ASE15.0.3 permissions between databases
References: <4bb623c7$1@forums-1-dub>
In-Reply-To: <4bb623c7$1@forums-1-dub>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
NNTP-Posting-Host: vip152.sybase.com
X-Original-NNTP-Posting-Host: vip152.sybase.com
Message-ID: <4bb70b98@forums-1-dub>
Date: 3 Apr 2010 01:34:16 -0800
X-Trace: forums-1-dub 1270287256 10.22.241.152 (3 Apr 2010 01:34:16 -0800)
X-Original-Trace: 3 Apr 2010 01:34:16 -0800, vip152.sybase.com
Lines: 50
Path: forums-1-dub!not-for-mail
Xref: forums-1-dub sybase.public.ase.general:29091
Article PK: 78328

Hi George

I think I succeeded to reproduce the problem. If I understand you
correctly, sysu is a true user in db1 database and is aliased as dbo in
db2 database. Despite of the alias presenting, owners of sometable (dbo)
and the stored procedure (sysu) are still different and the ownership
chain is broken. As result, ASE checks permissions on objects referenced
by the procedure. When you execute the procedure as user1, ASE tries to
find user1 in db2 and, since it doesn't exist, tries to use the guest
user. Since guest user doesn't have select permission on dbo.sometable,
you receive a error message and seems to be expected behavior. I think
that creating the procedure with user dbo instead of sysu should solve
the problem. See the following link for more details:
http://infocenter.sybase.com/help/topic/com.sybase.infocenter.dc31654.1502/html/sag1/X53658.htm

Hope it helps
Leonid Gvirtz
http://www.gvirtz-consulting.com

On 4/2/2010 8:05 PM, George Brink wrote:
> I have two databases. One of them has stored procedures which belong
> to a super-user (login name sysu). From these stored procedures I am
> trying to read data from another database from tables which belong to
> dbo. Users sysu is an alias to dbo. Database has a guest user without
> any permissions.
>
> In other words: db1 has a stored procedure:
> ---
> use db1
> go
> create procedure sysu.test
> as
> select * from db2.dbo.sometable
> go
> grant execute on sysu.test to user1
> go
> ---
>
> Now, when I connect as user1 and try to run this procedure, I receive
> error message "SELECT permission denied on object sometable, database
> db2, owner dbo".
>
> What is going on? Permission delegation works perfectly well while
> stored procedure is accessing tables from the same database as itself,
> but do not if table is in other database???
>
> I do not want to give anyone select permissions on tables in my second
> database, but users require data from it and therefore my stored
> procedures have to "cross the border". How can I solve this?


Carl Kayser Posted on 2010-04-04 15:59:22.0Z
From: "Carl Kayser" <kayser_c@bls.gov>
Newsgroups: sybase.public.ase.general
References: <4bb623c7$1@forums-1-dub> <4bb70b98@forums-1-dub>
Subject: Re: ASE15.0.3 permissions between databases
Lines: 92
Organization: BLS
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.5843
X-RFC2646: Format=Flowed; Response
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579
NNTP-Posting-Host: vip152.sybase.com
X-Original-NNTP-Posting-Host: vip152.sybase.com
Message-ID: <4bb8a94a$1@forums-1-dub>
Date: 4 Apr 2010 07:59:22 -0800
X-Trace: forums-1-dub 1270393162 10.22.241.152 (4 Apr 2010 07:59:22 -0800)
X-Original-Trace: 4 Apr 2010 07:59:22 -0800, vip152.sybase.com
Path: forums-1-dub!not-for-mail
Xref: forums-1-dub sybase.public.ase.general:29095
Article PK: 78333


"Leonid Gvirtz" <lgvirtz@yahoo.com> wrote in message
news:4bb70b98@forums-1-dub...
> Hi George
>
> I think I succeeded to reproduce the problem. If I understand you
> correctly, sysu is a true user in db1 database and is aliased as dbo in
> db2 database. Despite of the alias presenting, owners of sometable (dbo)
> and the stored procedure (sysu) are still different and the ownership
> chain is broken. As result, ASE checks permissions on objects referenced
> by the procedure. When you execute the procedure as user1, ASE tries to
> find user1 in db2 and, since it doesn't exist, tries to use the guest
> user. Since guest user doesn't have select permission on dbo.sometable,
> you receive a error message and seems to be expected behavior. I think
> that creating the procedure with user dbo instead of sysu should solve the
> problem. See the following link for more details:
> http://infocenter.sybase.com/help/topic/com.sybase.infocenter.dc31654.1502/html/sag1/X53658.htm
>
> Hope it helps
> Leonid Gvirtz
> http://www.gvirtz-consulting.com
>

Some comments on the referenced document.



It is obvious that dynamic SQL executed within an SP requires run-time
checking of permissions. Not an issue with the OP but worth noting.



I notice the terms "same user" and "valid user". These are not defined in
the ASE 15.5 glossary and their meanings are not 100% clear to me.



If there is a "valid user" then I would think that an "invalid user" has
meaning, otherwise why isn't "user" used instead. Hence, what is an
"invalid user"? Apparently a guest user is one since the document refers to
". is a valid user or guest user in each ." Seems weird to me but . OK, I'll
accept it. In which case sso_role (and other systemic roles) are other
"invalid users" in a database? In particular there is the sa_role user in
sysusers but, unlike the sso_role user, the identity is never taken on since
an SA will be either a database user or assume the DBO identity as a user.



What is meant by "same user"? Although objects can be created by different
logins that are still owned by the same "user" (i.e., same uid value but
different loginame values) via aliases I don't think that this would apply
to view usage or SP execution. On the other hand it seems to me that
"George" in db1 is not necessarily "George" in db2 since login names and
user names can differ. I expect "same user" to mean that suser_id () and
suser_name () return the same values in both db1 and db2.



> On 4/2/2010 8:05 PM, George Brink wrote:
>> I have two databases. One of them has stored procedures which belong to a
>> super-user (login name sysu). From these stored procedures I am trying to
>> read data from another database from tables which belong to dbo. Users
>> sysu is an alias to dbo. Database has a guest user without any
>> permissions.
>>
>> In other words: db1 has a stored procedure:
>> ---
>> use db1
>> go
>> create procedure sysu.test
>> as
>> select * from db2.dbo.sometable
>> go
>> grant execute on sysu.test to user1
>> go
>> ---
>>
>> Now, when I connect as user1 and try to run this procedure, I receive
>> error message "SELECT permission denied on object sometable, database
>> db2, owner dbo".
>>
>> What is going on? Permission delegation works perfectly well while stored
>> procedure is accessing tables from the same database as itself, but do
>> not if table is in other database???
>>
>> I do not want to give anyone select permissions on tables in my second
>> database, but users require data from it and therefore my stored
>> procedures have to "cross the border". How can I solve this?
>


Michael Peppler [Team Sybase] Posted on 2010-04-06 03:34:13.0Z
From: "Michael Peppler [Team Sybase]" <mpeppler@peppler.org>
Organization: Peppler Consulting SARL
Subject: Re: ASE15.0.3 permissions between databases
User-Agent: Pan/0.14.2 (This is not a psychotic episode. It's a cleansing moment of clarity.)
Message-ID: <pan.2010.04.06.03.34.11.737589@peppler.org>
Newsgroups: sybase.public.ase.general
References: <4bb623c7$1@forums-1-dub> <4bb70b98@forums-1-dub> <4bb8a94a$1@forums-1-dub>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
NNTP-Posting-Host: vip152.sybase.com
X-Original-NNTP-Posting-Host: vip152.sybase.com
Date: 5 Apr 2010 20:34:13 -0700
X-Trace: forums-1-dub 1270524853 10.22.241.152 (5 Apr 2010 20:34:13 -0700)
X-Original-Trace: 5 Apr 2010 20:34:13 -0700, vip152.sybase.com
Lines: 46
Path: forums-1-dub!not-for-mail
Xref: forums-1-dub sybase.public.ase.general:29101
Article PK: 78338


On Sun, 04 Apr 2010 07:59:22 -0800, Carl Kayser wrote:
>
> Some comments on the referenced document.
>
>
>
> It is obvious that dynamic SQL executed within an SP requires run-time
> checking of permissions. Not an issue with the OP but worth noting.

Not necessarily. See sp_procxmode 'dynamic'.


> I notice the terms "same user" and "valid user". These are not defined in
> the ASE 15.5 glossary and their meanings are not 100% clear to me.
>
>
>
> If there is a "valid user" then I would think that an "invalid user" has
> meaning, otherwise why isn't "user" used instead. Hence, what is an
> "invalid user"? Apparently a guest user is one since the document refers to
> ". is a valid user or guest user in each ." Seems weird to me but . OK, I'll
> accept it. In which case sso_role (and other systemic roles) are other
> "invalid users" in a database? In particular there is the sa_role user in
> sysusers but, unlike the sso_role user, the identity is never taken on since
> an SA will be either a database user or assume the DBO identity as a user.
>
>
>
> What is meant by "same user"? Although objects can be created by different
> logins that are still owned by the same "user" (i.e., same uid value but
> different loginame values) via aliases I don't think that this would apply
> to view usage or SP execution. On the other hand it seems to me that
> "George" in db1 is not necessarily "George" in db2 since login names and
> user names can differ. I expect "same user" to mean that suser_id () and
> suser_name () return the same values in both db1 and db2.

The login of the user that created the object is significant. It is
recorded in sysobjects.login. So an object created by login "joe" who is
aliased to DBO is not the same as an object created by login "jack" also
aliased to DBO, and is again different from the login who is the "real"
database owner. For cross-database purposes the first two break the
ownership chain unless they are set up exactly the same way in the other
database.

Michael


Carl Kayser Posted on 2010-04-06 12:35:58.0Z
From: "Carl Kayser" <kayser_c@bls.gov>
Newsgroups: sybase.public.ase.general
References: <4bb623c7$1@forums-1-dub> <4bb70b98@forums-1-dub> <4bb8a94a$1@forums-1-dub> <pan.2010.04.06.03.34.11.737589@peppler.org>
Subject: Re: ASE15.0.3 permissions between databases
Lines: 84
Organization: BLS
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.5843
X-RFC2646: Format=Flowed; Original
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579
NNTP-Posting-Host: vip152.sybase.com
X-Original-NNTP-Posting-Host: vip152.sybase.com
Message-ID: <4bbb2aae$1@forums-1-dub>
Date: 6 Apr 2010 05:35:58 -0700
X-Trace: forums-1-dub 1270557358 10.22.241.152 (6 Apr 2010 05:35:58 -0700)
X-Original-Trace: 6 Apr 2010 05:35:58 -0700, vip152.sybase.com
Path: forums-1-dub!not-for-mail
Xref: forums-1-dub sybase.public.ase.general:29102
Article PK: 78340


"Michael Peppler [Team Sybase]" <mpeppler@peppler.org> wrote in message
news:pan.2010.04.06.03.34.11.737589@peppler.org...
> On Sun, 04 Apr 2010 07:59:22 -0800, Carl Kayser wrote:
>>
>> Some comments on the referenced document.
>>
>>
>>
>> It is obvious that dynamic SQL executed within an SP requires run-time
>> checking of permissions. Not an issue with the OP but worth noting.
>
> Not necessarily. See sp_procxmode 'dynamic'.

Interesting. Thank you! However the 15.5 documentation has to be incorrect
since it says the same thing for the option being either on or off!:
. Executing sp_procxmode procname, 'Dynamic Ownership Chain' makes sure that
any Dynamic SQL (execute immediate) statements within the stored procedure
get their permissions checked against the procedure creator.

. Executing sp_procxmode procname, 'No Dynamic Ownership Chain' (the default
behaviour if omitted) makes sure that any Dynamic SQL (execute immediate)
statements within the stored procedure get their permissions checked against
the procedure executor.

It would be nice to know exactly what the two options really mean.

>
>
>> I notice the terms "same user" and "valid user". These are not defined
>> in
>> the ASE 15.5 glossary and their meanings are not 100% clear to me.
>>
>>
>>
>> If there is a "valid user" then I would think that an "invalid user" has
>> meaning, otherwise why isn't "user" used instead. Hence, what is an
>> "invalid user"? Apparently a guest user is one since the document refers
>> to
>> ". is a valid user or guest user in each ." Seems weird to me but . OK,
>> I'll
>> accept it. In which case sso_role (and other systemic roles) are other
>> "invalid users" in a database? In particular there is the sa_role user
>> in
>> sysusers but, unlike the sso_role user, the identity is never taken on
>> since
>> an SA will be either a database user or assume the DBO identity as a
>> user.
>>
>>
>>
>> What is meant by "same user"? Although objects can be created by
>> different
>> logins that are still owned by the same "user" (i.e., same uid value but
>> different loginame values) via aliases I don't think that this would
>> apply
>> to view usage or SP execution. On the other hand it seems to me that
>> "George" in db1 is not necessarily "George" in db2 since login names and
>> user names can differ. I expect "same user" to mean that suser_id () and
>> suser_name () return the same values in both db1 and db2.
>
> The login of the user that created the object is significant. It is
> recorded in sysobjects.login. So an object created by login "joe" who is
> aliased to DBO is not the same as an object created by login "jack" also
> aliased to DBO, and is again different from the login who is the "real"
> database owner. For cross-database purposes the first two break the
> ownership chain unless they are set up exactly the same way in the other
> database.
>
> Michael
>

Are you sure about your claim? (Obviously there can't be procs ABC created
seperately by "joe" and "jack" as described above. There is a unique index
on sysobjects (name, uid). loginame is not included. But I don't think
that you are stating this.) Continuing on ... how are x-db permissions
checked? Sysobjects has to be checked in the "called database". (Perhaps
the objectid doesn't exist. Call-by-name would have to be done on
sysobjects, correct?) Either way sysobjects.loginame would be available.
So if loginame is the same then sysprotects is not checked? And if loginame
is not an alias in both DBs then there are no problems? (By checking both
sysusers and master.dbo.syslogins?)


George Brink Posted on 2010-04-06 16:58:36.0Z
From: George Brink <siberianowl@yahoo.com>
User-Agent: Thunderbird 2.0.0.24 (Windows/20100228)
MIME-Version: 1.0
Newsgroups: sybase.public.ase.general
Subject: Re: ASE15.0.3 permissions between databases
References: <4bb623c7$1@forums-1-dub> <4bb70b98@forums-1-dub> <4bb8a94a$1@forums-1-dub> <pan.2010.04.06.03.34.11.737589@peppler.org> <4bbb2aae$1@forums-1-dub>
In-Reply-To: <4bbb2aae$1@forums-1-dub>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
NNTP-Posting-Host: vip152.sybase.com
X-Original-NNTP-Posting-Host: vip152.sybase.com
Message-ID: <4bbb683c$1@forums-1-dub>
Date: 6 Apr 2010 09:58:36 -0700
X-Trace: forums-1-dub 1270573116 10.22.241.152 (6 Apr 2010 09:58:36 -0700)
X-Original-Trace: 6 Apr 2010 09:58:36 -0700, vip152.sybase.com
Lines: 35
Path: forums-1-dub!not-for-mail
Xref: forums-1-dub sybase.public.ase.general:29104
Article PK: 78342


Carl Kayser wrote:
> "Michael Peppler [Team Sybase]" <mpeppler@peppler.org> wrote in message
> news:pan.2010.04.06.03.34.11.737589@peppler.org...
>> The login of the user that created the object is significant. It is
>> recorded in sysobjects.login. So an object created by login "joe" who is
>> aliased to DBO is not the same as an object created by login "jack" also
>> aliased to DBO, and is again different from the login who is the "real"
>> database owner. For cross-database purposes the first two break the
>> ownership chain unless they are set up exactly the same way in the other
>> database.
>>
>> Michael
>>
>
> Are you sure about your claim? (Obviously there can't be procs ABC created
> seperately by "joe" and "jack" as described above. There is a unique index
> on sysobjects (name, uid). loginame is not included. But I don't think
> that you are stating this.) Continuing on ... how are x-db permissions
> checked? Sysobjects has to be checked in the "called database". (Perhaps
> the objectid doesn't exist. Call-by-name would have to be done on
> sysobjects, correct?) Either way sysobjects.loginame would be available.
> So if loginame is the same then sysprotects is not checked? And if loginame
> is not an alias in both DBs then there are no problems? (By checking both
> sysusers and master.dbo.syslogins?)

Yes, Michael is correct. I just checked.
Procedure db1.sysu.proc1 created in db1 by the real sysu user is unable
to read data from table db2.sysu.sometable if this table was created by
a db2's dbo with the use of setuser command. Error message is about
insufficient permissions to select from table.
But if the table db2.sysu.sometable is created by the real sysu - no errors.
So yes. Login name should be the same on objects in both databases for
permission inheritance to work...


Carl Kayser Posted on 2010-04-07 14:28:42.0Z
From: "Carl Kayser" <kayser_c@bls.gov>
Newsgroups: sybase.public.ase.general
References: <4bb623c7$1@forums-1-dub> <4bb70b98@forums-1-dub> <4bb8a94a$1@forums-1-dub> <pan.2010.04.06.03.34.11.737589@peppler.org> <4bbb2aae$1@forums-1-dub>
Subject: Re: ASE15.0.3 permissions between databases
Lines: 38
Organization: BLS
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.5843
X-RFC2646: Format=Flowed; Response
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579
NNTP-Posting-Host: vip152.sybase.com
X-Original-NNTP-Posting-Host: vip152.sybase.com
Message-ID: <4bbc969a$1@forums-1-dub>
Date: 7 Apr 2010 07:28:42 -0700
X-Trace: forums-1-dub 1270650522 10.22.241.152 (7 Apr 2010 07:28:42 -0700)
X-Original-Trace: 7 Apr 2010 07:28:42 -0700, vip152.sybase.com
Path: forums-1-dub!not-for-mail
Xref: forums-1-dub sybase.public.ase.general:29106
Article PK: 78344


"Carl Kayser" <kayser_c@bls.gov> wrote in message
news:4bbb2aae$1@forums-1-dub...
>
> "Michael Peppler [Team Sybase]" <mpeppler@peppler.org> wrote in message
> news:pan.2010.04.06.03.34.11.737589@peppler.org...
>> On Sun, 04 Apr 2010 07:59:22 -0800, Carl Kayser wrote:
>>>
>>> Some comments on the referenced document.
>>>
>>>
>>>
>>> It is obvious that dynamic SQL executed within an SP requires run-time
>>> checking of permissions. Not an issue with the OP but worth noting.
>>
>> Not necessarily. See sp_procxmode 'dynamic'.
>
> Interesting. Thank you! However the 15.5 documentation has to be
> incorrect since it says the same thing for the option being either on or
> off!:
> . Executing sp_procxmode procname, 'Dynamic Ownership Chain' makes sure
> that any Dynamic SQL (execute immediate) statements within the stored
> procedure get their permissions checked against the procedure creator.
>
> . Executing sp_procxmode procname, 'No Dynamic Ownership Chain' (the
> default behaviour if omitted) makes sure that any Dynamic SQL (execute
> immediate) statements within the stored procedure get their permissions
> checked against the procedure executor.
>
> It would be nice to know exactly what the two options really mean.
>

(SNIP)

Duh! The difference is with the last word of each bullet: "creator" vs.
"executor". (I'm surprised that no one commented earlier.)


George Brink Posted on 2010-04-05 20:36:14.0Z
From: George Brink <siberianowl@yahoo.com>
User-Agent: Thunderbird 2.0.0.24 (Windows/20100228)
MIME-Version: 1.0
Newsgroups: sybase.public.ase.general
Subject: Re: ASE15.0.3 permissions between databases
References: <4bb623c7$1@forums-1-dub> <4bb70b98@forums-1-dub>
In-Reply-To: <4bb70b98@forums-1-dub>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
NNTP-Posting-Host: vip152.sybase.com
X-Original-NNTP-Posting-Host: vip152.sybase.com
Message-ID: <4bba49be$1@forums-1-dub>
Date: 5 Apr 2010 13:36:14 -0700
X-Trace: forums-1-dub 1270499774 10.22.241.152 (5 Apr 2010 13:36:14 -0700)
X-Original-Trace: 5 Apr 2010 13:36:14 -0700, vip152.sybase.com
Lines: 60
Path: forums-1-dub!not-for-mail
Xref: forums-1-dub sybase.public.ase.general:29098
Article PK: 78336

Got it, thanks.

Unfortunately, I can not give stored procedure to dbo in db1 or tables
to sysu in db2 - "corporate standards"...
I guess the only solution I can use in this case is to allow selects
from tables in db2 to all users who are allowed to execute procedures
which uses those tables.

Leonid Gvirtz wrote:
> Hi George
>
> I think I succeeded to reproduce the problem. If I understand you
> correctly, sysu is a true user in db1 database and is aliased as dbo in
> db2 database. Despite of the alias presenting, owners of sometable (dbo)
> and the stored procedure (sysu) are still different and the ownership
> chain is broken. As result, ASE checks permissions on objects referenced
> by the procedure. When you execute the procedure as user1, ASE tries to
> find user1 in db2 and, since it doesn't exist, tries to use the guest
> user. Since guest user doesn't have select permission on dbo.sometable,
> you receive a error message and seems to be expected behavior. I think
> that creating the procedure with user dbo instead of sysu should solve
> the problem. See the following link for more details:
> http://infocenter.sybase.com/help/topic/com.sybase.infocenter.dc31654.1502/html/sag1/X53658.htm
>
>
> Hope it helps
> Leonid Gvirtz
> http://www.gvirtz-consulting.com
>
> On 4/2/2010 8:05 PM, George Brink wrote:
>> I have two databases. One of them has stored procedures which belong
>> to a super-user (login name sysu). From these stored procedures I am
>> trying to read data from another database from tables which belong to
>> dbo. Users sysu is an alias to dbo. Database has a guest user without
>> any permissions.
>>
>> In other words: db1 has a stored procedure:
>> ---
>> use db1
>> go
>> create procedure sysu.test
>> as
>> select * from db2.dbo.sometable
>> go
>> grant execute on sysu.test to user1
>> go
>> ---
>>
>> Now, when I connect as user1 and try to run this procedure, I receive
>> error message "SELECT permission denied on object sometable, database
>> db2, owner dbo".
>>
>> What is going on? Permission delegation works perfectly well while
>> stored procedure is accessing tables from the same database as itself,
>> but do not if table is in other database???
>>
>> I do not want to give anyone select permissions on tables in my second
>> database, but users require data from it and therefore my stored
>> procedures have to "cross the border". How can I solve this?
>