Another post for me that is simple and hopefully serves as an example for people trying to get blogging as #SQLNewBloggers.
This is one of those simple things that many people should be able to do in order to build in better security for their database code. However I’m sure many people haven’t ever built one. I ran into this recently, and thought it would be a great SQLNewBlogger post.
Creating the User
It’s a bit anticlimactic, but creating a user in a database without a login is simple:
CREATE USER UpdateStatsUser
WITHOUT LOGIN WITH DEFAULT_SCHEMA = [dbo];
This creates a new user in my database,
that is not associated wtih a login.
I can assign this user permissions, like any other user.
GRANT CONTROL ON dbo.Authors TO UpdateStatsUser;
I could then use these permissions any other way.
Why would you do this?
A short summary from Pinal Dave, which is pretty good. Essentially you want to give different permissions to a user, without using something like an Application Role, which has a name and password that must be managed. Here, you can allow a user to execute a routine as another, more privileged user, without giving the original user additional permissions.
This is a really simple post that took my longer to write than create the user. About 10 minutes. I wouldn’t expect most of you to stop here. I’d want a post that shows you understand something about how this user can be used, show me an example of reading or writing a table as a user with this impersonation in action.
CREATE USER – https://msdn.microsoft.com/en-us/library/ms173463.aspx