StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

PO
primarykey
Id
2212621
data
AcceptedAnswerId
0
AnswerCount
0
ClosedDate
CommentCount
2
CommunityOwnedDate
CreationDate
2010-02-06T09:11:03.340
FavoriteCount
0
LastActivityDate
2016-07-06T10:24:10.703
LastEditDate
2016-07-06T10:24:10.703
LastEditorUserId
4027974
OwnerUserId
105929
ParentId
2212044
PostTypeId
2
Score
8
ViewCount
0
LastEditorDisplayName
text
Body
My 2c: Ownership chaining is legacy. It dates from days when there was no alternatives, and compared with today's alternatives is unsecure and coarse. I say the alternative is not schema permissions, the alternative is code signing. With code signing you can grant the needed permissions on the signature of the procedure, and grant wide execute access on the procedure while the data access is tightly controlled. Code signing offers more granular and more precise control, and it cannot be abused the way ownership chaining can. It works inside the schema, it works across the schema, it works across the database and does not require the huge security hole of cross database ownership chaining to be open. And it doesn't require the hijacking of the object ownership for access purposes: the owner of the procedure can be any user. As for your second question about row level security: row level security doesn't really exist in SQL Server versions 2014 and earlier, as a feature offered by the engine. You have various workarounds, and those workarounds work actually better with code signing than with ownership chaining. Since <a href="http://msdn.microsoft.com/en-us/library/ms186740.aspx" rel="nofollow noreferrer">sys.login_token</a> contains the context signatures and countersignatures, you can actually do more complex checks than you could in an ownership chaining context. Since version 2016 SQL Server fully supports <a href="https://msdn.microsoft.com/en-us/library/dn765131.aspx" rel="nofollow noreferrer">row level security</a>.
Tags
Title
singulars
PostAcceptedAnswerId
1. This table or related slice is empty.
PostParentId
1. POSQL Server: How to permission schemas?
 singulars
 PostTypePostTypeId
 PTQuestion
PostTypePostTypeId
1. PTAnswer
UserLastEditorUserId
1. This table or related slice is empty.
UserOwnerUserId
1. USRemus Rusanu
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. This table or related slice is empty.
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
2. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
3. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId
1. CORow level security is actually a red herring.. we use SUSER_SNAME too via JOINs from security tables to control access.
 singulars
 PostPostId
 PO
 UserUserId
 USgbn
2. COIt's the "legacy" bit and then time/effort/laziness why I've not followed up. + 1 anyway. Thanks
 singulars
 PostPostId
 PO
 UserUserId
 USgbn

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.