0

I've the following view defined into myCustomDatabase:

CREATE VIEW myCustomDatabase.dbo.myView AS
   SELECT job_id  FROM msdb.dbo.sysjobhistory

myCustomDatabase's owner is sa.

My current user (called currentUser) has only the db_reader role on the myCustomDatabase.

guest is enable on msdb database.

When I execute the view I get the following error:

The SELECT permission was denied on the object 'sysjobhistory', database 'msdb', schema 'dbo'.

I understand that my current user has no role defined on the system database.

Which role/authorization should I give to my current user to allow him to execute the view (which contains only one column of the system's one), but not give to him full access to the table.

To resume the following view should work when called with currentUser:

CREATE VIEW myCustomDatabase.dbo.myView AS
    SELECT job_id  FROM msdb.dbo.sysjobhistory

, but not the following query:

SELECT *  FROM msdb.dbo.sysjobhistory

Edit : viewable tables in MSDB

enter image description here

Edit2 : My SQLServer version is 2008

Fractaliste
  • 5,777
  • 11
  • 42
  • 86

1 Answers1

2

You don't need to grant permissions on the tables referenced by the view as long as the ownership chain is unbroken. In the case of dbo-owned objects in different databases, this requires that:

  1. both databases have the DB_CHAINING option turned on (on by default in msdb)
  2. databases have the same owner ('sa' is the default owner of msdb)
  3. the user has a security context in the other database (guest is enabled by default in msdb)

Consequently, the following script should do the job. 

ALTER DATABASE myCustomDatabase SET DB_CHAINING ON;
ALTER AUTHORIZATION ON DATABASE::myCustomDatabase TO sa;

Note that you should enable DB_CHAINING in sa-owned databases only if you trust privileged users with permissions to create dbo-owned objects. This isn't a consideration if only sysadmin role members can create objects anyway. Also, if the old owner is not a sysadmin role member and you need that login to retain dbo permissions, add the old owner as a regular database user and add to the db_owner role.

Dan Guzman
  • 43,250
  • 3
  • 46
  • 71
  • My custom database isn't owned by *sa* user, if I set *sa* as the owner as you suggest can it break some existing access rules? – Fractaliste Jan 19 '15 at 08:34
  • @Fractaliste, I added more info to my post. This can also be accomplished with certificates. I'll add more info about that technique if you specify what version of SQL Server you are using. – Dan Guzman Jan 19 '15 at 12:58
  • if both database are sa-owned, I don't need to execute `ALTER AUTHORIZATION ON DATABASE::myCustomDatabase TO sa;` isn't it? – Fractaliste Feb 25 '15 at 13:07
  • @Fractaliste, correct. If the user database is already owned by sa, no need to change the owner. – Dan Guzman Feb 25 '15 at 13:34
  • Thanks for you advice, I would run your `ALTER AUTHORIZATION` script earlier, the problem was a confusing interface about database ownership (see [here](http://dba.stackexchange.com/a/93873/38068) for more detail) – Fractaliste Feb 26 '15 at 09:22
  • This worked for me. However, I believe the default setting for DB_CHAINING is OFF. At least it was on my 2008 DB's. – cbmeeks May 17 '17 at 12:56
  • @cbmeeks, yes, the `DB_CHAINING` database option is off by default for user databases. – Dan Guzman May 17 '17 at 13:17