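Grant a role exec on stored procedures

Time: 2015-03-27 16:29:57

Tags: sql-server tsql stored-procedures

I have a proxy user that I am trying to add to a role that can execute all stored procedures. Using other StackOverflow posts, I have been able to put this script together: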

USE abc

Create ROLE db_exec
go

GRANT EXECUTE TO db_exec
go

EXEC sp_addrolemember 'db_exec', 'abc_user'
go

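When I try to run my stored procedure, I still get this error, per my error handling.

The EXECUTE permission was denied on the object 'sp_OACreate', database 'mssqlsystemresource', schema 'sys'.

What can I do to let abc_user execute sp_OACreate?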

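4 Answers:

Answer 0: (score: 7)

Other than being in the sysadmin role, you also need to grant execute permission in the master database, where these procedures actually reside: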

use master
go

grant exec on sp_OACreate to abc_user
GO

After running this, you can verify that you have permission to execute the procedure with the following:

SELECT * 
FROM master.sys.database_permissions [dp] 
JOIN master.sys.system_objects [so] ON dp.major_id = so.object_id
JOIN master.sys.sysusers [usr] ON 
     usr.uid = dp.grantee_principal_id AND usr.name = 'abc_user'
WHERE permission_name = 'EXECUTE' AND so.name = 'sp_OACreate'

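Answer 1: (score: 2)

The answers given work; however, we typically try not to grant sysadmin privileges to any user whenever possible. In this case, I found that you don't actually need the sysadmin role to run sp_OACreate.

I ran the following: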

use master
grant exec on sp_OACreate to yourSecObject
grant exec on sp_OADestroy to yourSecObject  --Optional
grant exec on sp_OAMethod to yourSecObject

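For my purposes I needed a cleanup step, so the user needed both create and destroy.

I hope this helps anyone who wants to run these procedures but doesn't want the user to have full database access to all the other databases on the server.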

-Scott

Answer 2: (score: 0)

Got the following errors:

The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.
The EXECUTE permission was denied on the object 'sp_OACreate', database 'mssqlsystemresource', schema 'sys'.
The EXECUTE permission was denied on the object 'sp_OAMethod', database 'mssqlsystemresource', schema 'sys'.
The EXECUTE permission was denied on the object 'sp_OAMethod', database 'mssqlsystemresource', schema 'sys'.
The EXECUTE permission was denied on the object 'sp_OAMethod', database 'mssqlsystemresource', schema 'sys'.
The EXECUTE permission was denied on the object 'sp_OAGetProperty', database 'mssqlsystemresource', schema 'sys'.
The EXECUTE permission was denied on the object 'sp_OAGetProperty', database 'mssqlsystemresource', schema 'sys'.
The EXECUTE permission was denied on the object 'sp_OADestroy', database 'mssqlsystemresource', schema 'sys'.

Enable the xp_cmdshell procedure

It may already have been done at this point, so this is just for reference:

EXEC sp_configure 'show advanced options', 1
GO
RECONFIGURE
GO
EXEC sp_configure 'xp_cmdshell', 1
GO
EXEC sp_configure 'show advanced options', 0
GO
RECONFIGURE
GO

Allow the user to execute the stored procedures

use [master]
GO

GRANT EXECUTE ON [sys].[xp_cmdshell] TO [DOMAIN\username];
GRANT EXECUTE ON [sys].[sp_OACreate] TO [DOMAIN\username];
GRANT EXECUTE ON [sys].[sp_OADestroy] TO [DOMAIN\username];
GRANT EXECUTE ON [sys].[sp_OAGetErrorInfo] TO [DOMAIN\username];
GRANT EXECUTE ON [sys].[sp_OAGetProperty] TO [DOMAIN\username];
GRANT EXECUTE ON [sys].[sp_OAMethod] TO [DOMAIN\username];
GRANT EXECUTE ON [sys].[sp_OAStop] TO [DOMAIN\username];
GRANT EXECUTE ON [sys].[sp_OASetProperty] TO [DOMAIN\username];
GO

Check that the execute permissions are set

SELECT * 
FROM master.sys.database_permissions [dp] 
JOIN master.sys.system_objects [so] ON dp.major_id = so.object_id
JOIN master.sys.sysusers [usr] ON usr.uid = dp.grantee_principal_id AND usr.name = 'DOMAIN\username'
WHERE permission_name = 'EXECUTE' 
AND (so.name = 'xp_cmdshell'
  OR so.name = 'sp_OACreate'
  OR so.name = 'sp_OADestroy'
  OR so.name = 'sp_OAGetErrorInfo'
  OR so.name = 'sp_OAGetProperty'
  OR so.name = 'sp_OAMethod'
  OR so.name = 'sp_OAStop'
  OR so.name = 'sp_OASetProperty')
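
The verification queries in answers 0 and 2 check one named user. As an added example (not part of the original answers), the audit below generalizes them to every grantee in master, expands role members, and reports whether the two server features are enabled. It assumes the caller can see master's permission metadata (for example, a sysadmin login).

```sql
-- Added audit example; not code from the original answers.
USE master;
GO

-- 1. Every explicit EXECUTE entry on the procedures named on this page.
SELECT  pr.name        AS grantee,
        pr.type_desc   AS grantee_type,
        so.name        AS procedure_name,
        dp.state_desc  AS permission_state,   -- GRANT, DENY or GRANT_WITH_GRANT_OPTION
        gr.name        AS grantor
FROM    sys.database_permissions AS dp
JOIN    sys.system_objects       AS so ON so.object_id    = dp.major_id
JOIN    sys.database_principals  AS pr ON pr.principal_id = dp.grantee_principal_id
JOIN    sys.database_principals  AS gr ON gr.principal_id = dp.grantor_principal_id
WHERE   dp.class = 1                           -- object-level permissions
  AND   dp.permission_name = 'EXECUTE'
  AND   so.name IN ('xp_cmdshell', 'sp_OACreate', 'sp_OADestroy',
                    'sp_OAGetErrorInfo', 'sp_OAGetProperty', 'sp_OAMethod',
                    'sp_OAStop', 'sp_OASetProperty')
ORDER BY so.name, pr.name;

-- 2. Members who inherit those grants through a database role in master.
SELECT DISTINCT
        r.name AS role_name,
        m.name AS member_name,
        m.type_desc AS member_type
FROM    sys.database_permissions  AS dp
JOIN    sys.system_objects        AS so  ON so.object_id = dp.major_id
JOIN    sys.database_principals   AS r   ON r.principal_id = dp.grantee_principal_id
                                        AND r.type = 'R'          -- database role
JOIN    sys.database_role_members AS drm ON drm.role_principal_id = r.principal_id
JOIN    sys.database_principals   AS m   ON m.principal_id = drm.member_principal_id
WHERE   dp.class = 1
  AND   dp.permission_name = 'EXECUTE'
  AND   dp.state IN ('G', 'W')                 -- GRANT / GRANT WITH GRANT OPTION
  AND   (so.name = 'xp_cmdshell' OR so.name LIKE 'sp[_]OA%');

-- 3. Whether the features behind these procedures are switched on server-wide.
SELECT  name, value_in_use
FROM    sys.configurations
WHERE   name IN ('xp_cmdshell', 'Ole Automation Procedures');
```

A grant to the public role in the first result set means every user mapped into master can run that procedure.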

Answer 3: (score: 0)

If it helps, the proc is located under master > Programmability > Extended Stored Procedures > System Extended Stored Procedures.