Monday, March 19, 2012

datareader doing updates

We created a Role (Alpha) and made it a member of the datareader Role. Our
hope was that members of this role would only be able to perform data reads.
On a test we granted Alpha exec rights to an update Stored Procedure. The
members of Alpha are now able to run the Stored Procedure and do updates even
though they are NOT members of datawriter. Further testing showed the same
for insert and delete stored procedures.
Does this sound right?
Thanks, Randy

"Randy" <Randy@.discussions.microsoft.com> wrote in message
news:0EA38A7F-70DF-44D3-91C0-6555FB42A4FA@.microsoft.com...
> We created a Role (Alpha) and made it a member of the datareader Role. Our
> hope was that members of this role would only be able to perform data reads.
> On a test we granted Alpha exec rights to an update Stored Procedure. The
> members of Alpha are now able to run the Stored Procedure and do updates even
> though they are NOT members of datawriter. Further testing showed the same
> for insert and delete stored procedures.
> Does this sound right?
>
Yes. Look up "ownership chains" in BOL. If the user can run the
procedure, then permission checks on all objects owned by the owner of the
stored procedure are suppressed.
David
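The behaviour David describes, as an added T-SQL example that is not part of either post. All names here (the dbo.Accounts table, the Alpha role, the AlphaUser test principal, the usp_SetBalance procedure) are hypothetical; the script assumes SQL Server 2005 or later, since it relies on EXECUTE AS USER and TRY/CATCH. The procedure and the table are both owned by dbo, so the ownership chain from the procedure to the table is unbroken and the UPDATE inside it is never permission-checked against the caller:

```sql
-- Added example (not from the thread). Hypothetical objects: dbo.Accounts,
-- role Alpha, user AlphaUser, procedure dbo.usp_SetBalance.
CREATE TABLE dbo.Accounts (Id int PRIMARY KEY, Balance money NOT NULL);
INSERT INTO dbo.Accounts (Id, Balance) VALUES (1, 100);
GO

-- The "read-only" role from the question, nested in the fixed db_datareader role.
CREATE ROLE Alpha;
EXEC sp_addrolemember 'db_datareader', 'Alpha';
GO

-- A loginless test user so the checks below can be run with EXECUTE AS.
CREATE USER AlphaUser WITHOUT LOGIN;
EXEC sp_addrolemember 'Alpha', 'AlphaUser';
GO

-- Owned by dbo, like the table it touches: the ownership chain is unbroken.
CREATE PROCEDURE dbo.usp_SetBalance @Id int, @Balance money
AS
    UPDATE dbo.Accounts SET Balance = @Balance WHERE Id = @Id;
GO
GRANT EXECUTE ON dbo.usp_SetBalance TO Alpha;
GO

EXECUTE AS USER = 'AlphaUser';

-- Direct UPDATE fails: AlphaUser holds only SELECT via db_datareader.
BEGIN TRY
    UPDATE dbo.Accounts SET Balance = 0 WHERE Id = 1;
END TRY
BEGIN CATCH
    PRINT 'direct UPDATE denied: ' + ERROR_MESSAGE();
END CATCH;

-- Through the procedure the same UPDATE succeeds: the caller has EXECUTE on a
-- dbo-owned procedure, so the UPDATE on the dbo-owned table is not checked.
EXEC dbo.usp_SetBalance @Id = 1, @Balance = 0;
SELECT Balance FROM dbo.Accounts WHERE Id = 1;

REVERT;
GO

-- Audit check: every procedure Alpha may execute, with the owner whose
-- permissions the chain will inherit (object owner, else schema owner).
SELECT o.name AS procedure_name,
       USER_NAME(COALESCE(o.principal_id, s.principal_id)) AS owner_name
FROM sys.database_permissions AS dp
JOIN sys.objects             AS o  ON o.object_id = dp.major_id
JOIN sys.schemas             AS s  ON s.schema_id = o.schema_id
JOIN sys.database_principals AS pr ON pr.principal_id = dp.grantee_principal_id
WHERE dp.class = 1                -- object or column
  AND dp.permission_name = 'EXECUTE'
  AND dp.state = 'G'
  AND pr.name = 'Alpha'
  AND o.type = 'P';
GO
```

The audit query at the end is the check to run before granting EXECUTE to a role meant to be read-only: any procedure it lists whose owner also owns the tables it writes is, in effect, a write grant, regardless of whether the role is in db_datawriter. The chain only breaks (and the caller's own permissions get checked) when the procedure and the table have different owners, for example when the procedure lives in a schema owned by a different database principal.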