Question : SQL Table-value function / permissions / Access Front End

I have an Access Front End, with screens that use a sql table-value function as the datasource.  I use the table-value functions because I pass parameters to limit the records returned (versus using views) and also want to update data easily in an Access Datasheet (versus using stored procs).

See code for function code.

If I make the user a member of the db_datawriter role, all is well.  User can work in the datasheet and edit.  

However, I would much rather secure the data, and only allow updates through the sp's.  Here's what happens when I try to do it the right way:

I've granted select and update permissions to the functions.  Update permissions have not been granted against the underlying tables.

Attempting to update records from the Access Datasheet, I get "update permission was denied on the object 'nnnnn'", where object name is one of the underlying tables in the function. If the function has 3 tables, and I update a record from each table, I will see in the trace three update statements, each referencing the relevant table. (Example 1)

However, I will get the error updating table nnnn in Access, and be unable to move off the record until I undo the changes to the record.

Any suggestions would be appreciated.

Thanks!




Code Snippet:
CREATE FUNCTION [dbo].[fnGet_ItemsMissingSRPrice](@Season nchar(4))
RETURNS TABLE 
AS
 
RETURN (
SELECT     TOP (100) PERCENT 
i.[ITEM-NO], 
i.DESCRIPTION, 
FL.SR, 
FL.SRPrice, 
FL.Price AS FLPrice, 
DLR.Page AS FLPage, 
i.STATUS, 
DLR.Page AS DLRPage, 
PSAS.PriceSameAs,
FL.Updates
FROM         tblPSAS PSAS RIGHT OUTER JOIN
                      [Item Master] AS i ON PSAS.EDP = i.[EDP-NO] LEFT OUTER JOIN
                      tblDLR AS DLR ON i.[EDP-NO] = DLR.Edp LEFT OUTER JOIN
                      tblFL AS FL ON i.[EDP-NO] = FL.EDP
WHERE     ((FL.Page > 1) AND (FL.Page < 500) 
or (DLR.Page > 1 and DLR.Page < 400))
AND SRPrice IS NULL AND [PriceSameAs] = 'p' and brandcode<>'N'
and FL.Season=@season
and DLR.season=@season
and PSAS.season=@Season
ORDER BY FL.Page, FL.Sec, [ITEM-NO]
 
)
 
Example 1:
exec sp_executesql N'UPDATE "PriceShop".."tblPSAS" SET "PriceSameAs"=@P1 WHERE "PriceSameAs"=@P2 AND "EDP"=@P3 AND "Season"=@P4',N'@P1 nvarchar(6),@P2 nvarchar(1),@P3 int,@P4 nvarchar(4)',N'hi mom',N'p',44404,N'0909'
 
exec sp_executesql N'UPDATE "PriceShop".."tblDLR" SET "Page"=@P1,"Page"=@P2 WHERE "Page"=@P3 AND "Page"=@P4 AND "Edp"=@P5 AND "Season"=@P6',N'@P1 int,@P2 int,@P3 int,@P4 int,@P5 int,@P6 nvarchar(4)',98,99,25,25,44404,N'0909'
 
exec sp_executesql N'UPDATE "PriceShop".."tblFL" SET "Price"=@P1 WHERE "Price"=@P2 AND "EDP"=@P3 AND "Season"=@P4',N'@P1 numeric(8,2),@P2 numeric(8,2),@P3 int,@P4 nvarchar(4)',36.33,26.99,44404,N'0909'

Answer : SQL Table-value function / permissions / Access Front End

>exec sp_executesql

means: dynamic sql.
which runs, by default, under the CALLER permissions, and NOT under the permissions of the procedure owner.

the function's caller/owner are not relevant here.

if you are using sql 2005+, you can change that behavior in the procedure, by using
EXECUTE AS OWNER
msdn.microsoft.com/en-us/library/ms188354.aspx
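
As an added example (not part of the original answer), the following T-SQL shows the EXECUTE AS OWNER approach applied to the tblFL price update seen in the trace, with a check run as a low-privileged user. The procedure name dbo.usp_UpdateFLPrice, the role PriceEditors, the user TestUser and the dbo schema for tblFL are assumptions; column names, types and sample values come from the function and Example 1.

```sql
-- Added example. Hypothetical names: usp_UpdateFLPrice, PriceEditors, TestUser.
-- Assumes tblFL lives in the dbo schema and the procedure is owned by dbo.
CREATE ROLE PriceEditors;
GRANT SELECT ON dbo.fnGet_ItemsMissingSRPrice TO PriceEditors;  -- read via the function only
GO
CREATE PROCEDURE dbo.usp_UpdateFLPrice
    @EDP int, @Season nvarchar(4), @OldPrice numeric(8,2), @NewPrice numeric(8,2)
WITH EXECUTE AS OWNER
AS
BEGIN
    SET NOCOUNT ON;
    -- Dynamic SQL is checked against the current execution context. With
    -- EXECUTE AS OWNER that context is the procedure owner, not the caller.
    -- Keep the statement fixed and parameterized: it runs with the owner's rights.
    DECLARE @sql nvarchar(500), @rows int;
    SET @sql = N'UPDATE dbo.tblFL SET Price = @New
                 WHERE EDP = @EDP AND Season = @Season AND Price = @Old';
    EXEC sp_executesql @sql,
         N'@New numeric(8,2), @Old numeric(8,2), @EDP int, @Season nvarchar(4)',
         @New = @NewPrice, @Old = @OldPrice, @EDP = @EDP, @Season = @Season;
    SET @rows = @@ROWCOUNT;
    -- Same optimistic check as the Access-generated WHERE clause in Example 1.
    IF @rows = 0
        RAISERROR('Row not found or Price changed by another user.', 16, 1);
END
GO
GRANT EXECUTE ON dbo.usp_UpdateFLPrice TO PriceEditors;  -- no UPDATE grant on tblFL
GO
-- Verify as a low-privileged principal (values taken from the trace).
CREATE USER TestUser WITHOUT LOGIN;
EXEC sp_addrolemember 'PriceEditors', 'TestUser';
GO
EXECUTE AS USER = 'TestUser';
BEGIN TRY
    -- Allowed: the update runs in the owner's context.
    EXEC dbo.usp_UpdateFLPrice @EDP = 44404, @Season = N'0909',
         @OldPrice = 26.99, @NewPrice = 36.33;
    -- Denied: a direct UPDATE is still checked against TestUser.
    UPDATE dbo.tblFL SET Price = 26.99 WHERE EDP = 44404 AND Season = N'0909';
END TRY
BEGIN CATCH
    PRINT ERROR_MESSAGE();
END CATCH;
REVERT;
```

The datasheet itself keeps issuing direct UPDATE statements against the base tables, as Example 1 shows, so edits have to be sent through the procedure for this to take effect.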