Home/ Questions/Q 8092223
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-05T20:14:24+00:00

I have an app that allows users to upload large data files and then

  • 0

I have an app that allows users to upload large data files and then parses and stores the data in a SQL Server 2008 R2 database.

I would like to automatically run UPDATE STATISTICS on the table that the data is being imported in to since the users can run reports on the data and the amount of data is very large.

The data access is done through stored procedures and the user has no permissions on the tables, only execute on the stored procedures.

I wrote a stored procedure to take a table name and use sp_Executesql to run UPDATE STATISTICS on the table name that’s passed in. Both the stored proc and the table are owned by dbo. I get an error saying ‘Cannot find the object “table” because it does not exist or you do not have permissions.’ If I grant alter on the table to the user then it works fine but I’d like to avoid doing that. I thought that if the table and stored proc were owned by the same owner then the user’s permissions are ignored.

Is it possible to run UPDATE STATISTICS somehow without having the alter table permission?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The user’s permissions can’t be ignored if you use sp_executesql. Unless you make the procedure execute in the context of someone else. Rather than pick another user, I would rather create a user without a login. So let’s say you have a table called dbo.farb, that user foobarblat cannot ALTER (DENY isn’t necessary but it really proves the point):

    USE master;
GO
CREATE LOGIN foobarblat WITH PASSWORD = 'foobarblat', CHECK_POLICY = OFF;
GO
USE YourDatabase;
GO
CREATE USER foobarblat FROM LOGIN foobarblat;
GO
CREATE TABLE dbo.farb(id INT);
GO
DENY ALTER ON dbo.farb to foobarblat;
GO

    Now let’s create a hidden user – we can give this user all the permissions in the world, because nobody can actually log in as this user, but for this example we can just grant ALTER on our table):

    CREATE USER SuperSecret WITHOUT LOGIN;
GO
GRANT ALTER ON dbo.farb TO SuperSecret;
GO

    Now we can write a stored procedure that executes in the context of our SuperSecret user, but can be executed by foobarblat:

    CREATE PROCEDURE dbo.UpdateStats
    @tablename NVARCHAR(511)
WITH EXECUTE AS 'SuperSecret'
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'UPDATE STATISTICS ' + @tablename;
    EXEC sp_executesql @sql;
END
GO
GRANT EXEC ON dbo.UpdateStats TO foobarblat;

    Now connect in a new window using foobarblat – you should be able to execute this no problem:

    EXEC dbo.UpdateStats 'dbo.farb';
    • 0