I’m probably missing something obvious or going about this in the wrong way, but here it goes:
I’ve written a scalar CLR function in SQL Server 2005. It has one parameter (int) and returns a varchar(2000). I’m having trouble figuring out how to specifically grant permissions to sysadmin role and restrict any other role, including db_owner, from executing it.
I’m guessing that granting and revoking permissions is the same for CLR functions as any other UDF. This is a sensitive function because it decrypts a password that’s stored in a SecurityUser table for the application. I don’t want anyone to be able to run it except members of the sysadmin role.
In the database, I first tried granting to sysadmin from the database:
grant execute ON dbo.fCrossTabDx1 TO sysadmin
and of course received the error:
Msg 15151, Level 16, State 1, Line 1
Cannot find the user
‘sysadmin’, because it does not exist or you do not have permission.
I then tried to grant permission to db_securityadmin, which is a role in the database and got error:
Msg 4617, Level 16, State 1, Line 1
Cannot grant, deny or revoke
permissions to or from special roles.
So, would appreciate someone steering me in the right direction, if this is possible.
- Can I restrict a user with db_owner permissions from executing a function, and
- Can I allow only sysadmin role execution permission on a function?
Thanks.
You cannot restrict permissions on the securable owner. By definition members of
db_ownerown every securable in a database. A function is a database securable. Ergo, you cannot restrict permissions on a function to dbo or members of db_owner role.You are doing it wrong:
Do read and internalize the Encryption Hierarchy. Do follow standard practices. Do not invent your own.