Thread: Cross database ownership chaining
View Single Post
  #5 (permalink)  
Old 06-10-09, 12:35
trvishi trvishi is offline
Registered User
  
Join Date: Sep 2003
Location: Switzerland
Posts: 443
I did come across a similar issue and found something which may interest you.

If a login is added to db1 with a userid and another database db2 with a different userid, and objects are created by this login and granted permissions to others, it may affect the way implicit permissions work. I have to do a test to confirm this. Dont have time at the moment.

------------------

New 12.0 Concrete Identification feature.

Concrete identification enables Adaptive Server to verify chains of ownership between procedures, views, and triggers and the objects they reference in other databases. Adaptive Server identifies users during a session by login name or server user ID (suid). This identification applies to all databases in the server. When the user creates an object, the server associates both the owner's database user ID (uid) and the creator's login name with the object in the sysobjects table. This information concretely identifies the object as belonging to that user, which allows the server to recognize when permissions on the object can be granted implicitly.

To disable this feature, use trace flag 10303. However, this is not recommended as a permanent solution, as it affects intended security in ASE 12.0.
-----------------
Reply With Quote