Results 1 to 6 of 6
  1. #1
    Join Date
    May 2009
    Posts
    8

    Unanswered: Cross database ownership chaining

    In MS SQL we can disable the 'Cross database ownership chaining' feature by setting the configuration option 'cross db ownership chaining' to 0
    How can we do this in Sybase?

  2. #2
    Join Date
    Sep 2003
    Location
    Switzerland
    Posts
    443
    This is a Sybase forum. And if you are expecting some advice on Sybase equivalent of a MSSQL feature, you need to mention a little bit more in detail what it does so that we can tell you if theres any equivalent in Sybase.

  3. #3
    Join Date
    May 2009
    Posts
    8
    My apologies for not having provided the relevant details. Details follow:
    The concept of ownership chaining allows a non-owner of object who has permissions to execute a stored procedure (or select on view) to access tables referenced by the stored procedure or view, even though he has not been granted direct permissions to these tables. This is allowed since the stored procedure's owner (most likely the dbo) happens to be the owner of the objects which is being referenced by the stored procedure (or view).
    Please see the following link for an e.g.
    SyBooks Online

    In MSSQL,
    Cross-database ownership chaining is just like ownership chaining, but it works across databases. Let's suppose we have two databases - db1 and db2. If a stored procedure in db1 tries to access a table owned by the same login on db2, then access is allowed only if the cross-database ownership chaining is turned ON.
    Please see the following link for more details:
    Ownership Chaining - SQLServerCentral

    I guess this feature should also be available in Sybase, since MSSQL is an inspired version of Sybase.
    So if there is any such configurable item, how do we set it? That was my question.
    Hope I have been able to provide some clarity on my question.

  4. #4
    Join Date
    Sep 2003
    Location
    Switzerland
    Posts
    443
    Hi,

    Thanks for the explanation.

    As far as I know theres no such options for cross-database chaining. If there is cross-database access, then the user needs to be a valid user on each database on top of the permissions you saw on the sybooks site.




    Quote Originally Posted by d_shanke
    My apologies for not having provided the relevant details. Details follow:
    The concept of ownership chaining allows a non-owner of object who has permissions to execute a stored procedure (or select on view) to access tables referenced by the stored procedure or view, even though he has not been granted direct permissions to these tables. This is allowed since the stored procedure's owner (most likely the dbo) happens to be the owner of the objects which is being referenced by the stored procedure (or view).
    Please see the following link for an e.g.
    SyBooks Online

    In MSSQL,
    Cross-database ownership chaining is just like ownership chaining, but it works across databases. Let's suppose we have two databases - db1 and db2. If a stored procedure in db1 tries to access a table owned by the same login on db2, then access is allowed only if the cross-database ownership chaining is turned ON.
    Please see the following link for more details:
    Ownership Chaining - SQLServerCentral

    I guess this feature should also be available in Sybase, since MSSQL is an inspired version of Sybase.
    So if there is any such configurable item, how do we set it? That was my question.
    Hope I have been able to provide some clarity on my question.

  5. #5
    Join Date
    Sep 2003
    Location
    Switzerland
    Posts
    443
    I did come across a similar issue and found something which may interest you.

    If a login is added to db1 with a userid and another database db2 with a different userid, and objects are created by this login and granted permissions to others, it may affect the way implicit permissions work. I have to do a test to confirm this. Dont have time at the moment.

    ------------------

    New 12.0 Concrete Identification feature.

    Concrete identification enables Adaptive Server to verify chains of ownership between procedures, views, and triggers and the objects they reference in other databases. Adaptive Server identifies users during a session by login name or server user ID (suid). This identification applies to all databases in the server. When the user creates an object, the server associates both the owner's database user ID (uid) and the creator's login name with the object in the sysobjects table. This information concretely identifies the object as belonging to that user, which allows the server to recognize when permissions on the object can be granted implicitly.

    To disable this feature, use trace flag 10303. However, this is not recommended as a permanent solution, as it affects intended security in ASE 12.0.
    -----------------

  6. #6
    Join Date
    May 2009
    Posts
    8
    Thanks trvishi!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •