How GRANT EXECUTE and cross-database reference works in SQL Server?

Question

I've got 2 databases, let's call them Database1 and Database2, a user with very limited permissions, let's call it User1, and a stored procedure in Database1, let's call it Proc1.

I grant EXECUTE permission to User1 on Proc1; GRANT EXECUTE ON [dbo].[Proc1] TO [User1] and things worked fine as long as all the referenced tables (for SELECT, UPDATE ... etc.) are in Database1, although User1 does not have explicit permission on those tables.

I modified Proc1 to SELECT from a table, let's call it Table1, in Database2. Now when I execute Proc1 I get the following error: The SELECT permission was denied on the object 'Table1', database 'Database2', schema 'dbo'

My understanding is that SQL Server will take care of the required permissions when I grant EXECUTE to a stored procedure; does that work differently when the table (or object) is in another database?

Notes:

• User1 is a user in both databases with same limited permissions
• I'm using SQL Server 2005

Answer 1

To expand on @Szymon's answer with updated text from Microsoft at the end of 2018:

Ownership chaining across databases is turned off by default. Microsoft recommends that you disable cross-database ownership chaining because it exposes you to the following security risks:

• Database owners and members of the db_ddladmin or the db_owners database roles can create objects that are owned by other users. These objects can potentially target objects in other databases. This means that if you enable cross-database ownership chaining, you must fully trust these users with data in all databases.

• Users with CREATE DATABASE permission can create new databases and attach existing databases. If cross-database ownership chaining is enabled, these users can access objects in other databases that they might not have privileges in from the newly created or attached databases that they create.

There is also mention about dynamic SQL and certificate signing for procedures like @Rozwel mentions in their answer.

(Source: https://learn.microsoft.com/en-us/dotnet/framework/data/adonet/sql/enabling-cross-database-access-in-sql-server)

Answer 2

Be sure that the user is actually the same in both databases. Not just NAMED the same. Try deleting the user from both databases, then create the user under the SERVER users, and assign the appropriate permissions on each database from that single user account.

Answer 3

Late to the party, but I recommend taking a look at signed stored procedures for this scenario. They are much more secure than granting users permissions to multiple databases or turning on database ownership chaining.

... To make it possible for a user to run this procedure without SELECT permission on testtbl, you need to take these four steps:

1.Create a certificate.

2.Create a user associated with that certificate.

3.Grant that user SELECT rights on testtbl.

4.Sign the procedure with the certificate, each time you have changed the procedure.

When the procedure is invoked, the rights of the certificate user are added to the rights of the actual user. ...

(From http://www.sommarskog.se/grantperm.html#Certificates)

Further documentation is also available on MSDN.

Answer 4

There seem to be a difference when SQL Server checks the permissions along the permission chain. Specifically:

SQL Server can be configured to allow ownership chaining between specific databases or across all databases inside a single instance of SQL Server. Cross-database ownership chaining is disabled by default, and should not be enabled unless it is specifically required.

(Source: http://msdn.microsoft.com/en-us/library/ms188676.aspx)