Prevent data modification through stored proc

Question

In my SQL Server 2005 database, a user belongs to a role and that role has been granted execute permission on all the stored procedures. One of the stored procedures inserts data into the table called tableA.

User has been explicit DENY permission on tableA. However, user can still execute stored procedure to insert new data.

Is there a way to prevent user to insert new data into the table (besides removing user from the role which has execute permission)

create table tableA
(id int identity(1,1), data varchar(20)
)

create proc uspInsertTableA
   (@data varchar(20))
with execute as caller
as
begin
insert into tableA
values (@data)
end

DENY INSERT On tableA TO BrianG

GRANT EXECUTE on uspInsertTableA to BrianG

BrianG, can still insert data

exec uspInsertTableA 'yada'

Answer 1

There are two relevant factors:

1. "execute as" of the stored procedure.

2. Ownership chaining.

"EXECUTE as CALLER" is already the default (CREATE PROCEDURE ... WITH EXECUTE AS CALLER ...)

Additionally the stored procedure must have a different owner than TableA, to prevent ownership chaining. The owner of the stored procedure must not have the right to insert into the table.

Alternatively you could use the HAS_PERMS_BY_NAME function within the stored procedure to explicitly check whether the user has the permission.

if HAS_PERMS_BY_NAME('TableA','OBJECT','INSERT') = 0
   raiserror ('User is not allowed to insert into TableA',16,1)

Answer 2

Could you change the database schema of the sproc? ie. change from dbo.Insert to protected.Insert?

Then you could deny exec against this schema?