%3CLINGO-SUB%20id%3D%22lingo-sub-1552690%22%20slang%3D%22en-US%22%3EInconsistent%20permissions%20or%20ownership%20chaining%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1552690%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSTRONG%3EScenario%3C%2FSTRONG%3E%3A%20Two%20schemas%3A%20%3CSTRONG%3EA%3C%2FSTRONG%3E%20and%20%3CSTRONG%3EB%3C%2FSTRONG%3E.%20User%20%3CSTRONG%3Etest%3C%2FSTRONG%3E%20has%20access%20to%20everything%20under%20schema%20A%2C%20he%20does%20not%20have%20permissions%20under%20Schema%20B.%20Schema%20A%20and%20B%20were%20created%20by%20the%20same%20owner.%3C%2FP%3E%0A%3CP%3EA%20view%20was%20created%20under%20schema%20A%20pointing%20to%20a%20select%20under%20schema%20B.%20Customer%20can't%20query%20table%20under%20schema%20B%2C%20but%20once%20he%20does%20a%20select%20on%20the%20view%20under%20Schema%20A%20he%20is%20able%20to%20access%20data%20under%20schema%20B.%20(%3F%3F)%20weird%2C%20is%20not%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-applescript%22%3E%3CCODE%3E------------------------------%0A--Master%20Database%0ACREATE%20LOGIN%20testUser1%20%0A%20WITH%20PASSWORD%20%3D%20'Lalala!0000'%0A----Change%20to%20SQLDW%0ACREATE%20USER%20testUser1%20FROM%20LOGIN%20testUser1%0A------------------------------------------%0ACREATE%20SCHEMA%20Schema_B%3B%0Ago%0ACREATE%20SCHEMA%20Schema_A%3B%0Ago%0A--------------------------------------%0AGRANT%20CREATE%20SCHEMA%20ON%20DATABASE%20%3A%3A%20%5BSQL_DW_database_name%5D%20TO%20testUser1%20%0A%26nbsp%3B%0AGRANT%20SELECT%2C%20INSERT%2C%20DELETE%2C%20UPDATE%2C%20ALTER%20ON%20Schema%3A%3ASchema_A%20TO%20%20testUser1%20%0A------------------------------------------%0ACREATE%20TABLE%20Schema_B.TestTbl%0AWITH(DISTRIBUTION%3DROUND_ROBIN)%20%20%20%20%0AAS%20%20%20%20%0A%20SELECT%201%20AS%20ID%2C%20100%20AS%20VAL%20UNION%20ALL%0A%20SELECT%202%20AS%20ID%2C%20200%20AS%20VAL%20UNION%20ALL%20%20%20%20%0A%20SELECT%202%20AS%20ID%2C%20200%20AS%20VAL%0Ago%0A%26nbsp%3B%0A%26nbsp%3B%0A----------------------------------------%0ACREATE%20VIEW%20Schema_A.Bypass_VW%20%0AAS%20--%20runs%20successfully%0ASELECT%20*%20FROM%20Schema_B.TestTbl%0A%26nbsp%3B%0Ago%0A%26nbsp%3B%0A-------------------------------------------------------------------------%0A--Log%20into%20SQLDW%20with%20the%20testUser1%20%20%3B%20---%26gt%3Bexecuting%20as%20this%20user.%0A%26nbsp%3B%0AGO%0A%26nbsp%3B%0ASELECT%20*%20FROM%20Schema_B.TestTbl---%26gt%3B%20user%20does%20not%20have%20access%0A%26nbsp%3B%0ASELECT%20*%20FROM%20Schema_A.Bypass_VW%20--%20runs%20successfully%20and%20fetches%20data%20from%20table%20not%20having%20select%20access%20to%0A%26nbsp%3B%0A%0A%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFigure%201%20and%202%20exemplifies%3A%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22onwership_sche.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F208830i21D4144514342143%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22onwership_sche.png%22%20alt%3D%22onwership_sche.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EFigure%201%3A%20Query%20view%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22onwership_sche_deny.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F208831iB21148CBF0172845%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22onwership_sche_deny.png%22%20alt%3D%22onwership_sche_deny.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EFigure%202%3A%20Query%20table%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHere%20is%20the%20documentation%20about%20this%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CEM%3EA%20user%20with%20ALTER%20permission%20on%20a%20schema%20can%20use%20ownership%20chaining%20to%20access%20securables%20in%20other%20schemas%2C%20including%20securables%20to%20which%20that%20user%20is%20explicitly%20denied%20access.%20This%20is%20because%20ownership%20chaining%20bypasses%20permissions%20checks%20on%20referenced%20objects%20when%20they%20are%20owned%20by%20the%20principal%20that%20owns%20the%20objects%20that%20refer%20to%20them.%20A%20user%20with%20ALTER%20permission%20on%20a%20schema%20can%20create%20procedures%2C%20synonyms%2C%20and%20views%20that%20are%20owned%20by%20the%20schema's%20owner.%20Those%20objects%20will%20have%20access%20(via%20ownership%20chaining)%20to%20information%20in%20other%20schemas%20owned%20by%20the%20schema's%20owner.%20When%20possible%2C%20you%20should%20avoid%20granting%20ALTER%20permission%20on%20a%20schema%20if%20the%20schema's%20owner%20also%20owns%20other%20schemas.%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3EFor%20example%2C%20this%20issue%20may%20occur%20in%20the%20following%20scenarios.%20These%20scenarios%20assume%20that%20a%20user%2C%20referred%20as%20U1%2C%20has%20the%20ALTER%20permission%20on%20the%20S1%20schema.%20The%20U1%20user%20is%20denied%20to%20access%20a%20table%20object%2C%20referred%20as%20T1%2C%20in%20the%20schema%20S2.%20The%20S1%20schema%20and%20the%20S2%20schema%20are%20owned%20by%20the%20same%20owner.%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3EThe%20U1%20user%20has%20the%20CREATE%20PROCEDURE%20permission%20on%20the%20database%20and%20the%20EXECUTE%20permission%20on%20the%20S1%20schema.%20Therefore%2C%20the%20U1%20user%20can%20create%20a%20stored%20procedure%2C%20and%20then%20access%20the%20denied%20object%20T1%20in%20the%20stored%20procedure.%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3EThe%20U1%20user%20has%20the%20CREATE%20SYNONYM%20permission%20on%20the%20database%20and%20the%20SELECT%20permission%20on%20the%20S1%20schema.%20Therefore%2C%20the%20U1%20user%20can%20create%20a%20synonym%20in%20the%20S1%20schema%20for%20the%20denied%20object%20T1%2C%20and%20then%20access%20the%20denied%20object%20T1%20by%20using%20the%20synonym.%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3E%3CSTRONG%3EThe%20U1%20user%20has%20the%20CREATE%20VIEW%20permission%20on%20the%20database%20and%20the%20SELECT%20permission%20on%20the%20S1%20schema.%20Therefore%2C%20the%20U1%20user%20can%20create%20a%20view%20in%20the%20S1%20schema%20to%20query%20data%20from%20the%20denied%20object%20T1%2C%20and%20then%20access%20the%20denied%20object%20T1%20by%20using%20the%20view%3C%2FSTRONG%3E%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3E%26nbsp%3B%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E(-ERR%3AREF-NOT-FOUND-%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsql%2Ft-sql%2Fstatements%2Fgrant-schema-permissions-transact-sql%3Fview%3Dsql-server-ver15%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsql%2Ft-sql%2Fstatements%2Fgrant-schema-permissions-transact-sql%3Fview%3Dsql-server-ver15%3C%2FA%3E)%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ENote%20this%20is%20the%20same%20across%20any%20version%20of%20SQL%20Server%3A%20SQLDB%2C%20SQLDW%2C%20SQL%20Server%3C%2FP%3E%0A%3CP%3E%3CU%3E%3CSTRONG%3EWorkaround%3C%2FSTRONG%3E%3C%2FU%3E%3A%3C%2FP%3E%0A%3CP%3EI%20changed%20my%20demo%20based%20on%20the%20documentation.%20The%20point%20here%20is%3A%20there%20are%26nbsp%3B%202%20schemas%20with%20the%20same%20owner.%20So%20let's%20change%20that%3A%20different%20schema%20owners.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EList%20the%26nbsp%3B%20ownership%20and%20keep%20this%20information%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-applescript%22%3E%3CCODE%3E----Create%20a%20new%20login%0A--Master%20Database%0ACREATE%20LOGIN%20testowner%20%0A%20WITH%20PASSWORD%20%3D%20'Lalala!0000'%0A--SQLDW%0ACREATE%20USER%20testowner%20FROM%20LOGIN%20testowner%0A-------------%0A--list%20objects%20ownership%0ASELECT%20'OBJECT'%20AS%20entity_type%20%20%0A%0A%20%20%20%20%2CUSER_NAME(OBJECTPROPERTY(object_id%2C%20'OwnerId'))%20AS%20owner_name%20%20%0A%0A%20%20%20%20%2Cname%20%20%0A%0AFROM%20sys.objects%0A%0A%20%0A---Keep%20the%20result%20of%20the%20permission.%20Once%20we%20change%20the%20ownership%20of%20the%20schema%20the%20permission%20per%20schema%20will%20be%20reset.%20(%20if%20there%20is%20such%20information)%0ASelect%20USER_NAME(principal_id)%2C*%20from%20sys.schemas%0A%0A---%20I%20will%20change%20Schema_B%20as%20my%20schema%20permissions%20are%20only%20on%20Schema_A%0AALTER%20AUTHORIZATION%20ON%20SCHEMA%3A%3ASchema_B%20TO%20testowner%3B%20%20%20%20%0A%0A----------%0A%0A--list%20objects%20ownership%20again.%20Check%20a%20new%20owner%20was%20added%0ASELECT%20'OBJECT'%20AS%20entity_type%20%20%0A%0A%20%20%20%20%2CUSER_NAME(OBJECTPROPERTY(object_id%2C%20'OwnerId'))%20AS%20owner_name%20%20%0A%0A%20%20%20%20%2Cname%20%20%0A%0AFROM%20sys.objects%0A%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAnd%20as%20figure%203%20shows%2C%20the%20ownership%20chaining%20was%20solved%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22onwership_sche_deny_works.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F208832i7104259BC54A9B06%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22onwership_sche_deny_works.png%22%20alt%3D%22onwership_sche_deny_works.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAnother%20way%20to%20solve%20this%20would%20include%20for%20example%3A%20Deny%20to%20the%20user%20select%20on%20the%20View(Schema_A.Bypass_VW%20)%20or%20deny%20the%20select%2C%20like%3A%3C%2FP%3E%0A%3CDIV%3E%0A%3CDIV%3E%3CPRE%20class%3D%22lia-code-sample%20language-applescript%22%3E%3CCODE%3EDeny%20select%20on%20Schema_A.Bypass_VW%20%26nbsp%3BTO%20testUser1%26nbsp%3B%26nbsp%3B%0ADeny%20SELECT%20ON%20SCHEMA%20%3A%3A%20Schema_A%20TO%20testUser1%26nbsp%3B%3C%2FCODE%3E%3C%2FPRE%3E%3C%2FDIV%3E%0A%3C%2FDIV%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThanks%20Joao%20Polisel%20and%20Moises%20Romero%20for%20the%20advice%20on%20this.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThat%20is%20it!%3C%2FP%3E%0A%3CP%3ELiliam%26nbsp%3B%3C%2FP%3E%0A%3CP%3EUK%20Engineer%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1552690%22%20slang%3D%22en-US%22%3E%3CP%3ESo%20this%20is%20another%20interesting%20case.%20Which%20at%20first%20instance%20lead%20us%20to%20think%20it%20is%20an%20inconsistent%20permission%20issue%20but%20it%20was%20an%20expected%20behaviour%20based%20on%20the%20ownership%20chaining%20concepts.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1552690%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ESynapse%20Administration%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESynapse%20Security%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESynapse%20SQL%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Microsoft

Scenario: Two schemas: A and B. User test has access to everything under schema A, he does not have permissions under Schema B. Schema A and B were created by the same owner.

A view was created under schema A pointing to a select under schema B. Customer can't query table under schema B, but once he does a select on the view under Schema A he is able to access data under schema B. (??) weird, is not?

 

 

 

 

 

------------------------------
--Master Database
CREATE LOGIN testUser1 
	WITH PASSWORD = 'Lalala!0000'
----Change to SQLDW
CREATE USER testUser1 FROM LOGIN testUser1
------------------------------------------
CREATE SCHEMA Schema_B;
go
CREATE SCHEMA Schema_A;
go
--------------------------------------
GRANT CREATE SCHEMA ON DATABASE :: [SQL_DW_database_name] TO testUser1 
 
GRANT SELECT, INSERT, DELETE, UPDATE, ALTER ON Schema::Schema_A TO  testUser1 
------------------------------------------
CREATE TABLE Schema_B.TestTbl
WITH(DISTRIBUTION=ROUND_ROBIN)    
AS    
	SELECT 1 AS ID, 100 AS VAL UNION ALL
	SELECT 2 AS ID, 200 AS VAL UNION ALL    
	SELECT 2 AS ID, 200 AS VAL
go
 
 
----------------------------------------
CREATE VIEW Schema_A.Bypass_VW 
AS -- runs successfully
SELECT * FROM Schema_B.TestTbl
 
go
 
-------------------------------------------------------------------------
--Log into SQLDW with the testUser1  ; --->executing as this user.
 
GO
 
SELECT * FROM Schema_B.TestTbl---> user does not have access
 
SELECT * FROM Schema_A.Bypass_VW -- runs successfully and fetches data from table not having select access to
 

 

 

 

 

 

Figure 1 and 2 exemplifies:

onwership_sche.png

Figure 1: Query view

 

onwership_sche_deny.png

Figure 2: Query table

 

Here is the documentation about this:

 

A user with ALTER permission on a schema can use ownership chaining to access securables in other schemas, including securables to which that user is explicitly denied access. This is because ownership chaining bypasses permissions checks on referenced objects when they are owned by the principal that owns the objects that refer to them. A user with ALTER permission on a schema can create procedures, synonyms, and views that are owned by the schema's owner. Those objects will have access (via ownership chaining) to information in other schemas owned by the schema's owner. When possible, you should avoid granting ALTER permission on a schema if the schema's owner also owns other schemas.

For example, this issue may occur in the following scenarios. These scenarios assume that a user, referred as U1, has the ALTER permission on the S1 schema. The U1 user is denied to access a table object, referred as T1, in the schema S2. The S1 schema and the S2 schema are owned by the same owner.

The U1 user has the CREATE PROCEDURE permission on the database and the EXECUTE permission on the S1 schema. Therefore, the U1 user can create a stored procedure, and then access the denied object T1 in the stored procedure.

The U1 user has the CREATE SYNONYM permission on the database and the SELECT permission on the S1 schema. Therefore, the U1 user can create a synonym in the S1 schema for the denied object T1, and then access the denied object T1 by using the synonym.

The U1 user has the CREATE VIEW permission on the database and the SELECT permission on the S1 schema. Therefore, the U1 user can create a view in the S1 schema to query data from the denied object T1, and then access the denied object T1 by using the view

 

(https://docs.microsoft.com/en-us/sql/t-sql/statements/grant-schema-permissions-transact-sql?view=sql...)

 

Note this is the same across any version of SQL Server: SQLDB, SQLDW, SQL Server

Workaround:

I changed my demo based on the documentation. The point here is: there are  2 schemas with the same owner. So let's change that: different schema owners.

 

List the  ownership and keep this information:

 

 

 

----Create a new login
--Master Database
CREATE LOGIN testowner 
	WITH PASSWORD = 'Lalala!0000'
--SQLDW
CREATE USER testowner FROM LOGIN testowner
-------------
--list objects ownership
SELECT 'OBJECT' AS entity_type  

    ,USER_NAME(OBJECTPROPERTY(object_id, 'OwnerId')) AS owner_name  

    ,name  

FROM sys.objects

 
---Keep the result of the permission. Once we change the ownership of the schema the permission per schema will be reset. ( if there is such information)
Select USER_NAME(principal_id),* from sys.schemas

--- I will change Schema_B as my schema permissions are only on Schema_A
ALTER AUTHORIZATION ON SCHEMA::Schema_B TO testowner;    

----------

--list objects ownership again. Check a new owner was added
SELECT 'OBJECT' AS entity_type  

    ,USER_NAME(OBJECTPROPERTY(object_id, 'OwnerId')) AS owner_name  

    ,name  

FROM sys.objects

 

 

 

And as figure 3 shows, the ownership chaining was solved:

 

onwership_sche_deny_works.png

 

Another way to solve this would include for example: Deny to the user select on the View(Schema_A.Bypass_VW ) or deny the select, like:

Deny select on Schema_A.Bypass_VW  TO testUser1  
Deny SELECT ON SCHEMA :: Schema_A TO testUser1 

 

Thanks Joao Polisel and Moises Romero for the advice on this.

 

That is it!

Liliam 

UK Engineer