Update security considerations for EXECUTE AS statement

shohamMSFT · web-flow · commit 6083cdcef69b · 2026-04-16T16:43:12.000-07:00
Added security considerations regarding EXECUTE AS USER = 'dbo' and its implications on DENY permissions.
diff --git a/docs/t-sql/statements/execute-as-transact-sql.md b/docs/t-sql/statements/execute-as-transact-sql.md
@@ -117,6 +117,11 @@ If the user is orphaned (the associated login no longer exists), and the user wa
   
 > [!CAUTION]  
 >  The EXECUTE AS statement can succeed as long as the [!INCLUDE[ssDE](../../includes/ssde-md.md)] can resolve the name. If a domain user exists, Windows might be able to resolve the user for the [!INCLUDE[ssDE](../../includes/ssde-md.md)], even though the Windows user does not have access to [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)]. This can lead to a condition where a login with no access to [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)] appears to be logged in, though the impersonated login would only have the permissions granted to public or guest.  
+
+## Security Considerations  
+ Executing under the dbo ownership context, such as, by using EXECUTE AS USER = 'dbo', changes how explicit DENY permissions are evaluated. When execution context is switched to the 'dbo' ownership context, permission-based DENY restrictions that apply to the original calling principal are not enforced for the duration of the impersonation. As a result, a principal that is able to switch execution context to dbo, for example through membership in the db_owner fixed database role, can perform actions that would otherwise be blocked by explicit DENY permissions applied to that principal.
+ 
+ This behavior is by design and should be taken into account when granting permissions that allow ownership impersonation. DENY permissions cannot be relied upon as a compensating control to limit the effective permissions of principals that can execute as dbo.
   
 ## Using WITH NO REVERT  
  When the EXECUTE AS statement includes the optional WITH NO REVERT clause, the execution context of a session cannot be reset using REVERT or by executing another EXECUTE AS statement. The context set by the statement remains in effect until the session is dropped.  
