Commit 7a6bb7e

Update execute-as-transact-sql.md
1 parent 6083cdc commit 7a6bb7e

1 file changed

Lines changed: 1 addition & 1 deletion

docs/t-sql/statements/execute-as-transact-sql.md

@@ -119,7 +119,7 @@ If the user is orphaned (the associated login no longer exists), and the user wa
119119
> The EXECUTE AS statement can succeed as long as the [!INCLUDE[ssDE](../../includes/ssde-md.md)] can resolve the name. If a domain user exists, Windows might be able to resolve the user for the [!INCLUDE[ssDE](../../includes/ssde-md.md)], even though the Windows user does not have access to [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)]. This can lead to a condition where a login with no access to [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)] appears to be logged in, though the impersonated login would only have the permissions granted to public or guest.
120120
121121
## Security Considerations
122-
Executing under the dbo ownership context, such as, by using EXECUTE AS USER = 'dbo', changes how explicit DENY permissions are evaluated. When execution context is switched to the 'dbo' ownership context, permission-based DENY restrictions that apply to the original calling principal are not enforced for the duration of the impersonation. As a result, a principal that is able to switch execution context to dbo, for example through membership in the db_owner fixed database role, can perform actions that would otherwise be blocked by explicit DENY permissions applied to that principal.
122+
Executing under the dbo ownership context, such as, by using the statement `EXECUTE AS USER = 'dbo'`, changes how explicit DENY permissions are evaluated. When execution context is switched to the 'dbo' ownership context, permission-based DENY restrictions that apply to the original calling principal are not enforced for the duration of the impersonation. As a result, a principal that is able to switch execution context to dbo, for example through membership in the db_owner fixed database role, can perform actions that would otherwise be blocked by explicit DENY permissions applied to that principal.
123123

124124
This behavior is by design and should be taken into account when granting permissions that allow ownership impersonation. DENY permissions cannot be relied upon as a compensating control to limit the effective permissions of principals that can execute as dbo.
125125
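Review bot: the reworded sentence at line 122 still reads "such as, by using the statement", with a stray comma after "such as"; "for example, by using the statement `EXECUTE AS USER = 'dbo'`" would read cleanly. The same paragraph refers to the context as both dbo and 'dbo', and leaves DENY and db_owner as plain text next to the newly code-formatted statement, so it is worth settling on one form for each while this line is being touched. The commit message "Update execute-as-transact-sql.md" does not say that this is a formatting-only change to the Security Considerations text; a one-line description would help anyone auditing the history of this section.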
