Subject Question about user rights and procedures
Author Josef KokeŇ°
Hi!

I feel a bit overwhelmed by user rights in a database in respect to
stored procedures.

I have a database owned by user OWNER. I want to give limited access to
user ATTACKER, so that he can read and write the database through a
stored procedure MODIFY_DATABASE. So I grant:

GRANT EXECUTE ON PROCEDURE modify_database TO attacker;

But I also need to grant required rights to the procedure:

GRANT SELECT ON readonly_table TO PROCEDURE modify_database;
GRANT SELECT, INSERT, UPDATE ON other_table TO PROCEDURE modify_database;

Suppose the procedure MODIFY_DATABASE calls other procedures to read or
write the database. That would mean that I would have to add execute
rigths on those procedures to MODIFY_DATABASE, and grant
EXECUTE/SELECT/INSERT etc. rights to those procedures and the procedures
called by them, etc. Can I somehow avoid this? I mean, somehow make
MODIFY_DATABASE to have all rights on all objects, as if it were called
by OWNER and not ATTACKER?

Thanks,

Josef