We have two stored procedures in the same Azure SQL DB, [a].[doA] and [b].[doB]
User has SELECT, INSERT, UPDATE, DELETE, EXECUTE on schema [a], and nothing on other schemas.
All db schemas have owner [dbo]
Both procedures do selects, inserts, updates on other schemas, and both run dynamic queries on other schemas with EXEC @sql syntax (we don't use sp_excutesql, as it breaks the ownership chain).
[a].[doA] also calls [b].[doB] in some cases, and in those cases the ownership chain seems to break in the dynamic sql part of [b].[doB], we receive an error when executing the dynamic query there: The SELECT permission was denied on the object 'table', database 'db', schema 'c'
We are very surprised, as ownership chain works in all other cases, both [a].[doA] executing dynamic sql on schema [c], and [b].[doB] running queries on schema [c].
Why is this the case? How can we prevent it?
We already tried the following workarounds, both didn't work:
EXECUTE on schema [b][doB] to schema [a]Edit: I do understand that EXEC @sql is supposed to break the ownership chain just like sp_executesql, but in our environment, whenever we use sp_executesql, our ownership chain breaks, and when we use EXEC @sql, it only breaks in this one case
We have changed [b].[doB] to EXECUTE AS OWNER, and it works now.
Thanks David Browne for the suggestion!
Thanks Thom A for your well researched answer, we ended up going in another direction!
Thanks for everyone suggesting to use sp_executesql! I do agree that it is a good practice, and would normally always use it, but in our case (I also don't understand why) it causes permission problems. As the dynamic queries only need a numeric parameter at runtime, in this special case we decided that EXEC @sql was an acceptable solution.