Roman Rehak : Granting EXECUTE on all stored procedures

Granting EXECUTE on all stored procedures

I came across this a few months ago when I was researching security in 2005 and now thought it would be useful to post it here. I have saved code that loops through all stored procedures in the database and grants execute privileges to a database user. I've had it around since SQL Server 7.0. Now I discovered that in SQL Server 2005 you can create a server role and grant it EXECUTE privileges on all stored procedures. This solution is much more elegant, plus I don't have to rerun my script if I add more procs:

-- create custom database role
CREATE ROLE db_executor

-- grant EXECUTE permission

GRANT EXECUTE TO db_executor

-- add security account to the role

exec sp_addrolemember 'db_executor', 'YourSecurityAccount'

Note - security account can be a database user, database role, a Windows login or Windows group.

Cross-posted from SQLBlog! - http://www.sqlblog.com

posted on Wednesday, January 16, 2008 6:39 PM by Roman

# re: Granting EXECUTE on all stored procedures @ Wednesday, January 16, 2008 8:31 PM

I saw the same thing a while ago. I just wonder what the benefit of the group is. If the user is just granted execute, the same thing is accomplished and there's no overhead of creating the group and managing the group, since the user has to be part of the database anyway. So, the following works just as well:

GRANT EXECUTE TO [YourSecurityAccount]

DonRWatters

Roman Rehak

Search

Navigation

SQL Server Sites

Subscriptions

News

Post Categories

Granting EXECUTE on all stored procedures

# re: Granting EXECUTE on all stored procedures @ Wednesday, January 16, 2008 8:31 PM