Does EXECUTE permission on a stored proc automatically give permissions to the caller (if EXECUTE AS CALLER is set, by default) to any and all objects in the proc, without having to give them directly to the caller?
For example, if I had a table with data in it, called "Table_A" and I wrote a stored procedure that had "DELETE FROM TABLE_A" and left the default "execute as caller". If I give Execute permission to Bob and he executes this proc, it will delete all data from TABLE_A, even though Bob hasn't been given DELETE permissions on that table?
I might be missing something here, but if Bob tried to just run "DELETE FROM TABLE_A" in SSMS and it balked at him, he could write a stored proc with this statement, and execute the proc and delete the data?
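Added example, not part of the original post: a T-SQL script that reproduces the scenario in the question on a scratch database, so the behaviour of ownership chaining can be observed directly. Bob and Table_A come from the question; the procedure names, the loginless user and the assumption that both the table and the procedure are owned by dbo are hypothetical.

```sql
-- Run in a scratch database as a db_owner member. All objects are constructed for the test.
CREATE USER Bob WITHOUT LOGIN;          -- test principal, no permissions granted yet
GO
CREATE TABLE dbo.Table_A (id int NOT NULL);
INSERT INTO dbo.Table_A (id) VALUES (1), (2), (3);
GO
-- Hypothetical procedure; no EXECUTE AS clause, so it runs as CALLER.
CREATE PROCEDURE dbo.usp_ClearTableA
AS
    DELETE FROM dbo.Table_A;
GO
GRANT EXECUTE ON OBJECT::dbo.usp_ClearTableA TO Bob;
GO

EXECUTE AS USER = 'Bob';                -- impersonate Bob for the checks below

-- 1) Ad hoc DELETE: no ownership chain applies, so Bob's own DELETE
--    permission on the table is checked and the statement is refused.
BEGIN TRY
    EXEC (N'DELETE FROM dbo.Table_A;');
END TRY
BEGIN CATCH
    PRINT 'Ad hoc DELETE: ' + ERROR_MESSAGE();
END CATCH;

-- 2) Bob writing his own procedure: this needs CREATE PROCEDURE in the
--    database and ALTER on the target schema, neither of which Bob has.
--    (A procedure in a schema Bob owned would have a different owner than
--    the table, so the chain would break and DELETE would be checked.)
BEGIN TRY
    EXEC (N'CREATE PROCEDURE dbo.usp_BobDelete AS DELETE FROM dbo.Table_A;');
END TRY
BEGIN CATCH
    PRINT 'CREATE PROCEDURE: ' + ERROR_MESSAGE();
END CATCH;

-- 3) Granted procedure: procedure and table have the same owner (dbo), so
--    the ownership chain is unbroken and permissions on Table_A are skipped.
EXEC dbo.usp_ClearTableA;

REVERT;
SELECT COUNT(*) AS rows_left FROM dbo.Table_A;   -- compare with the 3 rows inserted
GO

-- Cleanup
DROP PROCEDURE dbo.usp_ClearTableA;
DROP TABLE dbo.Table_A;
DROP USER Bob;
```

Ownership chaining covers SELECT, INSERT, UPDATE, DELETE and EXECUTE on same-owner objects; it does not apply to dynamic SQL or DDL inside a procedure, and an explicit DENY on the table is also bypassed while the chain is unbroken.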