Path: csiph.com!v102.xanadu-bbs.net!xanadu-bbs.net!feeder.erje.net!eu.feeder.erje.net!eternal-september.org!feeder.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: Erland Sommarskog <esquel@sommarskog.se>
Newsgroups: comp.databases.ms-sqlserver
Subject: Re: Extended property permissions
Date: Sat, 21 Dec 2013 00:01:53 +0100
Organization: Erland Sommarskog
Lines: 18
Message-ID: <XnsA29D51FF7CFYazorman@127.0.0.1>
References: <l91ve1$4cs$1@news.albasani.net> <XnsA29CEA25865ADYazorman@127.0.0.1> <l92g75$6lr$1@news.albasani.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 8bit
Injection-Info: mx05.eternal-september.org; posting-host="fd3d6d0229f14a752f017d8f9903addd"; logging-data="27941"; mail-complaints-to="abuse@eternal-september.org";	posting-account="U2FsdGVkX1+fTCr/80GswWZR6uF8f3ik"
User-Agent: Xnews/2006.08.24 Mime-proxy/2.1.c.0 (Win32)
Cancel-Lock: sha1:h7+LfUbbz90EZrCVG3YqwCvwPKU=
Xref: csiph.com comp.databases.ms-sqlserver:1635

Marco (noreply@no.reply) writes:
> Yes I know that, thanks.  But I'm wondering if there is a way, 
> perhaps through a stored procedure or a view, to give a user 
> read and update permissions to one specific extended property only.
> 

Yes, you could create a procedure that performs the operations you
want to expose. Then you create a certificate and sign that procedure 
with the certificate. Then you create a user from that certificate 
and grant that user ALTER on the object in question. (This user is 
not a real user that log in or anything.)

For a detailed discussion of this technique, please see this article
on my web site: http://www.sommarskog.se/grantperm.html


-- 
Erland Sommarskog, Stockholm, esquel@sommarskog.se