Question

Hello, I have a table on which I have denied SELECT privs to a user.
This table has a trigger which references the INSERTED table, basically doing an

-- pseudocode for the trigger body: stamp the rows that were just updated
AFTER UPDATE SET <table>.[UPDATED] = getdate()
  WHERE ROWID IN (SELECT ROWID FROM INSERTED)

It is giving me an error though, saying "SELECT PERMISSIONS DENIED"; I am guessing this is because of the SELECT FROM INSERTED.

How can I keep the SELECT deny, but allow the trigger to SELECT from the INSERTED pseudotable?

Thanks in advance!


Solution

Consider adding an EXECUTE AS clause so the trigger runs with the schema owner's permissions.

-- WITH EXECUTE AS OWNER runs the trigger body under the permissions of the
-- schema owner (dbo here) rather than those of the user issuing the UPDATE.
CREATE TRIGGER [dbo].[TR_Product_Update] ON [Product]
   WITH EXECUTE AS OWNER
   AFTER UPDATE
AS
SELECT ProductId
FROM INSERTED

OTHER TIPS

Why did you deny select? What about just not granting select to them? There is a subtle difference between denying select and just not granting it to them. Also, if you denied select to any of the system level roles, then that would also probably be part of the problem.

--EDIT--

In the comments you asked whether or not SQL Server has context info. SQL Server 2005 does, and you can see how to use it here.

Session Variable – Context_Info: Session is a powerful tool in any programming language. SQL Server is not a full-fledged programming language, but it does support a session variable for the current session or connection. It stores the session value in 128 bytes of binary information.

Join to the inserted table instead, something like:

-- stamp only the rows touched by the outer UPDATE by joining back to inserted
update t1
set updated = getdate()
from table1 t1
join inserted i
on i.rowid = t1.rowid

This will probably also perform better than a subselect anyway.

I suspect your problem is that your UPDATE statement itself requires the SELECT permission.

I created a test database as follows:

-- drop any previous copy of the test database, then recreate it
IF DB_ID('triggerPermissionTest') IS NOT NULL
    DROP DATABASE triggerPermissionTest
GO
CREATE DATABASE triggerPermissionTest
GO
USE triggerPermissionTest
GO
-- map a database user to an existing server login named 'tester'
CREATE USER foo FROM LOGIN tester
GO
CREATE TABLE triggerTable (id int)
GO
-- the user may write the table but is explicitly denied reading it
DENY SELECT ON triggerTable to foo
GRANT UPDATE ON triggerTable to foo
GO
-- trigger owned by dbo that reads the same table
CREATE TRIGGER execAsTrigger ON triggerTable
AFTER UPDATE AS SELECT * FROM triggerTable
GO
INSERT INTO triggerTable VALUES (1)
GO

and tried the following Update statements with the 'tester' login:

UPDATE triggerTable SET id = 2
GO
UPDATE triggerTable SET id = id *2
GO

The first one executes fine and the trigger executes (providing the results of select * from triggerTable to the user without select permissions, demonstrating that it managed to do a select).

The second one gives me an error stating that I don't have select permission on triggerTable (because it needs to select from triggerTable in order to get the value of id to do the update).

This leads me to conclude that the trigger is incidental to the problem, and the UPDATE statement is the cause of the permission issue.
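As an added, self-contained example (not code from the question or from any of the answers above), the following T-SQL script puts the two points together: the EXECUTE AS OWNER trigger from the accepted answer, written out with the asker's timestamp update as a join to inserted, and the permission test from the last answer, repeated with a loginless database user and EXECUTE AS USER so the whole thing runs in one session without a separate 'tester' login. The database, table, column, user and trigger names are assumptions.

```sql
-- Added example, not from the original question or answers.
-- Assumed names: database PermTest, table dbo.Product, user foo,
-- trigger dbo.TR_Product_Update.
SET NOCOUNT ON;
IF DB_ID('PermTest') IS NOT NULL
BEGIN
    ALTER DATABASE PermTest SET SINGLE_USER WITH ROLLBACK IMMEDIATE;
    DROP DATABASE PermTest;
END;
GO
CREATE DATABASE PermTest;
GO
USE PermTest;
GO
-- Loginless user: enough for EXECUTE AS USER, no server login required.
CREATE USER foo WITHOUT LOGIN;
GO
CREATE TABLE dbo.Product
(
    ProductId INT           NOT NULL PRIMARY KEY,
    Price     DECIMAL(10,2) NOT NULL,
    Updated   DATETIME      NULL
);
-- constructed sample rows
INSERT INTO dbo.Product (ProductId, Price) VALUES (1, 10.00), (2, 20.00);
GO
-- Same permission shape as the question: may write, explicitly may not read.
DENY  SELECT ON dbo.Product TO foo;
GRANT UPDATE ON dbo.Product TO foo;
GO
-- The asker's trigger written out in full. dbo owns both the trigger and the
-- table, so the reads inside the body are already covered by ownership
-- chaining; WITH EXECUTE AS OWNER additionally runs the body as dbo even
-- where no ownership chain applies.
CREATE TRIGGER dbo.TR_Product_Update ON dbo.Product
    WITH EXECUTE AS OWNER
    AFTER UPDATE
AS
BEGIN
    SET NOCOUNT ON;
    -- Guard against re-entry if RECURSIVE_TRIGGERS is ever switched on
    -- (it is OFF by default, so the trigger's own UPDATE does not re-fire).
    IF UPDATE(Updated) RETURN;
    UPDATE p
       SET p.Updated = GETDATE()
      FROM dbo.Product AS p
      JOIN inserted    AS i ON i.ProductId = p.ProductId;
END;
GO
-- Switch to the restricted user for the rest of the session.
EXECUTE AS USER = 'foo';
GO
-- 1) A pure write: UPDATE permission alone is enough. This succeeds and the
--    trigger fires and stamps Updated on both rows.
UPDATE dbo.Product SET Price = 11.00;
PRINT 'update without reads: OK';
GO
-- 2) A statement that reads a column in SET or WHERE needs SELECT on
--    dbo.Product for the *outer* statement. It fails with "The SELECT
--    permission was denied" before the trigger is reached.
BEGIN TRY
    UPDATE dbo.Product SET Price = Price * 2 WHERE ProductId = 1;
    PRINT 'update with reads: OK';
END TRY
BEGIN CATCH
    PRINT 'update with reads: ' + ERROR_MESSAGE();
END CATCH;
GO
REVERT;
GO
-- Back as dbo: confirm statement 1 ran and the trigger stamped the rows.
SELECT ProductId, Price, Updated FROM dbo.Product;
GO
```

Run it in SSMS or sqlcmd against a test instance. The first PRINT and the final SELECT (both rows at Price 11.00 with a non-NULL Updated) show that the denied user can fire a trigger which reads the table, while the CATCH output shows that the denial bites on the user's own UPDATE as soon as it has to read a column, which is the behaviour the last answer describes.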

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow