Stored Procedure Execute as Owner Close Database Connections Not Working

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0;







up vote
2
down vote

favorite












I created a stored procedure to allow users to Close All Db connections in the QA environment. I am SA and created the procedure.



When I modify the SP , run it Without 'Execute as Owner', I get results.
When I add 'Execute as Owner', I do not receive any results.



Trying to understand why.



create procedure [dbo].[DatabaseConnectionClose]
 @DatabaseName varchar(255)
with execute as owner
as


DECLARE @kill varchar(8000) = ''; 
SELECT @kill = @kill + 'kill ' + CONVERT(varchar(5), session_id) + ';' 
FROM sys.dm_exec_sessions
WHERE database_id = db_id(@DatabaseName)

select @kill as CloseConnectionScript

EXEC(@kill);



sql-server sql-server-2012 permissions connections impersonation




share|improve this question


















  • 2




    The script you have is inferior because (a) there's a more efficient way to achieve the same thing and (b) database_id is unreliable since cross-database queries and locks can exist. SET @kill = N'ALTER DATABASE ' + QUOTENAME(@DatabaseName) + N' SET SINGLE_USER WITH ROLLBACK IMMEDIATE;'
    – Aaron Bertrand♦
    Aug 22 at 18:42
















up vote
2
down vote

favorite












I created a stored procedure to allow users to Close All Db connections in the QA environment. I am SA and created the procedure.



When I modify the SP , run it Without 'Execute as Owner', I get results.
When I add 'Execute as Owner', I do not receive any results.



Trying to understand why.



create procedure [dbo].[DatabaseConnectionClose]
 @DatabaseName varchar(255)
with execute as owner
as


DECLARE @kill varchar(8000) = ''; 
SELECT @kill = @kill + 'kill ' + CONVERT(varchar(5), session_id) + ';' 
FROM sys.dm_exec_sessions
WHERE database_id = db_id(@DatabaseName)

select @kill as CloseConnectionScript

EXEC(@kill);



sql-server sql-server-2012 permissions connections impersonation




share|improve this question


















  • 2




    The script you have is inferior because (a) there's a more efficient way to achieve the same thing and (b) database_id is unreliable since cross-database queries and locks can exist. SET @kill = N'ALTER DATABASE ' + QUOTENAME(@DatabaseName) + N' SET SINGLE_USER WITH ROLLBACK IMMEDIATE;'
    – Aaron Bertrand♦
    Aug 22 at 18:42












up vote
2
down vote

favorite









up vote
2
down vote

favorite











I created a stored procedure to allow users to Close All Db connections in the QA environment. I am SA and created the procedure.



When I modify the SP , run it Without 'Execute as Owner', I get results.
When I add 'Execute as Owner', I do not receive any results.



Trying to understand why.



create procedure [dbo].[DatabaseConnectionClose]
 @DatabaseName varchar(255)
with execute as owner
as


DECLARE @kill varchar(8000) = ''; 
SELECT @kill = @kill + 'kill ' + CONVERT(varchar(5), session_id) + ';' 
FROM sys.dm_exec_sessions
WHERE database_id = db_id(@DatabaseName)

select @kill as CloseConnectionScript

EXEC(@kill);



sql-server sql-server-2012 permissions connections impersonation




share|improve this question














I created a stored procedure to allow users to Close All Db connections in the QA environment. I am SA and created the procedure.



When I modify the SP , run it Without 'Execute as Owner', I get results.
When I add 'Execute as Owner', I do not receive any results.



Trying to understand why.



create procedure [dbo].[DatabaseConnectionClose]
 @DatabaseName varchar(255)
with execute as owner
as


DECLARE @kill varchar(8000) = ''; 
SELECT @kill = @kill + 'kill ' + CONVERT(varchar(5), session_id) + ';' 
FROM sys.dm_exec_sessions
WHERE database_id = db_id(@DatabaseName)

select @kill as CloseConnectionScript

EXEC(@kill);




sql-server sql-server-2012 permissions connections impersonation





share|improve this question













share|improve this question




share|improve this question








edited Aug 22 at 19:12









Solomon Rutzky

45.3k473152




45.3k473152










asked Aug 22 at 17:37









MarkAllison

313




313







  • 2




    The script you have is inferior because (a) there's a more efficient way to achieve the same thing and (b) database_id is unreliable since cross-database queries and locks can exist. SET @kill = N'ALTER DATABASE ' + QUOTENAME(@DatabaseName) + N' SET SINGLE_USER WITH ROLLBACK IMMEDIATE;'
    – Aaron Bertrand♦
    Aug 22 at 18:42












  • 2




    The script you have is inferior because (a) there's a more efficient way to achieve the same thing and (b) database_id is unreliable since cross-database queries and locks can exist. SET @kill = N'ALTER DATABASE ' + QUOTENAME(@DatabaseName) + N' SET SINGLE_USER WITH ROLLBACK IMMEDIATE;'
    – Aaron Bertrand♦
    Aug 22 at 18:42







2




2




The script you have is inferior because (a) there's a more efficient way to achieve the same thing and (b) database_id is unreliable since cross-database queries and locks can exist. SET @kill = N'ALTER DATABASE ' + QUOTENAME(@DatabaseName) + N' SET SINGLE_USER WITH ROLLBACK IMMEDIATE;'
– Aaron Bertrand♦
Aug 22 at 18:42




The script you have is inferior because (a) there's a more efficient way to achieve the same thing and (b) database_id is unreliable since cross-database queries and locks can exist. SET @kill = N'ALTER DATABASE ' + QUOTENAME(@DatabaseName) + N' SET SINGLE_USER WITH ROLLBACK IMMEDIATE;'
– Aaron Bertrand♦
Aug 22 at 18:42










1 Answer
1






active

oldest

votes

















up vote
8
down vote













Using the EXECUTE AS clause of the CREATE module_type statement is impersonation, but only at the Database level. The owner is "dbo" (in this case, at least), but that is just a User; a Database-level principal. The KILL command requires an Instance-level permission. By default, when using Database-level impersonation (EXECUTE AS clause or EXECUTE AS USER statement), the process is quarantined to the current Database, even if that User maps to a Login (by having the same SID) that has the appropriate permission. Because of this restriction, the process is not allowed to reach up to the Instance to check Instance-level permissions.



To do this properly:



  1. Get rid of EXECUTE AS


  2. Implement this using Module Signing:



    Safely and Easily Use High-Level Permissions Without Granting Them to Anyone: Server-level (blog post of mine; external, but has better explanation)



    What minimum permissions do I need to provide to a user so that it can check the status of SQL Server Agent Service? (one of my answers, here on DBA.SE)



    The only permission you should need to grant to the Certificate-based Login is: ALTER ANY CONNECTION (as per the documentation for KILL)



For more info on module signing, please visit: Module Signing Info



Also, in addition to the excellent point made by Aaron Bertrand in a comment on the question, you need to be careful not to kill sessions for legitimate processes, such as SQL Server Agent, etc. You should filter on at least the program_name column of sys.dm_exec_sessions, if not also login_name (and possibly others).



However, if ALTER DATABASE [db_name] SET... ends up being the way to proceed, then use the following post as a guide since you won't be concerned with Instance-level permissions in that case:



Safely and Easily Use High-Level Permissions Without Granting Them to Anyone: Database-level






share|improve this answer






















    Your Answer







    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "182"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    convertImagesToLinks: false,
    noModals: false,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













     

    draft saved


    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fdba.stackexchange.com%2fquestions%2f215623%2fstored-procedure-execute-as-owner-close-database-connections-not-working%23new-answer', 'question_page');

    );

    Post as a guest

















    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    8
    down vote













    Using the EXECUTE AS clause of the CREATE module_type statement is impersonation, but only at the Database level. The owner is "dbo" (in this case, at least), but that is just a User; a Database-level principal. The KILL command requires an Instance-level permission. By default, when using Database-level impersonation (EXECUTE AS clause or EXECUTE AS USER statement), the process is quarantined to the current Database, even if that User maps to a Login (by having the same SID) that has the appropriate permission. Because of this restriction, the process is not allowed to reach up to the Instance to check Instance-level permissions.



    To do this properly:



    1. Get rid of EXECUTE AS


    2. Implement this using Module Signing:



      Safely and Easily Use High-Level Permissions Without Granting Them to Anyone: Server-level (blog post of mine; external, but has better explanation)



      What minimum permissions do I need to provide to a user so that it can check the status of SQL Server Agent Service? (one of my answers, here on DBA.SE)



      The only permission you should need to grant to the Certificate-based Login is: ALTER ANY CONNECTION (as per the documentation for KILL)



    For more info on module signing, please visit: Module Signing Info



    Also, in addition to the excellent point made by Aaron Bertrand in a comment on the question, you need to be careful not to kill sessions for legitimate processes, such as SQL Server Agent, etc. You should filter on at least the program_name column of sys.dm_exec_sessions, if not also login_name (and possibly others).



    However, if ALTER DATABASE [db_name] SET... ends up being the way to proceed, then use the following post as a guide since you won't be concerned with Instance-level permissions in that case:



    Safely and Easily Use High-Level Permissions Without Granting Them to Anyone: Database-level






    share|improve this answer


























      up vote
      8
      down vote













      Using the EXECUTE AS clause of the CREATE module_type statement is impersonation, but only at the Database level. The owner is "dbo" (in this case, at least), but that is just a User; a Database-level principal. The KILL command requires an Instance-level permission. By default, when using Database-level impersonation (EXECUTE AS clause or EXECUTE AS USER statement), the process is quarantined to the current Database, even if that User maps to a Login (by having the same SID) that has the appropriate permission. Because of this restriction, the process is not allowed to reach up to the Instance to check Instance-level permissions.



      To do this properly:



      1. Get rid of EXECUTE AS


      2. Implement this using Module Signing:



        Safely and Easily Use High-Level Permissions Without Granting Them to Anyone: Server-level (blog post of mine; external, but has better explanation)



        What minimum permissions do I need to provide to a user so that it can check the status of SQL Server Agent Service? (one of my answers, here on DBA.SE)



        The only permission you should need to grant to the Certificate-based Login is: ALTER ANY CONNECTION (as per the documentation for KILL)



      For more info on module signing, please visit: Module Signing Info



      Also, in addition to the excellent point made by Aaron Bertrand in a comment on the question, you need to be careful not to kill sessions for legitimate processes, such as SQL Server Agent, etc. You should filter on at least the program_name column of sys.dm_exec_sessions, if not also login_name (and possibly others).



      However, if ALTER DATABASE [db_name] SET... ends up being the way to proceed, then use the following post as a guide since you won't be concerned with Instance-level permissions in that case:



      Safely and Easily Use High-Level Permissions Without Granting Them to Anyone: Database-level






      share|improve this answer
























        up vote
        8
        down vote










        up vote
        8
        down vote









        Using the EXECUTE AS clause of the CREATE module_type statement is impersonation, but only at the Database level. The owner is "dbo" (in this case, at least), but that is just a User; a Database-level principal. The KILL command requires an Instance-level permission. By default, when using Database-level impersonation (EXECUTE AS clause or EXECUTE AS USER statement), the process is quarantined to the current Database, even if that User maps to a Login (by having the same SID) that has the appropriate permission. Because of this restriction, the process is not allowed to reach up to the Instance to check Instance-level permissions.



        To do this properly:



        1. Get rid of EXECUTE AS


        2. Implement this using Module Signing:



          Safely and Easily Use High-Level Permissions Without Granting Them to Anyone: Server-level (blog post of mine; external, but has better explanation)



          What minimum permissions do I need to provide to a user so that it can check the status of SQL Server Agent Service? (one of my answers, here on DBA.SE)



          The only permission you should need to grant to the Certificate-based Login is: ALTER ANY CONNECTION (as per the documentation for KILL)



        For more info on module signing, please visit: Module Signing Info



        Also, in addition to the excellent point made by Aaron Bertrand in a comment on the question, you need to be careful not to kill sessions for legitimate processes, such as SQL Server Agent, etc. You should filter on at least the program_name column of sys.dm_exec_sessions, if not also login_name (and possibly others).



        However, if ALTER DATABASE [db_name] SET... ends up being the way to proceed, then use the following post as a guide since you won't be concerned with Instance-level permissions in that case:



        Safely and Easily Use High-Level Permissions Without Granting Them to Anyone: Database-level






        share|improve this answer














        Using the EXECUTE AS clause of the CREATE module_type statement is impersonation, but only at the Database level. The owner is "dbo" (in this case, at least), but that is just a User; a Database-level principal. The KILL command requires an Instance-level permission. By default, when using Database-level impersonation (EXECUTE AS clause or EXECUTE AS USER statement), the process is quarantined to the current Database, even if that User maps to a Login (by having the same SID) that has the appropriate permission. Because of this restriction, the process is not allowed to reach up to the Instance to check Instance-level permissions.



        To do this properly:



        1. Get rid of EXECUTE AS


        2. Implement this using Module Signing:



          Safely and Easily Use High-Level Permissions Without Granting Them to Anyone: Server-level (blog post of mine; external, but has better explanation)



          What minimum permissions do I need to provide to a user so that it can check the status of SQL Server Agent Service? (one of my answers, here on DBA.SE)



          The only permission you should need to grant to the Certificate-based Login is: ALTER ANY CONNECTION (as per the documentation for KILL)



        For more info on module signing, please visit: Module Signing Info



        Also, in addition to the excellent point made by Aaron Bertrand in a comment on the question, you need to be careful not to kill sessions for legitimate processes, such as SQL Server Agent, etc. You should filter on at least the program_name column of sys.dm_exec_sessions, if not also login_name (and possibly others).



        However, if ALTER DATABASE [db_name] SET... ends up being the way to proceed, then use the following post as a guide since you won't be concerned with Instance-level permissions in that case:



        Safely and Easily Use High-Level Permissions Without Granting Them to Anyone: Database-level







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited Aug 23 at 16:52

























        answered Aug 22 at 17:53









        Solomon Rutzky

        45.3k473152




        45.3k473152



























             

            draft saved


            draft discarded















































             


            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fdba.stackexchange.com%2fquestions%2f215623%2fstored-procedure-execute-as-owner-close-database-connections-not-working%23new-answer', 'question_page');

            );

            Post as a guest
































































            Comments

            Post a Comment

            Popular posts from this blog

            Long meetings (6-7 hours a day): Being “babysat” by supervisor

            Image
            Clash Royale CLAN TAG #URR8PPP .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0; up vote 31 down vote favorite 4 I hold a PhD in mechanical engineering with a 7 year background in self-guided, self-paced research including 2 years as a graduate level course instructor and a subject matter expert for various engineering projects in a university setting in the United States. For the last 10-11 months, I am working in a research industry in France where my task is to debug C++ spaghetti code written over a period of several years by my current supervisor. It is a team of 2: just I and my supervisor. Diurnally, I am posed with a "bug of the day" to get out of this C++ code. My supervisor generally gives me about 15-30 minutes to solve it and then accosts me about whether or not the task is completed and then rinses and repeats this until the end of the day. Off-late, my supervisor has been holding 6-7 hour long "meetin
            Read more

            Is the Concept of Multiple Fantasy Races Scientifically Flawed? [closed]

            Image
            Clash Royale CLAN TAG #URR8PPP up vote 2 down vote favorite Many fantasy worlds have multiple humanoid species (elves, orcs, humans, etc) living in the same world, in addition to that, they often have the ability to interbreed. And I can't help but question their believability... fantasy-races reproduction interspecies-relations share | improve this question edited Aug 9 at 14:46 Michael Kjörling ♦ 21.1k 10 85 161 asked Aug 9 at 13:13 Chlodio 118 6 closed as unclear what you're asking by MichaelK, Gryphon, John, Vincent, Frostfyre Aug 9 at 15:25 Please clarify your specific problem or add additional details to highlight exactly what you need. As it's currently written, it’s hard to tell exactly what you're asking. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question. 3 Stack Exchange exist to
            Read more

            Confectionery

            Image
            Prepared foods made with a lot of sugar or other cabohydrates "Sweetmeat" redirects here. For the racehorse, see Sweetmeat (horse). Not to be confused with Sweetbread. This Kransekake is a traditional Scandinavian baker's confection. Confectionery is the art of making confections , which are food items that are rich in sugar and carbohydrates. Exact definitions are difficult. [1] In general, though, confectionery is divided into two broad and somewhat overlapping categories, bakers' confections and sugar confections. [2] Bakers' confectionery, also called flour confections , includes principally sweet pastries, cakes, and similar baked goods. Sugar confectionery includes candies ( sweets in British English), candied nuts, chocolates, chewing gum, bubble gum, pastillage, and other confections that are made primarily of sugar. In some cases, chocolate confections (confections made of chocolate) are treated as a separate category, as are sugar-free versions of
            Read more