msdb Public Role Permission Query

Saransvan 106 Reputation points
2021-03-02T15:25:09.427+00:00

Why does the msdb public role have execute permissions to all sp_sysdac stored procedures?

SQL Server

5 answers

  1. Erland Sommarskog 101.4K Reputation points MVP
    2021-03-02T22:59:29.987+00:00

    I can't see any good reason. Then again, I have no idea what these procedures are intended for.


  2. CarrinWu-MSFT 6,856 Reputation points
    2021-03-03T05:58:46.007+00:00

    Hi @Saransvan ,

    From the illustration below, you can see the permissions of the public role:
    [Image: 73550-public-role.png]
    SQL Server has many database objects, such as tables, views, stored procedures, functions, constraints, rules, synonyms, and triggers. Every database user belongs to the public database role. When a user has not been granted or denied specific permissions on a securable object, the user inherits the permissions granted to public on that object. Please refer to Database-Level Roles for more information. The picture is not very clear; you can download the attachment (PDF) if needed.

    Best regards,
    Carrin



    73651-microsoft-sql-server-2017-and-azure-sql-database-p.pdf


  3. Uwe Ricken 1 Reputation point MVP
    2021-03-03T06:29:18.687+00:00

    Hi Carrin,

    Your answer does not match the question! The question is not how authorizations are managed on which objects in SQL Server, but WHY there are authorizations for special objects, although they do not seem to make sense.


  4. Saransvan 106 Reputation points
    2021-03-03T08:49:19.34+00:00

    Thank you for clarifying, UweRicken-6497! Exactly - my question is why only these SPs. It's hard to find much information about them, but as you said, they are related to data tier functions, DACPACs etc. I need to know why public needs access; I am concerned that they are a potential security hole.


  5. Erland Sommarskog 101.4K Reputation points MVP
    2021-03-03T19:35:59.173+00:00

    The link shared by Uwe gives a little more information. I don't think that there is a big security hole here, since the procedures only seem to play with their own tables (but I did not read the code for all of them). They also seem to be doing their own security checks. It seems that you have to be a member of the server role dbcreator or have the permission CREATE ANY DATABASE to add a DAC instance.

    If no one on the server uses Data-Tier Application, I guess you can revoke the permission on them.

    I don't use DACPAC much myself, so I can't say whether this is something useful.
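
An added example, not part of any post in this thread: a read-only T-SQL audit of the two things discussed above, which sp_sysdac procedures the msdb public role can execute and whether any Data-Tier Application instance is registered on the server. It assumes the standard catalog views and the msdb.dbo.sysdac_instances view; the REVOKE text is only generated as a column for review, nothing is executed.

```sql
-- Added example: audit only, makes no changes to msdb.
USE msdb;
GO

-- 1. EXECUTE permissions granted to public on the sp_sysdac* procedures.
SELECT
    s.name             AS schema_name,
    o.name             AS procedure_name,
    dp.permission_name,
    dp.state_desc,     -- GRANT or GRANT_WITH_GRANT_OPTION
    grantor.name       AS granted_by,
    -- Statement text for later review; this query does not run it.
    N'REVOKE EXECUTE ON ' + QUOTENAME(s.name) + N'.' + QUOTENAME(o.name)
        + N' FROM [public];' AS revoke_statement
FROM sys.database_permissions AS dp
JOIN sys.database_principals  AS grantee
      ON grantee.principal_id = dp.grantee_principal_id
JOIN sys.database_principals  AS grantor
      ON grantor.principal_id = dp.grantor_principal_id
JOIN sys.objects AS o ON o.object_id = dp.major_id
JOIN sys.schemas AS s ON s.schema_id = o.schema_id
WHERE grantee.name = N'public'
  AND dp.class = 1                  -- object-level securable
  AND dp.minor_id = 0               -- whole object, not a column
  AND dp.permission_name = N'EXECUTE'
  AND dp.state IN ('G', 'W')        -- granted, with or without grant option
  AND o.type = 'P'                  -- stored procedures
  AND o.name LIKE N'sp[_]sysdac%'   -- [_] matches a literal underscore
ORDER BY o.name;

-- 2. Registered DAC instances. Rows here mean Data-Tier Application is in
--    use, so revoking the permissions above needs testing first.
--    Assumption: run as sysadmin, since lower-privileged logins may not
--    see every row.
SELECT instance_name, database_name, date_created, created_by
FROM dbo.sysdac_instances
ORDER BY date_created;
```

If the second query returns no rows and no deployment tooling on the server uses DACPACs, the generated statements are the candidates for the revoke mentioned in the last answer.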