{"id":6205,"date":"2021-03-16T17:27:48","date_gmt":"2021-03-16T22:27:48","guid":{"rendered":"http:\/\/andreas-wolter.com\/?p=6205"},"modified":"2025-07-28T19:24:05","modified_gmt":"2025-07-29T00:24:05","slug":"delegation-of-authority","status":"publish","type":"post","link":"https:\/\/andreas-wolter.com\/en\/delegation-of-authority\/","title":{"rendered":"Security: Delegation of Authority"},"content":{"rendered":"\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-1zf2st-f26289c640a208519bfcb6df051c5910\">\n.flex_column.av-1zf2st-f26289c640a208519bfcb6df051c5910{\nborder-radius:0px 0px 0px 0px;\npadding:0px 0px 0px 0px;\n}\n<\/style>\n<div  class='flex_column av-1zf2st-f26289c640a208519bfcb6df051c5910 av_one_full  avia-builder-el-0  avia-builder-el-no-sibling  first flex_column_div av-zero-column-padding  '     ><section  class='av_textblock_section av-1rmxx9-6f8e9a2934f095f44e6454978d9eabaa '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><h3>Security: Delegation of Authority<\/h3>\n<p><em>(part 3 of my series of articles on\u00a0<\/em><a href=\"https:\/\/andreas-wolter.com\/en\/202109_introduction-into-security-principles-in-the-context-of-database-systems\/\">security principles in Microsoft SQL Servers &#038; Databases<\/a><em>)<\/em><\/p>\n<p>To be precise from the beginning: Delegation is a process or concept rather than a principle. But it is a particularly useful practice to keep in mind when designing any security concept and it is strongly connected to the discussed security principles like the Principle of Least Privilege and Separation of Duties as you will find out.<\/p>\n<p>So, what is it about? Delegation (of authority) is the process to pass on certain permissions to other users, often temporarily, without raising their overall privileges to the same level as the delegating account.<\/p>\n<p>There are two slightly different approaches. Delegation can be done either..<\/p>\n<p>1) at the <strong>Identity level:<\/strong> allowing Identity A to be used utilized by identity B. Here B assumes A\u2019s identity and powers\/permissions. Examples in Operating Systems are the \u201cRunas\u201d and \u201csudo\u201d-commands in Windows, respectively Unix\/Linux.<\/p>\n<p>Or<\/p>\n<p>2) it can be done at the <strong>Authorization level<\/strong>: essentially by passing on a specified set of permissions via a form of Role Based Access Control (RBAC*) to another identity.<\/p>\n<p>When you look at two-tier application architectures and the authentication flows, you will probably notice that delegation is somewhat a common pattern.<\/p>\n<h5>OAuth and on-behalf-of token for authentication<\/h5>\n<p>For example, OAuth is an open standard for access delegation which is also utilized in Azure Active Directory (AAD). Using the OAuth 2.0 <strong><em>On-Behalf-Of<\/em><\/strong> flow (OBO) applications can invoke a service API, which in turn needs to call another service API &#8211; like SQL Server.<br \/>\nInstead of using the invoking application\u2019s identity, the delegated user\u2019s identity (and permissions) is propagated through the request chain. To do this, the second-tier application authenticates to the resource for example a SQL database, with its own token, a so called \u201con-behalf-of\u201d token that originated from the first-tier application..<br \/>\nThis is an example of delegation at identity level.<\/p>\n<\/div><\/section>\n<section  class='av_textblock_section av-fiz5st-63e7f804b7400b381f32ab7901e6298e '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><h4><a name=\"_Toc58433753\"><\/a>Delegation of Authority in the SQL realm<\/h4>\n<p>In SQL Server there are multiple options available to implement Delegation.<\/p>\n<h5>Azure AD User\u2019s creation<\/h5>\n<p>One scenario where delegation is being used under the covers is the following:<\/p>\n<p>Assume, an AAD principal, such as the AAD admin account for Azure SQL, wants to create an AAD user in the database (statement: CREATE USER FROM EXTERNAL PROVIDER).<br \/>\nIn this case, the managed service identity (MSI) which is assigned to Azure SQL server is required. Using this MSI, Azure SQL server sends the information about the AAD user which the AAD admin account wants to create as a user inside SQL to AAD graph (in future: MS graph) for verification. Therefore, the MSI (and not the AAD admin account) requires the proper permission in Azure AD (such as the \u201cDirectory Readers\u201d role).<\/p>\n<h5><a name=\"_Toc58433754\"><\/a>GRANT WITH GRANT OPTION<\/h5>\n<p>This one may be a less widely known possibility in SQL: it is possible to Grant a permission to Users and to allow them to pass on this permission. This is what the \u201cWITH GRANT OPTION\u201d of the GRANT statement is for.<br \/>\nIn the below example, a User <em>Shakti<\/em> has been granted the various privileges, INSERT, UPDATE, DELETE and SELECT a Schema named \u201cSales\u201d. On top of that, by using the WITH GRANT OPTION, she is allowed to pass on those permissions.<br \/>\nThis is demoed by impersonating her account using the EXECUTE AS clause (btw: this is also an example of using delegation at the identity level) and now \u201cbeing\u201d <em>Shakti<\/em> we can grant permissions to anyone else, <em>Jiao<\/em> in this case.<\/p>\n<\/div><\/section>\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-ejy0kd-46773d1ef3ddbfb10f8ba4cf1d22858c\">\n.avia-image-container.av-ejy0kd-46773d1ef3ddbfb10f8ba4cf1d22858c img.avia_image{\nbox-shadow:none;\n}\n.avia-image-container.av-ejy0kd-46773d1ef3ddbfb10f8ba4cf1d22858c .av-image-caption-overlay-center{\ncolor:#ffffff;\n}\n<\/style>\n<div  class='avia-image-container av-ejy0kd-46773d1ef3ddbfb10f8ba4cf1d22858c av-styling- avia-align-center  avia-builder-el-3  el_after_av_textblock  el_before_av_textblock '   itemprop=\"image\" itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/ImageObject\" ><div class=\"avia-image-container-inner\"><div class=\"avia-image-overlay-wrap\"><img decoding=\"async\" class='wp-image-6186 avia-img-lazy-loading-not-6186 avia_image ' src=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/04\/202103_1SQLSecurity_Delegation_GrantWithGrantOption-300x228.png\" alt='' title='202103_1SQLSecurity_Delegation_GrantWithGrantOption'  height=\"228\" width=\"300\"  itemprop=\"thumbnailUrl\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/04\/202103_1SQLSecurity_Delegation_GrantWithGrantOption-300x228.png 300w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/04\/202103_1SQLSecurity_Delegation_GrantWithGrantOption-600x456.png 600w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/04\/202103_1SQLSecurity_Delegation_GrantWithGrantOption-768x583.png 768w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/04\/202103_1SQLSecurity_Delegation_GrantWithGrantOption-1030x782.png 1030w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/04\/202103_1SQLSecurity_Delegation_GrantWithGrantOption-705x535.png 705w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/04\/202103_1SQLSecurity_Delegation_GrantWithGrantOption-450x342.png 450w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/04\/202103_1SQLSecurity_Delegation_GrantWithGrantOption.png 1200w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/div><\/div><\/div>\n<section  class='av_textblock_section av-bsi73x-69f9803dca00dfbd079971bcdb4470b5 '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><h5><a name=\"_Toc58433755\"><\/a>EXECUTE AS and privilege bracketing for temporarily delegating permissions<\/h5>\n<p>A powerful and commonly used technique is the possibility to run stored procedures under a separate user account for just the task at hand, no matter who the original caller is, and by that means use the privileges of the impersonated account for the runtime of the stored procedure.<br \/>\nThis is typically used to delegate tasks that otherwise require high privileges in SQL Server and by that helps to maintain the <a href=\"https:\/\/andreas-wolter.com\/en\/202102_principle-of-least-privilege-polp\/\">Principle of Least Privilege<\/a>.<\/p>\n<p>Strictly speaking, the delegation happens when access to the stored procedure is granted. The use of a stored procedure is technically a separate concept, referred to as \u201c<strong>privilege bracketing<\/strong>\u201d which is somewhat in the same space as <strong>just-in-time privileges<\/strong> (JIT). JIT is yet another technique which allows the use of certain elevated permissions for a certain period of time (aka \u201ctime bound\u201d) only.<br \/>\nPrivileged Identity Management in Azure offers these capabilities: <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/privileged-identity-management\/pim-configure\" target=\"_blank\" rel=\"noopener\">What is Privileged Identity Management? &#8211; Azure AD | Microsoft Docs<\/a><\/p>\n<p>See the below example: ALTER is the minimal (\u201cleast\u201d) permission necessary to Update Statistics on tables. But instead of granting ALTER on each table or the whole database, <em>Jiao<\/em> will only get permission to run this stored procedure which in turn runs under elevated permissions that are assumed for the runtime of the procedure only.<\/p>\n<\/div><\/section>\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-ax6kz1-3c74a074d6d83db0c5c98c7f59167c10\">\n.avia-image-container.av-ax6kz1-3c74a074d6d83db0c5c98c7f59167c10 img.avia_image{\nbox-shadow:none;\n}\n.avia-image-container.av-ax6kz1-3c74a074d6d83db0c5c98c7f59167c10 .av-image-caption-overlay-center{\ncolor:#ffffff;\n}\n<\/style>\n<div  class='avia-image-container av-ax6kz1-3c74a074d6d83db0c5c98c7f59167c10 av-styling- avia-align-center  avia-builder-el-5  el_after_av_textblock  el_before_av_textblock '   itemprop=\"image\" itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/ImageObject\" ><div class=\"avia-image-container-inner\"><div class=\"avia-image-overlay-wrap\"><img decoding=\"async\" class='wp-image-6188 avia-img-lazy-loading-not-6188 avia_image ' src=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/04\/202103_2SQLSecurity_Delegation_ExecuteAs-300x228.png\" alt='' title='202103_2SQLSecurity_Delegation_ExecuteAs'  height=\"228\" width=\"300\"  itemprop=\"thumbnailUrl\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/04\/202103_2SQLSecurity_Delegation_ExecuteAs-300x228.png 300w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/04\/202103_2SQLSecurity_Delegation_ExecuteAs-600x456.png 600w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/04\/202103_2SQLSecurity_Delegation_ExecuteAs-768x584.png 768w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/04\/202103_2SQLSecurity_Delegation_ExecuteAs-1030x783.png 1030w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/04\/202103_2SQLSecurity_Delegation_ExecuteAs-705x536.png 705w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/04\/202103_2SQLSecurity_Delegation_ExecuteAs-450x342.png 450w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/04\/202103_2SQLSecurity_Delegation_ExecuteAs.png 1200w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/div><\/div><\/div>\n<section  class='av_textblock_section av-9w87gd-ccb6da643aec5d44fd75df893bda70b7 '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p style=\"padding-left: 40px;\"><em>Note<\/em><br \/>\nIf you are auditing User\u2019s activities (which in general you should, but this is another topic coming up), you need to be aware that since Impersonation has the effect that the \u201ccurrent user\u201d is not the actual User who is acting, looking only at Server or Database Principal ID\u2019s does not give the right picture. Luckily, SQL Auditing by design always captures the <em>session_server_principal_name<\/em>. This contains the name of the principal who is connected to the instance of SQL Server originally, no matter how many levels of impersonations are done. This is the same like using the SQL Function <em>ORIGINAL_LOGIN(),<\/em> which you should use when implementing custom Logging solutions.<\/p>\n<\/div><\/section>\n<section  class='av_textblock_section av-7c1nv1-09efcfd0e8ff999cb56afffb31de05e1 '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><h5>Signing Modules for temporarily delegating permissions<\/h5>\n<p>There is an alternative option when using modules for delegation to EXECUTE AS: signing the module. In SQL Server, modules (such as stored procedures, functions and triggers) can be signed with an asymmetric key or a certificate (technically just another form of asymmetric key).<br \/>\nThe trick is that this key or certificate can be mapped to a database user. And when the module is executed, and the signature has been verified, the module will inherit the permissions of the mapped user. And here is the difference to the EXECUTE AS-clause: the permissions of the certificate-mapped user will be <u>added<\/u> to the permissions of the original caller, not replace them. This is because the execution context actually does not change. Which leads to the second big difference: All the built-in functions that return login and user names return the name of the caller, not the certificate user name.<br \/>\nIn the resources you will find a couple of links with various examples.<\/p>\n<p>Here is a diagram of how this can be used in a simple example:<\/p>\n<\/div><\/section>\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-5823x9-5c566a723024e2335b1f29f5152d5a52\">\n.avia-image-container.av-5823x9-5c566a723024e2335b1f29f5152d5a52 img.avia_image{\nbox-shadow:none;\n}\n.avia-image-container.av-5823x9-5c566a723024e2335b1f29f5152d5a52 .av-image-caption-overlay-center{\ncolor:#ffffff;\n}\n<\/style>\n<div  class='avia-image-container av-5823x9-5c566a723024e2335b1f29f5152d5a52 av-styling- avia-align-center  avia-builder-el-8  el_after_av_textblock  el_before_av_textblock '   itemprop=\"image\" itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/ImageObject\" ><div class=\"avia-image-container-inner\"><div class=\"avia-image-overlay-wrap\"><img decoding=\"async\" class='wp-image-6190 avia-img-lazy-loading-not-6190 avia_image ' src=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/04\/202103_3SQLSecurity_Delegation_SignedModule.png\" alt='' title='202103_3SQLSecurity_Delegation_SignedModule'  height=\"616\" width=\"1000\"  itemprop=\"thumbnailUrl\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/04\/202103_3SQLSecurity_Delegation_SignedModule.png 1000w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/04\/202103_3SQLSecurity_Delegation_SignedModule-600x370.png 600w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/04\/202103_3SQLSecurity_Delegation_SignedModule-300x185.png 300w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/04\/202103_3SQLSecurity_Delegation_SignedModule-768x473.png 768w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/04\/202103_3SQLSecurity_Delegation_SignedModule-705x434.png 705w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/04\/202103_3SQLSecurity_Delegation_SignedModule-450x277.png 450w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><\/div><\/div><\/div>\n<section  class='av_textblock_section av-3tpwq5-1a650983058a813d5dc6ca421644e602 '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>In this example, Ben alone only has SELECT on the table <em>Orders<\/em>, but does not have access to the <em>OrderDetails<\/em>-tables. Instead, the intention is, that he can only access this table by using the specifically prepared stored procedure <em>ProcAccountforInternalCalc<\/em>.<br \/>\nOnly at runtime of this procedure, the permissions of the original caller, Ben, are extended with the permissions of another user, <em>ProcAccountforInternalCalc<\/em>, which has been specifically created for this use-case: to grant the SELECT permission on the table <em>OrderDetails<\/em> only when the stored procedure <em>sel_OrderDetails_with_margin<\/em> is being used. For that, this user is mapped to a certificate, <em>Cert<br \/>\n_ProcAccountforInternalCalc<\/em>, which has been used to sign the stored procedure.<br \/>\nNow, anyone who has permission to execute this procedure, will inherit the additional permissions of <em>ProcAccountforInternalCalc<\/em> and can then see the data from the table \u2013 using the business logic from the procedure only.<\/p>\n<p style=\"padding-left: 40px;\"><em>Note<\/em><br \/>\nModule signing should only ever be used to GRANT permissions, and not be used as a mechanism to enforce DENY, let alone REVOKE permissions.<\/p>\n<p>Most SQL Server environments I have seen already use these concepts one way or the other. Delegation is an immensely powerful and useful technique: As you may realize from the last two examples, those techniques can also help ensuring the <a href=\"https:\/\/andreas-wolter.com\/en\/202102_principle-of-least-privilege-polp\/\">Principle of Least Privilege<\/a> is adhered to. And it also can help implement Separation of Duties, which is the reason to talk about it specifically within the context of the general <a href=\"https:\/\/andreas-wolter.com\/en\/202109_introduction-into-security-principles-in-the-context-of-database-systems\/\">Security Principles<\/a>.<\/p>\n<p>The T-SQL code-examples are available as a download below this article.<\/p>\n<p>Happy delegating<\/p>\n<p>Andreas<\/p>\n<p><strong>Thank you to my Reviewer:<\/strong><\/p>\n<p>Mirek Sztajno, Senior Program Manager in SQL Security and expert in Authentication<\/p>\n<\/div><\/section>\n<section  class='av_textblock_section av-2bqjb1-6122aa944c9aeacc04401a181188d125 '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><h4><a name=\"_Toc58433756\"><\/a>Resources<\/h4>\n<ul>\n<li><a href=\"https:\/\/en.wikipedia.org\/wiki\/OAuth\" target=\"_blank\" rel=\"noopener\">OAuth &#8211; Wikipedia<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/develop\/v2-oauth2-on-behalf-of-flow\" target=\"_blank\" rel=\"noopener\">Microsoft identity platform and OAuth2.0 On-Behalf-Of flow &#8211; Microsoft identity platform | Microsoft Docs<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/sql\/connect\/odbc\/using-azure-active-directory?view=sql-server-ver15\" target=\"_blank\" rel=\"noopener\">Using Azure Active Directory with the ODBC Driver &#8211; SQL Server | Microsoft Docs<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/azure-sql\/database\/authentication-aad-service-principal\" target=\"_blank\" rel=\"noopener\">Azure Active Directory service principal with Azure SQL &#8211; Azure SQL Database | Microsoft Docs<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/azure-sql\/database\/authentication-aad-service-principal-tutorial\" target=\"_blank\" rel=\"noopener\">Create Azure AD users using service principals &#8211; Azure SQL Database | Microsoft Docs<\/a><\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/en-us\/itshowcase\/using-azure-ad-privileged-identity-management-for-elevated-access\" target=\"_blank\" rel=\"noopener\">Using Azure AD Privileged Identity Management for elevated access<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/azure-australia\/role-privileged\" target=\"_blank\" rel=\"noopener\">Azure role-based access control (Azure RBAC) and Privileged Identity Management &#8211; Azure Australia | Microsoft Docs<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/sql\/t-sql\/statements\/grant-transact-sql#with-grant-option\" target=\"_blank\" rel=\"noopener\">GRANT WITH GRANT OPTION<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/sql\/t-sql\/statements\/execute-as-clause-transact-sql\" target=\"_blank\" rel=\"noopener\">EXECUTE AS Clause<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/sql\/t-sql\/functions\/original-login-transact-sql?view=sql-server-ver15\" target=\"_blank\" rel=\"noopener\">ORIGINAL_LOGIN (Transact-SQL) &#8211; SQL Server | Microsoft Docs<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/sql\/t-sql\/statements\/add-signature-transact-sql?view=sql-server-ver15\" target=\"_blank\" rel=\"noopener\">ADD SIGNATURE (Transact-SQL) &#8211; SQL Server | Microsoft Docs<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/dotnet\/framework\/data\/adonet\/sql\/signing-stored-procedures-in-sql-server\" target=\"_blank\" rel=\"noopener\">Signing Stored Procedures in SQL Server &#8211; ADO.NET | Microsoft Docs<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/previous-versions\/sql\/sql-server-2008\/ms345102(v=sql.100)\" target=\"_blank\" rel=\"noopener\">Module Signing (Database Engine) | Microsoft Docs<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/sql\/relational-databases\/tutorial-signing-stored-procedures-with-a-certificate?view=sql-server-ver15\" target=\"_blank\" rel=\"noopener\">Tutorial: Signing Stored Procedures with a Certificate &#8211; SQL Server | Microsoft Docs<\/a><\/li>\n<li>Wikipedia-Article on Delegation: <a href=\"https:\/\/en.wikipedia.org\/wiki\/Delegation_(computer_security)\" target=\"_blank\" rel=\"noopener\">https:\/\/en.wikipedia.org\/wiki\/Delegation_(computer_security)<\/a><\/li>\n<li>Wikipedia-Article on Privilege bracketing: <a href=\"https:\/\/en.wikipedia.org\/wiki\/Privilege_bracketing\" target=\"_blank\" rel=\"noopener\">https:\/\/en.wikipedia.org\/wiki\/Privilege_bracketing<\/a><\/li>\n<li>Article by a Community member and MVP on Packaging Permissions in Stored Procedures <a href=\"http:\/\/www.sommarskog.se\/grantperm.html\" target=\"_blank\" rel=\"noopener\">http:\/\/www.sommarskog.se\/grantperm.html<\/a><\/li>\n<\/ul>\n<\/div><\/section><\/div>","protected":false},"excerpt":{"rendered":"","protected":false},"author":2,"featured_media":6190,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[28],"tags":[],"class_list":["post-6205","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-28"],"_links":{"self":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts\/6205","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/comments?post=6205"}],"version-history":[{"count":4,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts\/6205\/revisions"}],"predecessor-version":[{"id":6923,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts\/6205\/revisions\/6923"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/media\/6190"}],"wp:attachment":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/media?parent=6205"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/categories?post=6205"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/tags?post=6205"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}