V-255317
SV-255317r961359_rule
CAT II
Azure SQL Database must restrict execution of stored procedures and functions that utilize [execute as] to necessary cases only.
From: Microsoft Azure SQL Database Security Technical Implementation Guide (V2R3)
Description
In certain situations, to provide required functionality, a DBMS needs to execute internal logic (stored procedures, functions, triggers, etc.) and/or external code modules with elevated privileges. However, if the privileges required for execution are at a higher level than the privileges assigned to the organizational users invoking the functionality (applications/programs), those users are indirectly provided with greater privileges than assigned by organizations.
Privilege elevation by "Execute As" must be utilized only where necessary and protected from misuse.
Documentable: false
Check Procedure
Review the system documentation to obtain a listing of stored procedures and functions that utilize impersonation. Execute the following query:
SELECT S.name AS schema_name, O.name AS module_name,
USER_NAME(CASE M.execute_as_principal_id
WHEN -2 THEN COALESCE(O.principal_id, S.principal_id)
ELSE M.execute_as_principal_id
END) AS execute_as
FROM sys.sql_modules M
JOIN sys.objects O ON M.object_id = O.object_id
JOIN sys.schemas S ON O.schema_id = S.schema_id
WHERE M.execute_as_principal_id IS NOT NULL
ORDER BY schema_name, module_name;
If any procedures or functions are returned that are not documented, this is a finding.
Fix Text
Alter stored procedures and functions to remove the "EXECUTE AS" clause.
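The check and the fix carried through end to end, as an added T-SQL example that is not part of the STIG text: the procedure dbo.usp_archive_orders and the dbo.approved_impersonation allowlist table are constructed for illustration, and the allowlist is an assumption standing in for the system documentation the check refers to.

```sql
-- Constructed sample module (not from the STIG): it runs as the owner,
-- so every caller is elevated to the owner's rights while it executes.
CREATE PROCEDURE dbo.usp_archive_orders
WITH EXECUTE AS OWNER
AS
BEGIN
    SELECT 'archiving' AS action;
END;
GO

-- Hypothetical allowlist of modules whose impersonation is documented.
CREATE TABLE dbo.approved_impersonation (
    schema_name   sysname       NOT NULL,
    module_name   sysname       NOT NULL,
    justification nvarchar(400) NOT NULL,
    CONSTRAINT pk_approved_impersonation PRIMARY KEY (schema_name, module_name)
);
GO

-- The STIG check query, compared against the allowlist so that each
-- impersonating module is labelled FINDING (undocumented) or documented.
WITH impersonating AS (
    SELECT S.name AS schema_name, O.name AS module_name,
           USER_NAME(CASE M.execute_as_principal_id
                         WHEN -2 THEN COALESCE(O.principal_id, S.principal_id)
                         ELSE M.execute_as_principal_id
                     END) AS execute_as
    FROM sys.sql_modules M
    JOIN sys.objects O ON M.object_id = O.object_id
    JOIN sys.schemas S ON O.schema_id = S.schema_id
    WHERE M.execute_as_principal_id IS NOT NULL
)
SELECT I.schema_name, I.module_name, I.execute_as,
       CASE WHEN A.module_name IS NULL THEN 'FINDING' ELSE 'documented' END AS status
FROM impersonating I
LEFT JOIN dbo.approved_impersonation A
       ON A.schema_name = I.schema_name AND A.module_name = I.module_name
ORDER BY status, I.schema_name, I.module_name;
GO

-- Fix: redefine the module without the EXECUTE AS clause. It then runs
-- under the caller's own permissions (EXECUTE AS CALLER, the default),
-- execute_as_principal_id becomes NULL, and the check query no longer
-- returns it.
ALTER PROCEDURE dbo.usp_archive_orders
AS
BEGIN
    SELECT 'archiving' AS action;
END;
GO
```

GO is a batch separator understood by sqlcmd and SQL Server Management Studio, not a T-SQL statement, so run the script through one of those tools.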
CCI Reference
CCI-002233
Created: 2026-04-07 20:08:22
Last Updated: 2026-04-07 20:08:22