SA0150 : The procedure grants permissions at the end of its body. Possible missing GO batch separator command |
 |
Procedures mistakenly modifying permissions can cause security and execution issues.
DescriptionThis problem arises when stored procedures inadvertently include GRANT or REVOKE permissions within their bodies. This typically happens if a procedure’s script removes the GO command that separates the main procedure from permission operations due to a misconception that the procedure body is limited to its BEGIN/END block.
For example:
1CREATE PROCEDURE ExampleProcedure 2AS 3BEGIN 4 -- Procedure logic here 5END 6 7GRANT SELECT ON SomeTable TO SomeUser;
In this case, the permission statement is executed every time the procedure runs. This can be a problem, especially if there is no explicit RETURN statement, leading to unintended security changes.
-
It can alter security permissions unintentionally, affecting the integrity of database access control.
-
It can degrade performance due to the additional overhead of executing permission statements repeatedly.
How to fixEnsure stored procedures do not unintentionally include permission changes in their execution to maintain security and performance.
Follow these steps to address the issue:
-
Review the stored procedure and identify any GRANT or REVOKE statements present within the procedure body after the END block.
-
Separate these permission statements from the procedure body using the GO command to ensure they are not executed every time the stored procedure runs.
-
Insert a GO command after the END statement of the procedure.
-
Place the permission statements (e.g., GRANT SELECT ON SomeTable TO SomeUser) after the GO command to execute them separately from the procedure logic.
For example:
1CREATE PROCEDURE ExampleProcedure 2AS 3BEGIN 4 -- Procedure logic here 5END 6GO 7GRANT SELECT ON SomeTable TO SomeUser;
ScopeThe rule has a Batch scope and is applied only on the SQL script.
Parameters| Name | Description | Default Value |
|---|---|---|
| OnTarget |
The target of on which the permissions are granted or revoked. |
Any |
RemarksThe rule does not need Analysis Context or SQL Connection.
Effort To FixCategoriesDesign Rules, Security Rules
Additional InformationThere is no additional info for this rule.
Example Test SQL|
SQL
1ALTER PROCEDURE dbo.FooGetTableA 2 ( 3 @Parameter varchar(4) 4 ) 5AS 6BEGIN 7 8 SELECT Column1 9 FROM dbo.TableA 10 WHERE Column2 = @Parameter 11 12 GRANT EXEC ON dbo.FooGetTableA TO ApplicationRole -- ignored as it is in the main BEGIN/END block. 13END 14 15-- GO 16REVOKE EXEC ON dbo.FooGetTableB TO ApplicationRole 17GRANT EXEC ON dbo.FooGetTableA TO ApplicationRole |
Analysis Results| Message | Line | Column | |
|---|---|---|---|
| 1 | SA0150 : Possible missing GO command. The procedure FooGetTableA grants/revokes permissions. | 16 | 0 |
| 2 | SA0150 : Possible missing GO command. The procedure FooGetTableA grants/revokes its own permissions. | 17 | 0 |
See Also