Execute AS Windows Group Name

Question

Hello!

Would you please help me with one more question?

The theory:

The user or login name specified in EXECUTE AS <context_specification> must exist as a principal in sys.database_principals or sys.server_principals, respectively, or the EXECUTE AS statement fails. Additionally, IMPERSONATE permissions must be granted on the principal. Unless the caller is the database owner, or is a member of the sysadmin fixed server role, the principal must exist even when the user is accessing the database or instance of SQL Server through a Windows group membership.

The practice:

Both principals ('user login' Test and 'Windows group login' SQLusers) exist in the sys.server_principals but EXECUTE AS fails for the Windows group login - why?

Thank you in advance,
Michael

Answer 1

Hi @Mikhail Firsov ,

but EXECUTE AS fails for the Windows group login - why?

This is because the name in EXECUTE AS statement must be a singleton account, and cannot be a group, role, certificate, key, or built-in account.
Please refer to Arguments for more details.

Best Regards,
Amelia

---

If the answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 2

Tthe error message in your screenshot includes the passage * this type of principal cannot be impersonated*, and there you have the answer to your question.

Answer 3

Oh, sorry - missed this: "name must be a singleton account, and cannot be a group, role, ..."

Regards,
Michael