What access does a Windows authenticated user in T-SQL need to create an External_Access or Unsafe Assembly?

Question

I'm trying to do a POC using Sqlclr and C# to call .Net code (dll) from a stored procedure. I'm trying to write to EventLogs. I was able to create a safe assembly and then create a stored procedure wrapper around my dll. But while executing the code it failed - for Event Log access the Assembly needs to be created with an External_Access/ Unsafe permission set.

When I tried the same with an External Assembly it didn't work. So I went with the route of creating a Login from the signed dll.

• I signed the dll using Visual Studio. Under project properties signing tab, I signed it without a password (snk file).

• I then created an asymmetric key in sql with the dll.

• Using this asymmetric key I have created a Login in Master.
• I then granted this Login External Access Assembly.
• Changed Database to use the particular one in which I am trying to create the wrapper procedure
• In the next step I tried to create the Assembly with External_Access permission set.
• This failed with the Error Message -

Msg 300 - External Access Assembly Permission was denied on object 'server', database 'master'

• I then tried going through the route of setting Database Trustworthy to ON just to check if the concept actually works.
• This failed with the same exception.

My question is does my Windows authenticated login need to have more permissions to be able to set the External_Access permissions. Does it require an SA account?

Answer 1

First of all, did you mean to run this on master (as per the error message)?

To use TRUSTWORTHY, the user needs sysadmin as per here, but it is generally a bad idea to use TRUSTWORTHY.

To create an assembly with EXTERNAL_ACCESS the login needs EXTERNAL ACCESS ASSEMBLY permission on the server. To create the assembly as UNSAFE the login needs UNSAFE ASSEMBLY permission on the server. You can read more about that here.

Niels