Grant Authorization Behaviour

Database

Grant Authorization Behaviour

Hi, I have a strange permission issue encountered today, I am wondering how the Grant Authorization behaviour may possibly play into this, here is my situation:

user with no Admin rights was able to grant db to db permisssions on a database that was considered secured off from the main "branch" of db's

example, here is my environment set up, having MAINDB and SECUREDB as separate branches

DBC

  MAINDB

       db1

       db2

       db3

  SECUREDB

       db1

       db2

user has create, drop authorization in users own database plus has grant and drop authorization in another work database throught a database role, for our example user database and work database are located under MAINDB

user has no permissions to SECUREDB but granted db to db rights on 2 databaes in the MAINDB branch - ex. granted select on db1 to db2.

There are no "Grant Admin" or Grant with Grant options selected.

How is this possible? Does the GRANT Authorization span outside of the database where it is granted?

Any assistance please!