A user with permission to execute a stored procedure can do so even if he or she does not have permissions on tables or views referenced by the stored procedure. For example, a user might be given permission to execute a stored procedure that updates a row-and-column subset of a specified table even though that user does not have any other permissions for that table.
If a stored procedure updates system tables, updates to the system tables must be allowed when the stored procedure is created. Then the stored procedure can run successfully later even if the system is reconfigured not to allow updates to the system tables.
Note that EXEC ('string') permissions are checked at execution time, even if the execution statement is part of a stored procedure.
For information on managing and using stored procedures, see the Microsoft SQL Server Transact-SQL Reference. For information on managing permissions, see Chapter 9, Managing Security.