{"id":1788,"date":"2014-01-10T11:00:45","date_gmt":"2014-01-10T16:00:45","guid":{"rendered":"http:\/\/sqlity.net\/en\/?p=1788"},"modified":"2014-11-13T13:21:44","modified_gmt":"2014-11-13T18:21:44","slug":"prevent-unauthorized-reverting-after-execute-as","status":"publish","type":"post","link":"https:\/\/sqlity.net\/en\/1788\/prevent-unauthorized-reverting-after-execute-as\/","title":{"rendered":"Prevent unauthorized REVERTing after EXECUTE AS"},"content":{"rendered":"
\n

Introduction<\/h3>\n

\nYesterday<\/a> we talked about the EXECUTE AS<\/span> and the REVERT<\/span> statements. To execute the REVERT<\/span> statement, no special permissions are required. That means, anybody getting hold of a connection with a switched security context can switch back to the original security context at any time.\n<\/p>\n

\nIn some situations that might not be desirable. For example if you, following the Principle of Least Privilege<\/a> used EXECUTE AS<\/span> to reduce the active permissions on a given connection. For those situations there is a way to prevent the REVERT<\/span> action.\n<\/p>\n

Preventing REVERT<\/h3>\n

\nThere are actually two ways to prevent the execution of REVERT<\/span>. The first is to specify WITH NO REVERT<\/span> when executing EXECUTE AS<\/span>. Let's look at an example:\n<\/p>\n

\n[sql]\nCREATE LOGIN TestLogin1 WITH PASSWORD='********', CHECK_POLICY = OFF;
\nCREATE USER TestUser1 FOR LOGIN TestLogin1;
\nGO
\nEXECUTE AS LOGIN='TestLogin1' WITH NO REVERT;
\nGO
\nSELECT 'login' AS token_type,principal_id,name FROM sys.login_token AS LT
\nUNION ALL
\nSELECT 'user' AS token_type,principal_id,name FROM sys.user_token AS UT;
\nGO
\nREVERT;
\nGO
\nSELECT 'login' AS token_type,principal_id,name FROM sys.login_token AS LT
\nUNION ALL
\nSELECT 'user' AS token_type,principal_id,name FROM sys.user_token AS UT;
\n[\/sql]\n<\/div>\n

\nThese statements first create a login and an associated user. Then the security context is switched using EXECUTE AS WITH NO REVERT<\/span>. Using the token DMVs we can see that the switch was successful. Afterwards a REVERT<\/span> is attempted. However, executing the REVERT<\/span> statement here fails with error 15196 and the token DMVs confirm that the security context was not switched back:\n<\/p>\n

\n\"EXECUTE<\/a>\n<\/p>\n<\/p>\n

EXECUTE AS WITH COOKIE<\/h3>\n

\nIn some situations you want to prevent others from switching the security context back, but you want to be able to go back yourself. For that case SQL Server offers EXECUTE AS with a cookie. For an example let's connect to SQL Server with TestLogin1<\/span> and then use the EXECUTE AS WITH COOKIE<\/span> statement to switch the security context to the login TestLogin2<\/span>:\n<\/p>\n

\n[sql]\nDECLARE @cookie VARBINARY(8000);
\nEXECUTE AS LOGIN='TestLogin2' WITH COOKIE INTO @cookie;
\nSELECT @cookie AS cookie;
\n[\/sql]\n<\/div>\n

\nThe EXECUTE AS WITH COOKIE<\/span> statement returns a VARBINARY(8000)<\/span> value through the provided output variable:\n<\/p>\n

\n\"EXECUTE<\/a>\n<\/p>\n

\nThe returned value is actually a VRABINARY(100)<\/span> value, but the documentation explicitly mentions that the length might change anytime and that you should therefore always provide a variable of data type VARBINARY(8000)<\/span> for the cookie.\n<\/p>\n

\nAny attempt to revert without this exact cookie value will now fail:\n<\/p>\n

\n\"REVERT<\/a>\n<\/p>\n

\nTo successfully revert you need to use the REVERT WITH COOKIE<\/span> statement and provide the same value that was returned by the EXECUTE AS<\/span> statement:\n<\/p>\n

\n[sql]\nREVERT WITH COOKIE = 0x094DACF9798499803059E31A83A97F4096C9D69F6335001C66F88F3775891711328E6A8E2BDA1EBF77CA0FA1F961E2A40100;
\n[\/sql]\n<\/div>\n<\/p>\n

Summary<\/h3>\n

\nEXECUTE AS WITH NO REVERT<\/span> and EXECUTE AS WITH COOKIE<\/span> provide ways to change the security context of a connection while preventing unauthorized reverting to the original security context. This can come in handy in situations where you want to use EXECUTE AS<\/span> to deliberately reduce the active set of permissions.\n<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

Worried about unauthorized REVERTing after using EXECUTE AS? Read on to get all the details about EXECUTE AS WITH NO REVERT and EXECUTE AS WITH COOKIE.<\/p>\n

[more…]<\/a><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[5,34],"tags":[50,38,60,51,56,15],"class_list":["post-1788","post","type-post","status-publish","format-standard","hentry","category-general","category-security","tag-permission","tag-security-2","tag-security-context","tag-security-tokens","tag-server-principals","tag-sql-server"],"acf":[],"yoast_head":"\nPrevent unauthorized REVERTing after EXECUTE AS - sqlity.net<\/title>\n<meta name=\"description\" content=\"Worried about unauthorized REVERTing after using EXECUTE AS? Read on to get all the details about EXECUTE AS WITH NO REVERT and EXECUTE AS WITH COOKIE.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/sqlity.net\/en\/1788\/prevent-unauthorized-reverting-after-execute-as\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Prevent unauthorized REVERTing after EXECUTE AS - sqlity.net\" \/>\n<meta property=\"og:description\" content=\"Worried about unauthorized REVERTing after using EXECUTE AS? Read on to get all the details about EXECUTE AS WITH NO REVERT and EXECUTE AS WITH COOKIE.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/sqlity.net\/en\/1788\/prevent-unauthorized-reverting-after-execute-as\/\" \/>\n<meta property=\"og:site_name\" content=\"sqlity.net\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/sqlity.net\" \/>\n<meta property=\"article:published_time\" content=\"2014-01-10T16:00:45+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2014-11-13T18:21:44+00:00\" \/>\n<meta property=\"og:image\" content=\"http:\/\/sqlity.net\/wp-content\/uploads\/2014\/01\/EXECUTE_AS_with_NO_REVERT_in_action.jpg\" \/>\n<meta name=\"author\" content=\"Sebastian Meine\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@sqlity\" \/>\n<meta name=\"twitter:site\" content=\"@sqlity\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Sebastian Meine\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/sqlity.net\\\/en\\\/1788\\\/prevent-unauthorized-reverting-after-execute-as\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/sqlity.net\\\/en\\\/1788\\\/prevent-unauthorized-reverting-after-execute-as\\\/\"},\"author\":{\"name\":\"Sebastian Meine\",\"@id\":\"https:\\\/\\\/sqlity.net\\\/en\\\/#\\\/schema\\\/person\\\/bcffd8c572bc2f1bd10fdba80135e53c\"},\"headline\":\"Prevent unauthorized REVERTing after EXECUTE AS\",\"datePublished\":\"2014-01-10T16:00:45+00:00\",\"dateModified\":\"2014-11-13T18:21:44+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/sqlity.net\\\/en\\\/1788\\\/prevent-unauthorized-reverting-after-execute-as\\\/\"},\"wordCount\":573,\"commentCount\":0,\"image\":{\"@id\":\"https:\\\/\\\/sqlity.net\\\/en\\\/1788\\\/prevent-unauthorized-reverting-after-execute-as\\\/#primaryimage\"},\"thumbnailUrl\":\"http:\\\/\\\/sqlity.net\\\/wp-content\\\/uploads\\\/2014\\\/01\\\/EXECUTE_AS_with_NO_REVERT_in_action.jpg\",\"keywords\":[\"Permission\",\"security\",\"security context\",\"Security Tokens\",\"server principals\",\"SQL Server\"],\"articleSection\":[\"General\",\"Security\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/sqlity.net\\\/en\\\/1788\\\/prevent-unauthorized-reverting-after-execute-as\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/sqlity.net\\\/en\\\/1788\\\/prevent-unauthorized-reverting-after-execute-as\\\/\",\"url\":\"https:\\\/\\\/sqlity.net\\\/en\\\/1788\\\/prevent-unauthorized-reverting-after-execute-as\\\/\",\"name\":\"Prevent unauthorized REVERTing after EXECUTE AS - sqlity.net\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/sqlity.net\\\/en\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/sqlity.net\\\/en\\\/1788\\\/prevent-unauthorized-reverting-after-execute-as\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/sqlity.net\\\/en\\\/1788\\\/prevent-unauthorized-reverting-after-execute-as\\\/#primaryimage\"},\"thumbnailUrl\":\"http:\\\/\\\/sqlity.net\\\/wp-content\\\/uploads\\\/2014\\\/01\\\/EXECUTE_AS_with_NO_REVERT_in_action.jpg\",\"datePublished\":\"2014-01-10T16:00:45+00:00\",\"dateModified\":\"2014-11-13T18:21:44+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/sqlity.net\\\/en\\\/#\\\/schema\\\/person\\\/bcffd8c572bc2f1bd10fdba80135e53c\"},\"description\":\"Worried about unauthorized REVERTing after using EXECUTE AS? Read on to get all the details about EXECUTE AS WITH NO REVERT and EXECUTE AS WITH COOKIE.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/sqlity.net\\\/en\\\/1788\\\/prevent-unauthorized-reverting-after-execute-as\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/sqlity.net\\\/en\\\/1788\\\/prevent-unauthorized-reverting-after-execute-as\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/sqlity.net\\\/en\\\/1788\\\/prevent-unauthorized-reverting-after-execute-as\\\/#primaryimage\",\"url\":\"http:\\\/\\\/sqlity.net\\\/wp-content\\\/uploads\\\/2014\\\/01\\\/EXECUTE_AS_with_NO_REVERT_in_action.jpg\",\"contentUrl\":\"http:\\\/\\\/sqlity.net\\\/wp-content\\\/uploads\\\/2014\\\/01\\\/EXECUTE_AS_with_NO_REVERT_in_action.jpg\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/sqlity.net\\\/en\\\/1788\\\/prevent-unauthorized-reverting-after-execute-as\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/sqlity.net\\\/en\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Prevent unauthorized REVERTing after EXECUTE AS\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/sqlity.net\\\/en\\\/#website\",\"url\":\"https:\\\/\\\/sqlity.net\\\/en\\\/\",\"name\":\"sqlity.net\",\"description\":\"Quality for SQL\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/sqlity.net\\\/en\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/sqlity.net\\\/en\\\/#\\\/schema\\\/person\\\/bcffd8c572bc2f1bd10fdba80135e53c\",\"name\":\"Sebastian Meine\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/4ab0a6d02dd494849a584a2c3c8bc3bdcef1d0aa5f87e98bf905dbdb9ad2ce3a?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/4ab0a6d02dd494849a584a2c3c8bc3bdcef1d0aa5f87e98bf905dbdb9ad2ce3a?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/4ab0a6d02dd494849a584a2c3c8bc3bdcef1d0aa5f87e98bf905dbdb9ad2ce3a?s=96&d=mm&r=g\",\"caption\":\"Sebastian Meine\"},\"sameAs\":[\"http:\\\/\\\/sqlity.net\",\"https:\\\/\\\/x.com\\\/sqlity\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Prevent unauthorized REVERTing after EXECUTE AS - sqlity.net","description":"Worried about unauthorized REVERTing after using EXECUTE AS? Read on to get all the details about EXECUTE AS WITH NO REVERT and EXECUTE AS WITH COOKIE.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/sqlity.net\/en\/1788\/prevent-unauthorized-reverting-after-execute-as\/","og_locale":"en_US","og_type":"article","og_title":"Prevent unauthorized REVERTing after EXECUTE AS - sqlity.net","og_description":"Worried about unauthorized REVERTing after using EXECUTE AS? Read on to get all the details about EXECUTE AS WITH NO REVERT and EXECUTE AS WITH COOKIE.","og_url":"https:\/\/sqlity.net\/en\/1788\/prevent-unauthorized-reverting-after-execute-as\/","og_site_name":"sqlity.net","article_publisher":"https:\/\/www.facebook.com\/sqlity.net","article_published_time":"2014-01-10T16:00:45+00:00","article_modified_time":"2014-11-13T18:21:44+00:00","og_image":[{"url":"http:\/\/sqlity.net\/wp-content\/uploads\/2014\/01\/EXECUTE_AS_with_NO_REVERT_in_action.jpg","type":"","width":"","height":""}],"author":"Sebastian Meine","twitter_card":"summary_large_image","twitter_creator":"@sqlity","twitter_site":"@sqlity","twitter_misc":{"Written by":"Sebastian Meine","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/sqlity.net\/en\/1788\/prevent-unauthorized-reverting-after-execute-as\/#article","isPartOf":{"@id":"https:\/\/sqlity.net\/en\/1788\/prevent-unauthorized-reverting-after-execute-as\/"},"author":{"name":"Sebastian Meine","@id":"https:\/\/sqlity.net\/en\/#\/schema\/person\/bcffd8c572bc2f1bd10fdba80135e53c"},"headline":"Prevent unauthorized REVERTing after EXECUTE AS","datePublished":"2014-01-10T16:00:45+00:00","dateModified":"2014-11-13T18:21:44+00:00","mainEntityOfPage":{"@id":"https:\/\/sqlity.net\/en\/1788\/prevent-unauthorized-reverting-after-execute-as\/"},"wordCount":573,"commentCount":0,"image":{"@id":"https:\/\/sqlity.net\/en\/1788\/prevent-unauthorized-reverting-after-execute-as\/#primaryimage"},"thumbnailUrl":"http:\/\/sqlity.net\/wp-content\/uploads\/2014\/01\/EXECUTE_AS_with_NO_REVERT_in_action.jpg","keywords":["Permission","security","security context","Security Tokens","server principals","SQL Server"],"articleSection":["General","Security"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/sqlity.net\/en\/1788\/prevent-unauthorized-reverting-after-execute-as\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/sqlity.net\/en\/1788\/prevent-unauthorized-reverting-after-execute-as\/","url":"https:\/\/sqlity.net\/en\/1788\/prevent-unauthorized-reverting-after-execute-as\/","name":"Prevent unauthorized REVERTing after EXECUTE AS - sqlity.net","isPartOf":{"@id":"https:\/\/sqlity.net\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/sqlity.net\/en\/1788\/prevent-unauthorized-reverting-after-execute-as\/#primaryimage"},"image":{"@id":"https:\/\/sqlity.net\/en\/1788\/prevent-unauthorized-reverting-after-execute-as\/#primaryimage"},"thumbnailUrl":"http:\/\/sqlity.net\/wp-content\/uploads\/2014\/01\/EXECUTE_AS_with_NO_REVERT_in_action.jpg","datePublished":"2014-01-10T16:00:45+00:00","dateModified":"2014-11-13T18:21:44+00:00","author":{"@id":"https:\/\/sqlity.net\/en\/#\/schema\/person\/bcffd8c572bc2f1bd10fdba80135e53c"},"description":"Worried about unauthorized REVERTing after using EXECUTE AS? Read on to get all the details about EXECUTE AS WITH NO REVERT and EXECUTE AS WITH COOKIE.","breadcrumb":{"@id":"https:\/\/sqlity.net\/en\/1788\/prevent-unauthorized-reverting-after-execute-as\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/sqlity.net\/en\/1788\/prevent-unauthorized-reverting-after-execute-as\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/sqlity.net\/en\/1788\/prevent-unauthorized-reverting-after-execute-as\/#primaryimage","url":"http:\/\/sqlity.net\/wp-content\/uploads\/2014\/01\/EXECUTE_AS_with_NO_REVERT_in_action.jpg","contentUrl":"http:\/\/sqlity.net\/wp-content\/uploads\/2014\/01\/EXECUTE_AS_with_NO_REVERT_in_action.jpg"},{"@type":"BreadcrumbList","@id":"https:\/\/sqlity.net\/en\/1788\/prevent-unauthorized-reverting-after-execute-as\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/sqlity.net\/en\/"},{"@type":"ListItem","position":2,"name":"Prevent unauthorized REVERTing after EXECUTE AS"}]},{"@type":"WebSite","@id":"https:\/\/sqlity.net\/en\/#website","url":"https:\/\/sqlity.net\/en\/","name":"sqlity.net","description":"Quality for SQL","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/sqlity.net\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/sqlity.net\/en\/#\/schema\/person\/bcffd8c572bc2f1bd10fdba80135e53c","name":"Sebastian Meine","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/4ab0a6d02dd494849a584a2c3c8bc3bdcef1d0aa5f87e98bf905dbdb9ad2ce3a?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/4ab0a6d02dd494849a584a2c3c8bc3bdcef1d0aa5f87e98bf905dbdb9ad2ce3a?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4ab0a6d02dd494849a584a2c3c8bc3bdcef1d0aa5f87e98bf905dbdb9ad2ce3a?s=96&d=mm&r=g","caption":"Sebastian Meine"},"sameAs":["http:\/\/sqlity.net","https:\/\/x.com\/sqlity"]}]}},"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2wXuw-sQ","jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/sqlity.net\/en\/wp-json\/wp\/v2\/posts\/1788","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sqlity.net\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sqlity.net\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sqlity.net\/en\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/sqlity.net\/en\/wp-json\/wp\/v2\/comments?post=1788"}],"version-history":[{"count":0,"href":"https:\/\/sqlity.net\/en\/wp-json\/wp\/v2\/posts\/1788\/revisions"}],"wp:attachment":[{"href":"https:\/\/sqlity.net\/en\/wp-json\/wp\/v2\/media?parent=1788"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sqlity.net\/en\/wp-json\/wp\/v2\/categories?post=1788"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sqlity.net\/en\/wp-json\/wp\/v2\/tags?post=1788"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}