Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

GRANT versus DENY and REVOKE

Status
Not open for further replies.
TheBugSlayer

TheBugSlayer

Programmer
Sep 22, 2002
887
US
Hi,

Can someone clearly explains what happens when a DENY clause is applied to a permission on a principal?

I am preparing for MCTS 70-432 and according to the book I am reading
You add permissions to an object with the GRANT statement. Access to an object is
prevented with the DENY statement. To access an object, permission must be granted explicitly.
Each time you issue a GRANT statement, SQL Server places an entry in a security table for the
corresponding permission granted. Each time you issue a DENY, an entry is placed in a security
table for the DENY. Because a DENY overrides any other permission, a DENY overrides a GRANT.
The REVOKE statement removes permission entries for the object referenced. For example,
if you issue a GRANT SELECT ON Person.Address TO Test, you can remove the access by
executing REVOKE SELECT ON Person.Address FROM Test. Similarly, if you issue DENY SELECT
ON Person.Address TO Test, you can remove the DENY by executing REVOKE SELECT ON
Person.Address FROM Test.

While I straighten out my install, here is a question I would like to ask: If you issue a DENY SELECT, the principal will not be able to select, OK. But if you did not explicitly GRANT SELECT on the principal, will it be able to select?
 
Sort by date Sort by votes
I will try to explain with an example:
If you have an "EMP" table with following col's
PKID, FNAME, LNAME, SSN, DOB
Acct1==> FULL Privilege
(GRANT SELECT,INSERT, UPDATE, DELETE ON EMP TO ACCT1)
Acct2==> ONLY SELECT Privilege
GRANT SELECT ON EMP TO ACCT2
Acct3==> Have full privilege with the exception of update SSN
GRANT SELECT,INSERT, UPDATE, DELETE ON EMP TO ACCT3
DENY UPDATE (SSN) ON EMP TO ACCT3
Acct4==> REVOKE a single action.
REVOKE SELECT,INSERT, UPDATE, DELETE ON EMP TO ACCT4

Basically with DENY you can control access more granular compared to REVOKE.
If I come across any good article will post it.
Thanks


Dr.Sql
Good Luck.
 
Upvote 0 Downvote
Hey DrSQL, thanks for the reply.

So you are saying that I can achieve with DENY what REVOKE does. But I believe REVOKE removes the entry to the sec tables whereas DENY keeps it there and just marks the action as not granted, true?

If you did not explicitly GRANT UPDATE to Acct3, would it be able to UPDATE?

I finally got the sample databases installed. What a useless challenge. The lecturer gave me his copy of refresh 1; my refresh 3 did not work.
Thanks again.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

DougNaf
  • Locked
  • Question
SQL 2016 - DB attachment and error 3415
Replies
1
Views
156
fredericofonseca
fredericofonseca
JoPaBC
  • Locked
  • Question
Delphi/Borland program and SQL Express 2017
Replies
6
Views
284
JoPaBC
JoPaBC
JoPaBC
  • Locked
  • Question
Schedule and automate backups of SQL Express databases in SQL Server Express 1
Replies
5
Views
297
JoPaBC
JoPaBC
tekpr00
  • Locked
  • Question
Backups in a multiserver environment while using Central Management Server and Server Groups
Replies
0
Views
95
tekpr00
tekpr00
tekpr00
  • Locked
  • Question
Capture and Replicate Changes from Source to Target.
Replies
0
Views
66
tekpr00
tekpr00

Part and Inventory Search

Sponsor

Back
Top