Home > IT Blogs > SQL Server with Mr. Denny > DENY overwrites GRANT, most of the time
>>VIEW ALL POSTS  

SQL Server with Mr. Denny

«
»
Sep 21 2009   11:00AM GMT

DENY overwrites GRANT, most of the time



Posted by: Denny Cherry
Permissions

SQL Server rights are pretty easy to work with most of the time.  You grant a bunch of rights to an object, then you deny rights to those objects and the user looses the rights.  Pretty easy.  Now the catch is that if you use the fixed database roles, those roles overwrite any denies that are in place.

So if you deny a user access to a bunch of tables, then you put that user into the db_datareader fixed database role that user will have select rights to all the tables in the database, including all the tables that the user has been denied access to.

Denny

  Bookmark and Share     Comment     RSS Feed     Email a friend

Comment on this Post

Leave a comment:

BrianTkatch  |   Sep 22, 2009  2:00 PM (GMT)

The topic is “DENY overwrites GRANT, most of the time”
The post says “that user will have select rights ”

Which was the point here?


 

mrdenny  |   Sep 22, 2009  6:57 PM (GMT)

They are both correct. When granting a user rights to an object by using the GRANT statement, any GRANT will be overwritten by a DENY. So if the user is in two domain groups, and both groups are defined in the database security, and one has been granted SELECT rights to a table, and one has DENY SELECT rights to a table the user will not have rights to the table.

However if the user has been placed into the db_datareader fixed database role, this role overrides any DENY rights which have been granted to the user.


 

BrianTkatch  |   Sep 22, 2009  7:57 PM (GMT)

Ah, that explains it. thanx!