SQL Server with Mr. Denny

Sep 21 2009   11:00AM GMT

DENY overwrites GRANT, most of the time

Denny Cherry Denny Cherry Profile: Denny Cherry


SQL Server rights are pretty easy to work with most of the time.  You grant a bunch of rights to an object, then you deny rights to those objects and the user looses the rights.  Pretty easy.  Now the catch is that if you use the fixed database roles, those roles overwrite any denies that are in place.

So if you deny a user access to a bunch of tables, then you put that user into the db_datareader fixed database role that user will have select rights to all the tables in the database, including all the tables that the user has been denied access to.


3  Comments on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.
  • BrianTkatch
    The topic is "DENY overwrites GRANT, most of the time" The post says "that user will have select rights " Which was the point here?
    0 pointsBadges:
  • Denny Cherry
    They are both correct. When granting a user rights to an object by using the GRANT statement, any GRANT will be overwritten by a DENY. So if the user is in two domain groups, and both groups are defined in the database security, and one has been granted SELECT rights to a table, and one has DENY SELECT rights to a table the user will not have rights to the table. However if the user has been placed into the db_datareader fixed database role, this role overrides any DENY rights which have been granted to the user.
    68,390 pointsBadges:
  • BrianTkatch
    Ah, that explains it. thanx!
    0 pointsBadges:

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: