Results 1 to 2 of 2
  1. #1
    Join Date
    Jul 2003

    Unanswered: Another Permissions question

    I can't find an answer to this in BOL.

    What's the difference between expilicitly denying a user permissions to an object and simply not setting permissions for them in the first place?

    It appears that either way they can't see/touch/feel the object, so why go through the extra steps of denying permissions?
    Inspiration Through Fermentation

  2. #2
    Join Date
    Jan 2003
    Provided Answers: 11
    Denying permissions on an object guarantees that that principal will not be able to access the object. If a permission is not explicitly denied, it can potentially be inherited by membership in some obscure group. To test it out, try this: Create two users in a database. Then deny select privileges on this table to one of them. Try to select from the table using both users.
    create table test1
    (col1 varchar(20))
    insert into test1 values ('hello')
    grant select on test1 to public
    deny select on test1 to sometestuser

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts