Results 1 to 2 of 2
  1. #1
    Join Date
    Jul 2003
    Location
    Michigan
    Posts
    1,941

    Unanswered: Another Permissions question

    I can't find an answer to this in BOL.

    What's the difference between expilicitly denying a user permissions to an object and simply not setting permissions for them in the first place?

    It appears that either way they can't see/touch/feel the object, so why go through the extra steps of denying permissions?
    Inspiration Through Fermentation

  2. #2
    Join Date
    Jan 2003
    Location
    Massachusetts
    Posts
    5,800
    Provided Answers: 11
    Denying permissions on an object guarantees that that principal will not be able to access the object. If a permission is not explicitly denied, it can potentially be inherited by membership in some obscure group. To test it out, try this: Create two users in a database. Then deny select privileges on this table to one of them. Try to select from the table using both users.
    Code:
    create table test1
    (col1 varchar(20))
    insert into test1 values ('hello')
    grant select on test1 to public
    deny select on test1 to sometestuser

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •