patternMinor
SQL 2005 Permission Precedence
Viewed 0 times
sqlprecedencepermission2005
Problem
Very simple question -
I have two database roles (Basic, Admin). Say I explicitly deny the Basic role from deleting from table A and grant that to the Admin role. If I am a user who is in both roles, can I delete from table A?
I have two database roles (Basic, Admin). Say I explicitly deny the Basic role from deleting from table A and grant that to the Admin role. If I am a user who is in both roles, can I delete from table A?
Solution
Never a simple answer...
For a direct DELETE, a user in both roles won't be able to DELETE
DENY always has precedence when permissions are checked
For indirect via a stored procedure, the permissions may not be checked if both table and proc have the same owner. So both GRANT and DENY will be ignored. This is called "ownership chaining"
Personally, I don't really use DENY. Here's why:
In your case, you only need to
For a direct DELETE, a user in both roles won't be able to DELETE
DENY always has precedence when permissions are checked
For indirect via a stored procedure, the permissions may not be checked if both table and proc have the same owner. So both GRANT and DENY will be ignored. This is called "ownership chaining"
Personally, I don't really use DENY. Here's why:
In your case, you only need to
GRANT DELETE to the Admin role. The Basic role needs neither DENY nor GRANT (but run REVOKE DELETE to remove the Basic DELETE permission)- The lack of a DELETE permission (by REVOKE) means a DELETE will fail for a Basic only user. DENY isn't needed to prevent this.
- An Admin user (whether in both roles or not) has a GRANT so the DELETE will succeed. No DENY to block them
Context
StackExchange Database Administrators Q#8851, answer score: 4
Revisions (0)
No revisions yet.