DENY overwrites GRANT, most of the time

SQL Server rights are pretty easy to work with most of the time.  You grant a bunch of rights to an object, then you deny rights to those objects and the user looses the rights.  Pretty easy.  Now the catch is that if you use the fixed database roles, those roles overwrite any denies that are in place.

So if you deny a user access to a bunch of tables, then you put that user into the db_datareader fixed database role that user will have select rights to all the tables in the database, including all the tables that the user has been denied access to.



3 Responses

  1. The topic is “DENY overwrites GRANT, most of the time”
    The post says “that user will have select rights ”

    Which was the point here?

  2. They are both correct. When granting a user rights to an object by using the GRANT statement, any GRANT will be overwritten by a DENY. So if the user is in two domain groups, and both groups are defined in the database security, and one has been granted SELECT rights to a table, and one has DENY SELECT rights to a table the user will not have rights to the table.

    However if the user has been placed into the db_datareader fixed database role, this role overrides any DENY rights which have been granted to the user.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Trust DCAC with your data

Your data systems may be treading water today, but are they prepared for the next phase of your business growth?