Very simple question - I have two database roles (Basic, Admin). Say I explicitly deny the Basic role from deleting from table A and grant that to the Admin role. If I am a user who is in both roles, can I delete from table A?
Asked
Active
Viewed 313 times
2 Answers
4
Never a simple answer...
For a direct DELETE, a user in both roles won't be able to DELETE
DENY always has precedence when permissions are checked
For indirect via a stored procedure, the permissions may not be checked if both table and proc have the same owner. So both GRANT and DENY will be ignored. This is called "ownership chaining"
Personally, I don't really use DENY. Here's why:
In your case, you only need to GRANT DELETE to the Admin role. The Basic role needs neither DENY nor GRANT (but run REVOKE DELETE to remove the Basic DELETE permission)
- The lack of a DELETE permission (by REVOKE) means a DELETE will fail for a Basic only user. DENY isn't needed to prevent this.
- An Admin user (whether in both roles or not) has a GRANT so the DELETE will succeed. No DENY to block them
1
If you're the dbo (or aliased to dbo) or sa (which is implicit dbo on all databases), then you automatically have all permissions. Otherwise, a DENY anywhere on the permissions chain overrides any GRANT.
I'm not 100% certain on this, but I think if you have a user in two roles, it will apply all the granted permissions from the roles, then layer any DENY over the top.
Simon Righarts
- 4,753
- 1
- 28
- 31