CREATE LOGIN [Sam] WITH PASSWORD=N'MyPassw0rd!_', DEFAULT_DATABASE=[AdventureWorks], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF
CREATE LOGIN [Joe] WITH PASSWORD=N'MyPassw0rd!_', DEFAULT_DATABASE=[AdventureWorks], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF
USE [AdventureWorks]
CREATE USER [Joe] FOR LOGIN [Joe] WITH DEFAULT_SCHEMA=[dbo]
CREATE USER [Sam] FOR LOGIN [Sam] WITH DEFAULT_SCHEMA=[dbo]
CREATE ROLE [Sales] AUTHORIZATION [dbo]
EXEC sp_addrolemember N'Sales', N'Joe'
EXEC sp_addrolemember N'Sales', N'Sam'
CREATE ROLE [Marketing] AUTHORIZATION [dbo]
EXEC sp_addrolemember N'Marketing', N'Sam'
To understand revoke, we need to understand that GRANT and DENY are two permissions, which a user or role can have. There are few rules related to these permissions
- GRANT and DENY are mutually exclusive permissions. That means, a user or role cannot have both GRANT and DENY permissions working. If both statements are issued against a user/role directly, the latest statement will stand as valid. (However, they could be given indirectly; the next rule explains it further.)
GRANT EXECUTE ON [dbo].[uspLogError] TO [Joe]
DENY EXECUTE ON [dbo].[uspLogError] TO [Joe]
- DENY has higher priority over GRANT. That means, when a person gets both GRANT and DENY permissions, DENY will be in effect. (There are exceptions and mechanisms to overcome them. But it does not happen at the same level) For example, use Joe could be a member of sales role. Joe may have GRANT permission to perform select operation over a table where, the sales role may have deny permission over the same table. In this case Joe will not have read permission as DENY has higher priority. Similarly, if Joe has a DENY permission, even if his group has GRANT permission, DENY permission will work against him.
GRANT EXECUTE ON [dbo].[uspLogError] TO [Sales]
The above statement, grants execute permission to sales role. As Joe and Sam are members of Sales role, they should get access to execute the procedure. But Joe has explicit DENY permission and it takes priority over GRANT permission. That makes only Sam having permission to execute the procedure.
REVOKE is not a permission. Rather it is a command which removes the permission the user/role already has. Assume that you execute the next statement.
REVOKE EXECUTE ON [dbo].[uspLogError] TO [Joe]
As the last statement was REVOKE, it will remove the permission given at the previous statement. As Joe was given DENY rights before it will be removed. It does not mean that he has GRANT permission now. The state is no permission is set for Joe on Execution of uspLogError.
Now Joe is also a member of Sales role. So he can execute the procedure in his capacity of member of sales role.
Now consider this example:
GRANT EXECUTE ON [dbo].[uspLogError] TO [Marketing]
The first statement, grants execute permission to Marketing role.
REVOKE EXECUTE ON [dbo].[uspLogError] TO [Sales]
I hope this explains REVOKE statement.
2 comments:
Great explanation!
One note on this: Column GRANT overrides DENY permission on a table, means GRANT is higher in this case. Once I posted on this: http://dinesql.blogspot.com/2010/05/column-grant-overrides-deny-table.html
Thanks
Thanks Dinesh. I totally agree with your post. That is one reason I mentioned this: (You can see this under the second bullet point.
"(There are exceptions and mechanisms to overcome them. But it does not happen at the same level)"
Nice to have a similar blog.
Post a Comment