Post reply

Not granting permission vs. checking Deny

  • March 31, 2019 at 4:25 pm

    #2252539

    For any given permission such as 'Select' if I don't checked 'Grant' the user cannot do a SELECT statement. How is this any different than checking 'Deny' for the permission?

    In other words, if I leave all checkboxes unchecked how is that any different than if I checked the 'Deny' checkbox?

  • April 1, 2019 at 6:39 am

    #2312160

    Effectively, not granting any SELECT permissions is the same as explicitly denying those permissions, except when the user has been granted permission at another level. For example, you can GRANT SELECT at the schema level and users can query any table in the schema.

    A DENY, however, overrides a GRANT. Say for example you have a role that needs SELECT access to 99 out of 100 tables in a schema, but the 100th table has sensitive information that they can't have access to.

    You can either GRANT SELECT on 99 tables and not the 100th, or you can GRANT SELECT on the schema and then DENY SELECT on the 100th table. Users will be able to select data from 99 out of 100 tables as the DENY overrides the GRANT. This has the advantage of allowing you to automatically grant access to new tables in the schema rather than having to manually manage permissions.

Viewing 2 posts - 1 through 1 (of 1 total)

You must be logged in to reply to this topic. Login to reply