Reputation: 45325
revoke vs deny : what is the difference
What is the difference between the DENY and REVOKE commands in SQL Server?
Upvotes: 37
Views: 23968
Answers (4)
Reputation: 238196
Each object has a list of rules DENYing and GRANTing access.
REVOKE is an operation that removes a rule from the list of access rules.
Upvotes: 26
Reputation: 1835
REVOKE removes access that has been GRANTed. DENY explicitly rejects, taking precedence over GRANTs.
To the last point, if someone is part of the db_denydatawriter role, but you GRANT INSERT to them, the DENY will override that GRANT and they will be unable to INSERT.
Upvotes: 12
Reputation: 21
Granting Permission means that a user can access the object
Denying permission overrides a granted permission
Revoking a permission removes the permission that has been assigned, regardless of whether it was a denied permission or a granted permission
Upvotes: 2
Reputation: 21108
Revoke is the opposite of a Grant (at least in as much as Grant adds an access rule and Revoke Removes an access Rule) While somewhat counter-intuative Deny also adds an access rule (which of course can be removed with a Revoke).
If I grant the sales group access I can later revoke it.
However I could also deny you access, and even through you're in the sales group you'll not have access.
Upvotes: 23
Related Questions
- Deny doesn't take priority in case of permission chain?
- What is difference between deny user on database and each table
- What is a default behaviour when revoking permissions in SQL?
- In Microsoft SQL Server, what's the difference between not checking "Grant" and checking "Deny"?
- What is difference between revoke session and account lock?
- Why is "Deny" used in Data Control Language?
- sql server grant, revoke permission to a user
- How to replace REVOKE ALL in SQL Server 2008 R2
- Using variables with GRANT and DENY in SQL Server 2005
- Specific rights to GRANT, REVOKE or DENY on stored procedures