J. Mini
Reputation: 1610
What happens if you GRANT permissions on a view, but DENY those same permissions on its schema?
Imagine that I have a schema FOO. I DENY my mother the SELECT permission on it, but GRANT her it on the view FOO.BAR. What are the consequences of this?
Upvotes: 0
Views: 155
Answers (1)
Charlieface
Reputation: 72298
SQL Server permissions work in a similar way to Windows and other permissions: a Deny always overrides a Grant. And a permission to a parent object normally includes its children, so permissions on a schema also apply to its objects.
So if you were to try select from FOO.BAR, the server would aggregate the grants and denies from the database, schema and object levels, leaving it with a GRANT and a DENY. Since the DENY always overrides the GRANT, permission will not be granted.
Note also
- A
DENYcannot be placed on an object's owner against that object. REVOKEis different fromDENY: it removes theGRANTorDENY.
Upvotes: 1
Related Questions
- Can I grant a database user permission to create views in a schema?
- Grant SELECT permission on a view, but not on underlying objects
- grant read access on a view but not on it's underlying tables from other databases
- What's the purpose of GRANT DML rights on view in SQL Server?
- REVOKE database level DENY VIEW DEFINITION on object level
- Cross-schema view query possible with different access rights?
- SQL is it possible to grant permission to the view and not the user to access other db?
- SQL Server: Let user create/modify new views, but not alter existing
- Deny read permission can be circumvented with a view?
- Grant permission to only a view