SQL Server Forums - Revoke or Deny?

Home | Weblogs | Forums | SQL Server Links

Active Forum Topics | Popular Articles | All Articles by Tag | SQL Server Books | About

SQL Server Forums

Register Now and get your question answered!

Username:	Password:
Save Password
Forgot your Password?

All Forums

SQL Server 2008 Forums

SQL Server Administration (2008)

Revoke or Deny?

New Topic

Reply to Topic

Printer Friendly

Author

Topic

jbates99
Constraint Violating Yak Guru

285 Posts

Posted - 12/11/2012 : 16:23:18

We have far too many logins that can create databases.

Which is better:
Revoke CREATE DATABASE from UserX CASCADE;or

Deny CREATE DATABASE from UserX CASCADE; ?

I seem to remember that one of these will be removed at some point.

Thanks, Jack

robvolk
Most Valuable Yak

USA
15559 Posts

Posted - 12/11/2012 : 16:42:52

They are not the same command. DENY specifically prevents someone from performing that action, even if they were GRANTed that permission via another means (role membership). REVOKE removes any GRANT or DENY on that permission for that user. Therefore, if you want to prevent them from creating databases, you have to use DENY.

I would be extremely careful about using CASCADE unless you absolutely know that the entire grantor-grantee path is valid for that operation.

jbates99
Constraint Violating Yak Guru

285 Posts

Posted - 12/11/2012 : 17:34:33

Thank you, robvolk.

I expected to be able to use DENY DROP DATABASE to userX but that fails. How can I deny use of drop database?
Thanks.

robvolk
Most Valuable Yak

USA
15559 Posts

Posted - 12/11/2012 : 17:56:35

I would think DENY CREATE ANY DATABASE should do it, and DENY ALTER ANY DATABASE may be necessary. Make sure they are removed from the sysadmin server role as well.

Topic

New Topic

Reply to Topic

Printer Friendly

Jump To:

SQL Server Forums

This page was generated in 0.05 seconds.