SQL Server Forums
Profile | Register | Active Topics | Members | Search | Forum FAQ
Register Now and get your question answered!
Save Password
Forgot your Password?

 All Forums
 SQL Server 2008 Forums
 SQL Server Administration (2008)
 Windows Authentication - Group vs. User
 New Topic  Reply to Topic
 Printer Friendly
Author Previous Topic Topic Next Topic  

Aged Yak Warrior

596 Posts

Posted - 08/28/2013 :  14:57:45  Show Profile  Reply with Quote
If I log in with Windows Authentication, does SQL Server combine my Windows User SQL Server rights with my Windows Group SQL Server rights?

For example if I deny a Windows User access to a table. But I grant access to that table to a group that User belongs to.

Or, one group has access granted and another group has access denied and the Windows User belongs to both these groups.

Or anyone with a good link on the topic, thanks.

Almighty SQL Goddess

38113 Posts

Posted - 08/28/2013 :  15:31:37  Show Profile  Visit tkizer's Homepage  Reply with Quote
Yes it combines all permissions and DENY beats out GRANT. So if you are denied anywhere but granted somewhere, the DENY wins.

Tara Kizer
Microsoft MVP for Windows Server System - SQL Server

Subscribe to my blog
Go to Top of Page

James K
Flowing Fount of Yak Knowledge

3865 Posts

Posted - 08/28/2013 :  15:52:59  Show Profile  Reply with Quote
An exception (perhaps the only exception) to the rule Tara mentioned that I know of is on a table level deny and a column level grant. "A table-level DENY does not take precedence over a column-level GRANT. This inconsistency in the permissions hierarchy has been preserved for backward compatibility" http://technet.microsoft.com/en-us/library/ms173724.aspx

Also, "You cannot grant, deny, or revoke permissions to sa, dbo, the entity owner, information_schema, sys, or yourself." http://technet.microsoft.com/en-us/library/ms191291.aspx

Other than that, if there is a deny anywhere, that takes precedence. There is a summary of the permission check algorithm on the second link above. You will see that it evaluates all group memberships and then if it finds any "blocking deny's", the deny is considered to be in effect.
Go to Top of Page

Aged Yak Warrior

596 Posts

Posted - 08/29/2013 :  11:10:30  Show Profile  Reply with Quote
Cool thanks.
Go to Top of Page
  Previous Topic Topic Next Topic  
 New Topic  Reply to Topic
 Printer Friendly
Jump To:
SQL Server Forums © 2000-2009 SQLTeam Publishing, LLC Go To Top Of Page
This page was generated in 0.09 seconds. Powered By: Snitz Forums 2000