Please start any new threads on our new
site at https://forums.sqlteam.com. We've got lots of great SQL Server
experts to answer whatever question you can come up with.
| Author |
Topic |
|
denis_the_thief
Aged Yak Warrior
596 Posts |
 Posted - 2013-08-28 : 14:57:45
|
| If I log in with Windows Authentication, does SQL Server combine my Windows User SQL Server rights with my Windows Group SQL Server rights?For example if I deny a Windows User access to a table. But I grant access to that table to a group that User belongs to. Or, one group has access granted and another group has access denied and the Windows User belongs to both these groups.Or anyone with a good link on the topic, thanks. |
|
|
tkizer
Almighty SQL Goddess
38200 Posts |
|
|
James K
Master Smack Fu Yak Hacker
3873 Posts |
Posted - 2013-08-28 : 15:52:59
|
| An exception (perhaps the only exception) to the rule Tara mentioned that I know of is on a table level deny and a column level grant. "A table-level DENY does not take precedence over a column-level GRANT. This inconsistency in the permissions hierarchy has been preserved for backward compatibility" http://technet.microsoft.com/en-us/library/ms173724.aspxAlso, "You cannot grant, deny, or revoke permissions to sa, dbo, the entity owner, information_schema, sys, or yourself." http://technet.microsoft.com/en-us/library/ms191291.aspxOther than that, if there is a deny anywhere, that takes precedence. There is a summary of the permission check algorithm on the second link above. You will see that it evaluates all group memberships and then if it finds any "blocking deny's", the deny is considered to be in effect. |
 |
|
|
denis_the_thief
Aged Yak Warrior
596 Posts |
Posted - 2013-08-29 : 11:10:30
|
| Cool thanks. |
|
|
|
|
|
|
|
|
Windows Authentication - Group vs. User