explicitly denying user rights

  • We do most of our right granting through AD groups. Can I explicitly restrict or deny access to just read for a single person from a group that has read/write? Or, let the group have read/write to DB and deny write rights to a single table for a user in that AD group?

    There is an exception to every rule, except this one...

  • SQLHeap (8/28/2012)


    We do most of our right granting through AD groups. Can I explicitly restrict or deny access to just read for a single person from a group that has read/write? Or, let the group have read/write to DB and deny write rights to a single table for a user in that AD group?

    Yes, as long as the logon related to the user is not a sysadmin, you can explicitly deny any permissions you want:

    DENY INSERT,UPDATE,DELETE ON dbo.PAYROLLTABLE TO [MyDomain\SpecificName]

    DENY INSERT,UPDATE,DELETE ON PAYROLLTABLE TO [MyDomain\GroupName]

    If they are sysadmin (which is where this exact question often comes up), then you must take away their sysadmin privileges and give them a role more appropriate to what they should be doing.

    You can never deny a sysadmin, basically.

    Lowell


    --Help us help you! If you post a question, make sure you include a CREATE TABLE... statement and INSERT INTO... statement into that table to give the volunteers here representative data. With your description of the problem, we can provide a tested, verifiable solution to your question! Asking the question the right way gets you a tested answer the fastest way possible!
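
An added example, not part of the posts above, showing how to confirm that a DENY on one member overrides the write access granted through a group, and how to list the sysadmin members for whom the DENY would not be enforced. It assumes a scratch database; the database role DemoEditors and the user DemoUser are constructed stand-ins for [MyDomain\GroupName] and [MyDomain\SpecificName].

```sql
-- Constructed names; run in a scratch database on SQL Server 2012 or later.
-- DemoEditors stands in for [MyDomain\GroupName], DemoUser for [MyDomain\SpecificName].
CREATE TABLE dbo.PAYROLLTABLE (EmployeeId int PRIMARY KEY, Salary money);
CREATE ROLE DemoEditors;
CREATE USER DemoUser WITHOUT LOGIN;
ALTER ROLE DemoEditors ADD MEMBER DemoUser;
GO

-- Read/write is granted once, at group level, as in the question.
GRANT SELECT, INSERT, UPDATE, DELETE ON dbo.PAYROLLTABLE TO DemoEditors;

-- Write access is then denied to the single member.
DENY INSERT, UPDATE, DELETE ON dbo.PAYROLLTABLE TO DemoUser;
GO

-- Check effective permissions as that member (1 = allowed, 0 = not allowed).
EXECUTE AS USER = 'DemoUser';

SELECT p.perm,
       HAS_PERMS_BY_NAME('dbo.PAYROLLTABLE', 'OBJECT', p.perm) AS allowed
FROM (VALUES ('SELECT'), ('INSERT'), ('UPDATE'), ('DELETE')) AS p(perm);

-- Attempt a write and report the engine's response instead of aborting the batch.
BEGIN TRY
    INSERT INTO dbo.PAYROLLTABLE (EmployeeId, Salary) VALUES (1, 1000);
    SELECT 'insert succeeded' AS outcome;
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS error_number, ERROR_MESSAGE() AS error_message;
END CATCH;

REVERT;
GO

-- Permission checks are bypassed for sysadmin members, so list them;
-- a member of type WINDOWS_GROUP covers every account in that AD group.
SELECT m.name AS member_name, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';
GO

-- Clean up the constructed objects.
DROP USER DemoUser;
DROP ROLE DemoEditors;
DROP TABLE dbo.PAYROLLTABLE;
```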

  • That works, thanks.

    There is an exception to every rule, except this one...
