February 16, 2012 at 8:18 am
We are in the process of rolling out a new security plan. This involves transitioning to a new set of groups and eliminating the old ones. Many of the users are members in both of the groups, this is by design.
I created the new logins & users and granted them the proper permissions. For the old groups I decided to DENY
them permission to connect to the db engine. We've seen that these users are now unable to connect to the dataserver.
My question is does the Denial of connect perms in one group overide the granted connect perms in another group ?
February 16, 2012 at 8:49 am
DENY overrides GRANT.
Try REVOKE instead.
-- Gianluca Sartori
February 16, 2012 at 9:12 am
Thanks for responding...will that allow the user to connect under the other group ?
February 16, 2012 at 9:29 am
I believe so. Try it yourself and, possibly, let us know.
-- Gianluca Sartori
February 16, 2012 at 10:05 am
YES...that worked !
Thank You...Andy
February 16, 2012 at 10:13 am
Great! Thanks for the feedback.
However, please make sure that the REVOKE command did not REVOKE the DENY specification.
I know it could sound confusing and I'll try to expand it a bit more...
When you GRANT a privilege to a login/user, you can revoke that privilege using REVOKE.
The same applies to DENY: if you want to delete the DENY privilege, you use REVOKE again.
Long story short: if you just REVOKED connect, you did nothing but delete the DENY privileges. You should REVOKE once again to remove any GRANTs still in place.
-- Gianluca Sartori
Viewing 6 posts - 1 through 5 (of 5 total)
You must be logged in to reply to this topic. Login to reply