July 16, 2019 at 2:20 am
July 16, 2019 at 1:57 pm
1. Adding the with grant option allows the account to grant the permissions to another account. The account needs the permissions in the first place to grant to another account so if you are setting permissions using the GUI, that would be why checking With Grant automatically check the grant option.
2. Correct with no permissions they wouldn't have access to that column. Permissions are cumulative with deny taking precedence (other than column level permissions work a bit differently). So in a case where you have some role and a group of users are in that role but one of the users shouldn't have access to a particular table, you can deny permissions on that table to that one user. So they may have permissions through the role membership but the added deny means that deny takes precedence so they don't have permissions to that one table. So often you use deny for exceptions like that. In the long run it's easier to manage when you can address most of the permissions through user defined or builtin role membership. You may also want to explicitly deny if you want to ensure that an account or role never gets access, permissions to something - like a table with sensitive data that you really want to protect. You ensure that it won't matter what role the account is added to or what windows group and permissions they have through that group, they have that deny in place.
Sue
Viewing 2 posts - 1 through 1 (of 1 total)
You must be logged in to reply to this topic. Login to reply