user belonging to multiple nt groups as well has his own nt login

  • In this instance which permissions would he get? His nt login or the permissions from one of the nt groups? I read it would be conclusive meaning all of them combined. Is this true because it doesnt seem to be?

  • Permissions are cumulative. So someone accesses SQL server via Windows Authentication, and they have their own login, but also they belong to two Active Directory groups that has access to log in, then they will have the cumulative permissions of their login and the two groups.

    For example, the Login is mapped to a user that has dbowner access on [testDB], The group Sales is mapped to a user that on the database [Customer] that has SELECT access and the group Accounts is mapped to a user on the database  [Payments]  that has SELECT, INSERT and UPDATE permissions. If the Windows account is also part of the Groups Sales and Accounts, they will have access to all 3 databases, and the respective permissions listed previously

    It is worth also noting that a DENY permission overrides GRANT. So, for example, if the Login for the Windows Account had DENY on UPDATE on the database [Payments], they would be unable to UPDATE the records, even though they have permissive access from the Group Accounts.

    Thom~

    Excuse my typos and sometimes awful grammar. My fingers work faster than my brain does.
    Larnu.uk

Viewing 2 posts - 1 through 1 (of 1 total)

You must be logged in to reply to this topic. Login to reply