Cloud Migration Made Easy

Considering a move to the cloud? Axial SQL brings you proven migration strategies to streamline your transition. Our expert team ensures a smooth, efficient shift, keeping your data safe and accessible. Start your journey to the cloud with confidence!

Contact Us

SQL Performance Optimization

Is your SQL running slower than expected? Don't let sluggish performance hinder your business. Our optimization experts at Axial SQL specialize in tuning your databases for peak performance. Speed up your SQL and supercharge your data processing today!

Contact Us

Database Stability Solutions

Tired of frequent database outages? Discover stability with Axial SQL! Our comprehensive analysis identifies and resolves your database vulnerabilities. Enhance reliability, reduce downtime, and keep your operations running smoothly with our expert guidance.

Contact Us

Expert Database Team Evaluation

Questioning your database team's efficiency? Let Axial SQL provide an expert, unbiased analysis. We assess your team's strategies and workflows, offering insights and improvements to boost productivity. Elevate your database management to new heights!

Contact Us

Data Security Assurance

Concerned about your database security? Axial SQL is here to fortify your data defenses. Our specialized security assessments identify potential risks and implement robust protections. Keep your sensitive data secure and your peace of mind intact with our expert services.

Contact Us

Published on

November 3, 2014

Understanding GRANT and DENY in SQL Server

Being a database administrator (DBA) is a rewarding experience as it allows you to have control over the server and manage user permissions. In this blog post, we will discuss the importance of GRANT and DENY in SQL Server and how they can be used to secure the environment.

Let’s consider a common requirement that often arises from application developers and business users – securing sensitive information. Imagine you have a table in your database that contains personally identifiable information, such as Social Security Numbers (SSN). Your organization mandates that no one should be able to read the SSN column, but reading other columns is allowed. Implementing such requirements can be challenging, but with the use of GRANT and DENY, it becomes much simpler.

Let’s start by creating our database and the table with the SSN field:

CREATE DATABASE PermissionsDB
GO

USE PermissionsDB
GO

CREATE USER Pinal WITHOUT LOGIN;
GO

CREATE TABLE SecureTbl (
    ID INT,
    Name VARCHAR(50),
    SSN VARCHAR(20)
)
GO

INSERT INTO SecureTbl VALUES (1, 'Pinal', '111-22-3333')
GO

In addition, we have created a user called ‘Pinal’ who needs to be denied permission to access the SSN column.

Now, let’s grant SELECT rights to everyone using this database:

-- Explicitly grant at object level
GRANT SELECT ON SecureTbl TO PUBLIC

We can also restrict the SELECT permission to specific user accounts if needed.

Next, we will explicitly deny access to the SSN column:

-- DENY at the column level
DENY SELECT (SSN) ON SecureTbl TO Pinal
GO

Now, let’s check if the user ‘Pinal’ has SELECT privileges on the table. We will change the user context using the EXECUTE AS command and try to access the table:

-- Switch the context
EXECUTE AS USER = 'Pinal'

-- The following SELECT statement will result in an error as we are selecting the SSN column
SELECT * FROM SecureTbl

-- The following SELECT statement will not result in an error as the SSN column is not in the select list
SELECT ID, Name FROM SecureTbl

-- Revert back to the original user context
REVERT

The first SELECT statement will result in an error because we have explicitly denied permission to user ‘Pinal’ from accessing the SSN field. The error message clearly indicates this:

Msg 230, Level 14, State 1, Line 21
The SELECT permission was denied on the column 'SSN' of the object 'SecureTbl', database 'PermissionsDB', schema 'dbo'.

Therefore, even though we have granted permission to read the table object, the DENY statement ensures that we cannot read the column values.

This is a simple example of how GRANT and DENY can be implemented in SQL Server to control access to sensitive information. If you have similar requirements in your environment, this technique can be useful.

Let us know if you have used this technique in your environments.

Click to rate this post!
[Total: 0 Average: 0]
, , , , , , , , ,

Let's work together

Send us a message or book free introductory meeting with us using button below.

Book a meeting with an expert