Over the last few weeks I have written quite a few posts about grantable grants. For example the introductory article about how GRANT ... WITH GRANT OPTION can help with security management delegation. But then there was the other article on how REVOKE CASCADE can make security management delegation questionable at best, as the CASCADE keyword is required when revoking a grantable grant. That causes all the "grant"-work that a security principal did while it held the grantable grant to be undone if the permissions needs to be removed from that principal.
Today I want to show you, how you can use grantable grants while avoiding the problems that come with the CASCADE keyword.
To see how roles can help alleviate the cascade problem let's look at an example. First we need a securable, a role and two principals:
CREATE USER TestUser1 FOR LOGIN TestLogin1;
CREATE USER TestUser2 FOR LOGIN TestLogin2;
CREATE ROLE TestRole1;
ALTER ROLE TestRole1 ADD MEMBER TestUser1;
CREATE SCHEMA TestSchema1;
CREATE TABLE TestSchema1.tst(id INT);
INSERT INTO TestSchema1.tst VALUES(42);
The above code also added the principal TestUser1 as a member to the role. Now instead of granting a grantable permission to our principal directly, we are going to grant it to the role. As the principal TestUser1 is a member of that role, it inherits the grantable permission. However, as shown in Using GRANT ... WITH GRANT OPTION on roles, TestUser1 now needs to use the AS TestRole1 postfix when trying to grant the permission to another principal:
As you can see, TestUser1 is able to grant the permission to other principals. If we now need to revoke that right, we can just drop TestUser1 from the role:
After the drop, TestUser1 cannot access the table anymore (and consequently cannot grant access to it anymore either). However, TestUser2's ability to access the table was not affected.
You can use roles in conjunction with grantable grants to get the benefits of permission delegation without the disadvantages that come from the requirement to use CASCADE when revoking a grantable permission.