{"id":2003,"date":"2014-02-09T11:00:25","date_gmt":"2014-02-09T16:00:25","guid":{"rendered":"http:\/\/sqlity.net\/en\/?p=2003"},"modified":"2014-11-13T13:17:31","modified_gmt":"2014-11-13T18:17:31","slug":"deny-vs-revoke-2","status":"publish","type":"post","link":"https:\/\/sqlity.net\/en\/2003\/deny-vs-revoke-2\/","title":{"rendered":"DENY vs. REVOKE &#8211; Part 2 &#8211; Hierarchies of Principals"},"content":{"rendered":"<div>\n<h3>Introduction<\/h3>\n<p>\nYesterday we asked this question: <a href=\"http:\/\/sqlity.net\/en\/1993\/deny-vs-revoke-1\/\">Are <span class=\"tt\">REVOKE<\/span> and <span class=\"tt\">DENY<\/span> just synonyms of each other?<\/a>\n<\/p>\n<p>\nWe saw that they behave identically when you look at just a single security principal and a single securable in isolation. However, I promised to show you that there is indeed a difference between the two once you look at security hierarchies.\n<\/p>\n<p>\nTo follow up on that promise, today I am going to show you an example that involves roles.\n<\/p>\n<h3>Role Member DENY Example<\/h3>\n<p>\nBefore we can get started, we need a database role with a member and a table:\n<\/p>\n<div>\n[sql]\nCREATE LOGIN TestLogin1 WITH PASSWORD='********', CHECK_POLICY = OFF;<br \/>\nCREATE USER TestUser1 FOR LOGIN TestLogin1;<br \/>\n<br \/>\nCREATE ROLE TestRole1;<br \/>\nALTER ROLE TestRole1 ADD MEMBER TestUser1;<br \/>\n<br \/>\nCREATE TABLE dbo.tst(id INT);<br \/>\nINSERT INTO dbo.tst VALUES(42);<br \/>\n[\/sql]\n<\/div>\n<p>\nNow we can <span class=\"tt\">GRANT SELECT<\/span> on the table to <span class=\"tt\">TestRole1<\/span>. 
That will give <span class=\"tt\">TestUser1<\/span> access to the table, as <span class=\"tt\">TestUser1<\/span> is a member of <span class=\"tt\">TestRole1<\/span>:\n<\/p>\n<p>\n<a href=\"http:\/\/sqlity.net\/wp-content\/uploads\/2014\/02\/Role_permission_in_effect_for_role_member.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/sqlity.net\/wp-content\/uploads\/2014\/02\/Role_permission_in_effect_for_role_member.jpg\" alt=\"Role permission in effect for role member\" width=\"768\" height=\"466\" class=\"aligncenter size-full wp-image-2004\" srcset=\"https:\/\/sqlity.net\/wp-content\/uploads\/2014\/02\/Role_permission_in_effect_for_role_member.jpg 768w, https:\/\/sqlity.net\/wp-content\/uploads\/2014\/02\/Role_permission_in_effect_for_role_member-300x182.jpg 300w, https:\/\/sqlity.net\/wp-content\/uploads\/2014\/02\/Role_permission_in_effect_for_role_member-150x91.jpg 150w\" sizes=\"auto, (max-width: 768px) 100vw, 768px\" \/><\/a>\n<\/p>\n<p>\nThis is how we expect role permissions to work. 
If you need a refresher on roles, check out my previous posts about <a href=\"http:\/\/sqlity.net\/en\/1770\/using-database-roles-database-level-security-management\/\">database roles<\/a> and <a href=\"http:\/\/sqlity.net\/en\/1759\/using-server-roles-server-level-security-management\/\">server roles<\/a>.\n<\/p>\n<p>\nNow let's <span class=\"tt\">REVOKE<\/span> the <span class=\"tt\">SELECT<\/span> permission on the table from <span class=\"tt\">TestUser1<\/span> and see what that does to <span class=\"tt\">TestUser1<\/span>'s ability to access the table:\n<\/p>\n<p>\n<a href=\"http:\/\/sqlity.net\/wp-content\/uploads\/2014\/02\/REVOKE_from_role_member_does_not_REVOKE_role_permission.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/sqlity.net\/wp-content\/uploads\/2014\/02\/REVOKE_from_role_member_does_not_REVOKE_role_permission.jpg\" alt=\"REVOKE from role member does not remove role permission\" width=\"768\" height=\"466\" class=\"aligncenter size-full wp-image-2006\" srcset=\"https:\/\/sqlity.net\/wp-content\/uploads\/2014\/02\/REVOKE_from_role_member_does_not_REVOKE_role_permission.jpg 768w, https:\/\/sqlity.net\/wp-content\/uploads\/2014\/02\/REVOKE_from_role_member_does_not_REVOKE_role_permission-300x182.jpg 300w, https:\/\/sqlity.net\/wp-content\/uploads\/2014\/02\/REVOKE_from_role_member_does_not_REVOKE_role_permission-150x91.jpg 150w\" sizes=\"auto, (max-width: 768px) 100vw, 768px\" \/><\/a>\n<\/p>\n<p>\nAs you can see, <span class=\"tt\">TestUser1<\/span> still has access to the table. When I introduced <a href=\"http:\/\/sqlity.net\/en\/1951\/revoke-undoing-granted-permissions\/\">the <span class=\"tt\">REVOKE<\/span> statement<\/a> a few days ago, I wrote: \"The REVOKE statement causes a previously granted identical privilege to be revoked. It works only on the same privilege on the same securable for the same grantee.\"\n<\/p>\n<p>\nWith those two sentences in mind, the above behavior is exactly as expected. 
The permission in question was granted to the role, so trying to revoke it from the role member should not do anything.\n<\/p>\n<p>\nNow let's see what happens if we use <span class=\"tt\">DENY<\/span> instead:\n<\/p>\n<p>\n<a href=\"http:\/\/sqlity.net\/wp-content\/uploads\/2014\/02\/DENY_to_role_member_trumps_GRANT_to_role.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/sqlity.net\/wp-content\/uploads\/2014\/02\/DENY_to_role_member_trumps_GRANT_to_role.jpg\" alt=\"DENY to role member trumps GRANT to role\" width=\"768\" height=\"466\" class=\"aligncenter size-full wp-image-2005\" srcset=\"https:\/\/sqlity.net\/wp-content\/uploads\/2014\/02\/DENY_to_role_member_trumps_GRANT_to_role.jpg 768w, https:\/\/sqlity.net\/wp-content\/uploads\/2014\/02\/DENY_to_role_member_trumps_GRANT_to_role-300x182.jpg 300w, https:\/\/sqlity.net\/wp-content\/uploads\/2014\/02\/DENY_to_role_member_trumps_GRANT_to_role-150x91.jpg 150w\" sizes=\"auto, (max-width: 768px) 100vw, 768px\" \/><\/a>\n<\/p>\n<p>\nNow <span class=\"tt\">TestUser1<\/span> does not have access to the table anymore. So, unlike a <span class=\"tt\">REVOKE<\/span>, which can only remove existing identical grants, a <span class=\"tt\">DENY<\/span> overrules grants on different levels of the principal hierarchy.\n<\/p>\n<p>\nIn my post about <a href=\"http:\/\/sqlity.net\/en\/1778\/secret-security-token-sql-server-determines-active-permissions\/\">The Secret of the Security Token<\/a> I showed you that SQL Server actually looks at quite a few principals when determining the active permissions for the current request. Together, the token DMVs return one row for each principal involved. That includes, in particular, any database role that the current user is a member of. If any of those principals has been granted access to the securable, access is permitted. 
However, if any other database or server principal in that list has been denied access to that securable, the <span class=\"tt\">DENY<\/span> overrides the grant and access is refused.\n<\/p>\n<p>\nThis means, in particular, that it does not matter which of the principals was granted and which was denied. Any deny anywhere in the hierarchy overrides any number of grants on the same resource.\n<\/p>\n<h3>Summary<\/h3>\n<p>\nWhile <span class=\"tt\">REVOKE<\/span> and <span class=\"tt\">DENY<\/span> might seem similar at first glance, the <span class=\"tt\">DENY<\/span> statement is actually a lot more powerful, as it can override a <span class=\"tt\">GRANT<\/span> that happened at a different level of the principal hierarchy.\n<\/p>\n<h3>DENY vs. REVOKE Series<\/h3>\n<p>\nThis post is part of a five-part series comparing the <span class=\"tt\">DENY<\/span> and the <span class=\"tt\">REVOKE<\/span> statements.<br \/>\nBelow is a list of links to the posts that are already available.\n<\/p>\n<div class=\"wp-cpl-sc-wrap wp-cpl-sc-theme-4\">\n        <div class=\"wp-cpl-sc-post\">\n        <h2><a href=\"https:\/\/sqlity.net\/en\/1993\/deny-vs-revoke-1\/\" title=\"Permalink to: DENY vs. REVOKE - Part 1 - Are they just synonyms?\">DENY vs. REVOKE &#8211; Part 1 &#8211; Are they just synonyms?<\/a><\/h2>\n            <div class=\"clear\"><\/div>\n<\/div>\n<div class=\"wp-cpl-sc-post\">\n        <h2><a href=\"https:\/\/sqlity.net\/en\/2003\/deny-vs-revoke-2\/\" title=\"Permalink to: DENY vs. REVOKE - Part 2 - Hierarchies of Principals\">DENY vs. REVOKE &#8211; Part 2 &#8211; Hierarchies of Principals<\/a><\/h2>\n            <div class=\"clear\"><\/div>\n<\/div>\n<div class=\"wp-cpl-sc-post\">\n        <h2><a href=\"https:\/\/sqlity.net\/en\/2009\/deny-vs-revoke-3\/\" title=\"Permalink to: DENY vs. REVOKE - Part 3 - Hierarchies of Securables\">DENY vs. 
REVOKE &#8211; Part 3 &#8211; Hierarchies of Securables<\/a><\/h2>\n            <div class=\"clear\"><\/div>\n<\/div>\n<div class=\"wp-cpl-sc-post\">\n        <h2><a href=\"https:\/\/sqlity.net\/en\/2011\/deny-vs-revoke-4\/\" title=\"Permalink to: DENY vs. REVOKE - Part 4 - Hierarchies of Privileges\">DENY vs. REVOKE &#8211; Part 4 &#8211; Hierarchies of Privileges<\/a><\/h2>\n            <div class=\"clear\"><\/div>\n<\/div>\n<div class=\"wp-cpl-sc-post\">\n        <h2><a href=\"https:\/\/sqlity.net\/en\/2051\/deny-vs-revoke-5\/\" title=\"Permalink to: DENY vs. REVOKE - Part 5 - Durability\">DENY vs. REVOKE &#8211; Part 5 &#8211; Durability<\/a><\/h2>\n            <div class=\"clear\"><\/div>\n<\/div>\n<\/div>\n\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>REVOKE and DENY are similar at first glance. However, DENY can be very powerful when used in the context of security principal hierarchies.  Read on to get all the details.<\/p>\n<p> <a href=\"https:\/\/sqlity.net\/en\/2003\/deny-vs-revoke-2\/\">[more&#8230;]<\/a><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[104,5,34,27],"tags":[59,57,103,98,38,58,51,56,55,15],"class_list":["post-2003","post","type-post","status-publish","format-standard","hentry","category-deny-vs-revoke","category-general","category-security","category-series","tag-database-principals","tag-databas
e-roles","tag-deny","tag-revoke","tag-security-2","tag-security-management","tag-security-tokens","tag-server-principals","tag-server-roles","tag-sql-server"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>DENY vs. REVOKE - Part 2 - Hierarchies of Principals - sqlity.net<\/title>\n<meta name=\"description\" content=\"REVOKE and DENY are similar at first glance. However, DENY can be very powerful when used in the context of security principal hierarchies.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/sqlity.net\/en\/2003\/deny-vs-revoke-2\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"DENY vs. REVOKE - Part 2 - Hierarchies of Principals - sqlity.net\" \/>\n<meta property=\"og:description\" content=\"REVOKE and DENY are similar at first glance. 
However, DENY can be very powerful when used in the context of security principal hierarchies.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/sqlity.net\/en\/2003\/deny-vs-revoke-2\/\" \/>\n<meta property=\"og:site_name\" content=\"sqlity.net\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/sqlity.net\" \/>\n<meta property=\"article:published_time\" content=\"2014-02-09T16:00:25+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2014-11-13T18:17:31+00:00\" \/>\n<meta property=\"og:image\" content=\"http:\/\/sqlity.net\/wp-content\/uploads\/2014\/02\/Role_permission_in_effect_for_role_member.jpg\" \/>\n<meta name=\"author\" content=\"Sebastian Meine\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@sqlity\" \/>\n<meta name=\"twitter:site\" content=\"@sqlity\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Sebastian Meine\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/sqlity.net\\\/en\\\/2003\\\/deny-vs-revoke-2\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/sqlity.net\\\/en\\\/2003\\\/deny-vs-revoke-2\\\/\"},\"author\":{\"name\":\"Sebastian Meine\",\"@id\":\"https:\\\/\\\/sqlity.net\\\/en\\\/#\\\/schema\\\/person\\\/bcffd8c572bc2f1bd10fdba80135e53c\"},\"headline\":\"DENY vs. 
REVOKE &#8211; Part 2 &#8211; Hierarchies of Principals\",\"datePublished\":\"2014-02-09T16:00:25+00:00\",\"dateModified\":\"2014-11-13T18:17:31+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/sqlity.net\\\/en\\\/2003\\\/deny-vs-revoke-2\\\/\"},\"wordCount\":628,\"commentCount\":0,\"image\":{\"@id\":\"https:\\\/\\\/sqlity.net\\\/en\\\/2003\\\/deny-vs-revoke-2\\\/#primaryimage\"},\"thumbnailUrl\":\"http:\\\/\\\/sqlity.net\\\/wp-content\\\/uploads\\\/2014\\\/02\\\/Role_permission_in_effect_for_role_member.jpg\",\"keywords\":[\"database principals\",\"database roles\",\"DENY\",\"REVOKE\",\"security\",\"security management\",\"Security Tokens\",\"server principals\",\"server roles\",\"SQL Server\"],\"articleSection\":[\"DENY vs. REVOKE\",\"General\",\"Security\",\"Series\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/sqlity.net\\\/en\\\/2003\\\/deny-vs-revoke-2\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/sqlity.net\\\/en\\\/2003\\\/deny-vs-revoke-2\\\/\",\"url\":\"https:\\\/\\\/sqlity.net\\\/en\\\/2003\\\/deny-vs-revoke-2\\\/\",\"name\":\"DENY vs. REVOKE - Part 2 - Hierarchies of Principals - sqlity.net\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/sqlity.net\\\/en\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/sqlity.net\\\/en\\\/2003\\\/deny-vs-revoke-2\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/sqlity.net\\\/en\\\/2003\\\/deny-vs-revoke-2\\\/#primaryimage\"},\"thumbnailUrl\":\"http:\\\/\\\/sqlity.net\\\/wp-content\\\/uploads\\\/2014\\\/02\\\/Role_permission_in_effect_for_role_member.jpg\",\"datePublished\":\"2014-02-09T16:00:25+00:00\",\"dateModified\":\"2014-11-13T18:17:31+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/sqlity.net\\\/en\\\/#\\\/schema\\\/person\\\/bcffd8c572bc2f1bd10fdba80135e53c\"},\"description\":\"REVOKE and DENY are similar at first glance. 
However, DENY can be very powerful when used in the context of security principal hierarchies.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/sqlity.net\\\/en\\\/2003\\\/deny-vs-revoke-2\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/sqlity.net\\\/en\\\/2003\\\/deny-vs-revoke-2\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/sqlity.net\\\/en\\\/2003\\\/deny-vs-revoke-2\\\/#primaryimage\",\"url\":\"http:\\\/\\\/sqlity.net\\\/wp-content\\\/uploads\\\/2014\\\/02\\\/Role_permission_in_effect_for_role_member.jpg\",\"contentUrl\":\"http:\\\/\\\/sqlity.net\\\/wp-content\\\/uploads\\\/2014\\\/02\\\/Role_permission_in_effect_for_role_member.jpg\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/sqlity.net\\\/en\\\/2003\\\/deny-vs-revoke-2\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/sqlity.net\\\/en\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"DENY vs. 
REVOKE &#8211; Part 2 &#8211; Hierarchies of Principals\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/sqlity.net\\\/en\\\/#website\",\"url\":\"https:\\\/\\\/sqlity.net\\\/en\\\/\",\"name\":\"sqlity.net\",\"description\":\"Quality for SQL\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/sqlity.net\\\/en\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/sqlity.net\\\/en\\\/#\\\/schema\\\/person\\\/bcffd8c572bc2f1bd10fdba80135e53c\",\"name\":\"Sebastian Meine\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/4ab0a6d02dd494849a584a2c3c8bc3bdcef1d0aa5f87e98bf905dbdb9ad2ce3a?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/4ab0a6d02dd494849a584a2c3c8bc3bdcef1d0aa5f87e98bf905dbdb9ad2ce3a?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/4ab0a6d02dd494849a584a2c3c8bc3bdcef1d0aa5f87e98bf905dbdb9ad2ce3a?s=96&d=mm&r=g\",\"caption\":\"Sebastian Meine\"},\"sameAs\":[\"http:\\\/\\\/sqlity.net\",\"https:\\\/\\\/x.com\\\/sqlity\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"DENY vs. REVOKE - Part 2 - Hierarchies of Principals - sqlity.net","description":"REVOKE and DENY are similar at first glance. However, DENY can be very powerful when used in the context of security principal hierarchies.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/sqlity.net\/en\/2003\/deny-vs-revoke-2\/","og_locale":"en_US","og_type":"article","og_title":"DENY vs. 
REVOKE - Part 2 - Hierarchies of Principals - sqlity.net","og_description":"REVOKE and DENY are similar at first glance. However, DENY can be very powerful when used in the context of security principal hierarchies.","og_url":"https:\/\/sqlity.net\/en\/2003\/deny-vs-revoke-2\/","og_site_name":"sqlity.net","article_publisher":"https:\/\/www.facebook.com\/sqlity.net","article_published_time":"2014-02-09T16:00:25+00:00","article_modified_time":"2014-11-13T18:17:31+00:00","og_image":[{"url":"http:\/\/sqlity.net\/wp-content\/uploads\/2014\/02\/Role_permission_in_effect_for_role_member.jpg","type":"","width":"","height":""}],"author":"Sebastian Meine","twitter_card":"summary_large_image","twitter_creator":"@sqlity","twitter_site":"@sqlity","twitter_misc":{"Written by":"Sebastian Meine","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/sqlity.net\/en\/2003\/deny-vs-revoke-2\/#article","isPartOf":{"@id":"https:\/\/sqlity.net\/en\/2003\/deny-vs-revoke-2\/"},"author":{"name":"Sebastian Meine","@id":"https:\/\/sqlity.net\/en\/#\/schema\/person\/bcffd8c572bc2f1bd10fdba80135e53c"},"headline":"DENY vs. REVOKE &#8211; Part 2 &#8211; Hierarchies of Principals","datePublished":"2014-02-09T16:00:25+00:00","dateModified":"2014-11-13T18:17:31+00:00","mainEntityOfPage":{"@id":"https:\/\/sqlity.net\/en\/2003\/deny-vs-revoke-2\/"},"wordCount":628,"commentCount":0,"image":{"@id":"https:\/\/sqlity.net\/en\/2003\/deny-vs-revoke-2\/#primaryimage"},"thumbnailUrl":"http:\/\/sqlity.net\/wp-content\/uploads\/2014\/02\/Role_permission_in_effect_for_role_member.jpg","keywords":["database principals","database roles","DENY","REVOKE","security","security management","Security Tokens","server principals","server roles","SQL Server"],"articleSection":["DENY vs. 
REVOKE","General","Security","Series"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/sqlity.net\/en\/2003\/deny-vs-revoke-2\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/sqlity.net\/en\/2003\/deny-vs-revoke-2\/","url":"https:\/\/sqlity.net\/en\/2003\/deny-vs-revoke-2\/","name":"DENY vs. REVOKE - Part 2 - Hierarchies of Principals - sqlity.net","isPartOf":{"@id":"https:\/\/sqlity.net\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/sqlity.net\/en\/2003\/deny-vs-revoke-2\/#primaryimage"},"image":{"@id":"https:\/\/sqlity.net\/en\/2003\/deny-vs-revoke-2\/#primaryimage"},"thumbnailUrl":"http:\/\/sqlity.net\/wp-content\/uploads\/2014\/02\/Role_permission_in_effect_for_role_member.jpg","datePublished":"2014-02-09T16:00:25+00:00","dateModified":"2014-11-13T18:17:31+00:00","author":{"@id":"https:\/\/sqlity.net\/en\/#\/schema\/person\/bcffd8c572bc2f1bd10fdba80135e53c"},"description":"REVOKE and DENY are similar at first glance. However, DENY can be very powerful when used in the context of security principal hierarchies.","breadcrumb":{"@id":"https:\/\/sqlity.net\/en\/2003\/deny-vs-revoke-2\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/sqlity.net\/en\/2003\/deny-vs-revoke-2\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/sqlity.net\/en\/2003\/deny-vs-revoke-2\/#primaryimage","url":"http:\/\/sqlity.net\/wp-content\/uploads\/2014\/02\/Role_permission_in_effect_for_role_member.jpg","contentUrl":"http:\/\/sqlity.net\/wp-content\/uploads\/2014\/02\/Role_permission_in_effect_for_role_member.jpg"},{"@type":"BreadcrumbList","@id":"https:\/\/sqlity.net\/en\/2003\/deny-vs-revoke-2\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/sqlity.net\/en\/"},{"@type":"ListItem","position":2,"name":"DENY vs. 
REVOKE &#8211; Part 2 &#8211; Hierarchies of Principals"}]},{"@type":"WebSite","@id":"https:\/\/sqlity.net\/en\/#website","url":"https:\/\/sqlity.net\/en\/","name":"sqlity.net","description":"Quality for SQL","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/sqlity.net\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/sqlity.net\/en\/#\/schema\/person\/bcffd8c572bc2f1bd10fdba80135e53c","name":"Sebastian Meine","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/4ab0a6d02dd494849a584a2c3c8bc3bdcef1d0aa5f87e98bf905dbdb9ad2ce3a?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/4ab0a6d02dd494849a584a2c3c8bc3bdcef1d0aa5f87e98bf905dbdb9ad2ce3a?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4ab0a6d02dd494849a584a2c3c8bc3bdcef1d0aa5f87e98bf905dbdb9ad2ce3a?s=96&d=mm&r=g","caption":"Sebastian 
Meine"},"sameAs":["http:\/\/sqlity.net","https:\/\/x.com\/sqlity"]}]}},"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2wXuw-wj","jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/sqlity.net\/en\/wp-json\/wp\/v2\/posts\/2003","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sqlity.net\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sqlity.net\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sqlity.net\/en\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/sqlity.net\/en\/wp-json\/wp\/v2\/comments?post=2003"}],"version-history":[{"count":0,"href":"https:\/\/sqlity.net\/en\/wp-json\/wp\/v2\/posts\/2003\/revisions"}],"wp:attachment":[{"href":"https:\/\/sqlity.net\/en\/wp-json\/wp\/v2\/media?parent=2003"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sqlity.net\/en\/wp-json\/wp\/v2\/categories?post=2003"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sqlity.net\/en\/wp-json\/wp\/v2\/tags?post=2003"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}