What is the difference between the DENY and REVOKE commands?
REVOKE removes access that has been GRANTed. DENY explicitly rejects, taking precedence over GRANTs. To the last point, if someone is part of the db_denydatawriter role, but you GRANT INSERT to them, the DENY will override that GRANT and they will be unable to INSERT.
Denies a permission to a principal. Prevents that principal from inheriting the permission through its group or role memberships. DENY takes precedence over all permissions, except that DENY does not apply to object owners or members of the sysadmin fixed server role.
The REVOKE statement can be used to remove granted permissions, and the DENY statement can be used to prevent a principal from gaining a specific permission through a GRANT. Granting a permission removes DENY or REVOKE of that permission on the specified securable.
Each object has a list of rules DENYing and GRANTing access.
REVOKE is an operation that removes a rule from the list of access rules.
Revoke is the opposite of a Grant (at least inasmuch as Grant adds an access rule and Revoke removes an access rule). While somewhat counter-intuitive, Deny also adds an access rule (which of course can be removed with a Revoke).
If I grant the sales group access I can later revoke it.
However, I could also deny you access, and even though you're in the sales group you'll not have access.
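The behaviour the answers above describe, as an added T-SQL example that is not part of the original posts. The names `dbo.DemoOrders`, `demo_sales` and `demo_user` are constructed for illustration; the script assumes a scratch database on SQL Server 2012 or later and a login allowed to create objects there.

```sql
-- Constructed objects: a table, a role, and a user who is a member of the role.
CREATE TABLE dbo.DemoOrders (id INT PRIMARY KEY);
CREATE ROLE demo_sales;
CREATE USER demo_user WITHOUT LOGIN;
ALTER ROLE demo_sales ADD MEMBER demo_user;

-- Step 1: GRANT to the role adds a GRANT rule; the member inherits it.
GRANT SELECT ON dbo.DemoOrders TO demo_sales;
EXECUTE AS USER = 'demo_user';
SELECT HAS_PERMS_BY_NAME('dbo.DemoOrders', 'OBJECT', 'SELECT') AS step1_grant_to_role;
REVERT;

-- Step 2: DENY to the user adds a DENY rule that takes precedence
-- over the GRANT inherited through the role.
DENY SELECT ON dbo.DemoOrders TO demo_user;
EXECUTE AS USER = 'demo_user';
SELECT HAS_PERMS_BY_NAME('dbo.DemoOrders', 'OBJECT', 'SELECT') AS step2_deny_to_user;
REVERT;

-- The rule list for the object at this point: one GRANT row and one DENY row.
SELECT pr.name AS grantee, pe.state_desc, pe.permission_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1 AND pe.major_id = OBJECT_ID('dbo.DemoOrders');

-- Step 3: REVOKE on the user removes the DENY rule (REVOKE removes
-- whichever rule exists, GRANT or DENY); the role's GRANT applies again.
REVOKE SELECT ON dbo.DemoOrders FROM demo_user;
EXECUTE AS USER = 'demo_user';
SELECT HAS_PERMS_BY_NAME('dbo.DemoOrders', 'OBJECT', 'SELECT') AS step3_revoke_deny;
REVERT;

-- Step 4: REVOKE on the role removes the GRANT rule; with no rule left,
-- the user has no access, but nothing blocks a later GRANT.
REVOKE SELECT ON dbo.DemoOrders FROM demo_sales;
EXECUTE AS USER = 'demo_user';
SELECT HAS_PERMS_BY_NAME('dbo.DemoOrders', 'OBJECT', 'SELECT') AS step4_revoke_grant;
REVERT;

-- Cleanup of the constructed objects.
ALTER ROLE demo_sales DROP MEMBER demo_user;
DROP USER demo_user;
DROP ROLE demo_sales;
DROP TABLE dbo.DemoOrders;
```

When auditing a database, filtering `sys.database_permissions` on `state_desc = 'DENY'` lists the explicit DENY rules that will silently override any GRANT a principal receives through a role.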