Post reply

db_denyreader, db_reader what is really going on?

  • May 10, 2004 at 11:02 am

    #85508

    Could someone point me to why there is a db_reader and db_denyreader (same with writer)?  If I don't grant select, then the user can't read, so why would I use db_denyreader?

     

    Thanks,

    Joseph

  • May 10, 2004 at 11:45 am

    #505848

    I believe it's this way:

    db_writer is the same as GRANT SELECT TO ...

    db_denywriter is the same as DENY SELECT TO...

    Why should you use the later instead of just not giving them SELECT? Here's an example:

    You have two tables A and B. There is a ROLE somedepartment that has SELECT priviliges on A and B.

    User J just got assigned. You grant him SELECT on table A, but you don't want him to be able to SELECT from B, so you don't grant him SELECT on B.

    Time goes by and User J is assigned to somedepartment and gets added to the ROLE, but still doesn't need access to table B. OOOPPPS, he has access because the ROLE has access and you have not DENYed him SELECT on that table.

    -SQLBill

Viewing 2 posts - 1 through 1 (of 1 total)

You must be logged in to reply to this topic. Login to reply