Set priority for an SQL Server role

Posted on

Question :

Is there any way to set priority for a role if a user falls in two roles?

EXAMPLE : If the user is a member of the manager and staff roles, I want to get the features of the manager on conflicting issues.

Delete is denied in staff while granted in manager and user1 is a member of both, then user1 could delete the data.

Answer :

Unfortunately for you, it does not work that way. Users in multiple roles are subject to the complete set of permissions from all of their roles, and deny permissions always trump grant permissions. You have to keep that in mind as you design your user and role assignments.

In this case, you might find that you don’t need the DENY rule at all. A user can’t do anything without explicit grant permissions, so if you remove the deny rule from your staff role they likely still won’t be able to delete anything: the rule is redundant for them.

When a user is a member of multiple roles, their allowed permissions are the union of the individual role’s GRANTs and DENYs – with DENYs always taking precedence over GRANTs.

So, in your case, if it’s merely that staff are not GRANTed permission to delete, and managers are GRANTed delete, then a member of both roles will be allowed to delete.

There are no ways to change this policy – its built into SQL Server.

Leave a Reply

Your email address will not be published. Required fields are marked *