User account access

  • Question

  • Good morning,

    We're in the process of cleaning out old accounts and re-structuring our security process. Our users have access to the Database Engine via Active Directory accounts (groups & individuals). Some users have access through their individual AND group AD accounts. When I attempt to deny a group account access to the Database Engine (in development environment), a user will contact me saying that they no longer have access to the Database Engine. How can that be if their individual account has access? Does it matter if the user was granted access through the group account first? Any advice would greatly be appreciated.

    Wednesday, November 7, 2018 4:10 PM

Answers

  • Hello,

    DENY always goes before GRANT. If you grant permissions to a user and deny them for an AD group that the user is a member of, then the DENY takes effect.


    Olaf Helper

    • Proposed as answer by pituachMVP Wednesday, November 7, 2018 6:12 PM
    • Marked as answer by MichelleLG3 Wednesday, November 7, 2018 6:29 PM
    Wednesday, November 7, 2018 5:15 PM
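
The precedence described in this answer, as an added T-SQL example that is not part of the original thread: it finds group logins carrying a DENY on CONNECT SQL, lists the paths one account uses to reach the instance, and contrasts DENY with REVOKE and DROP LOGIN. The names `CONTOSO\AppUsers` and `CONTOSO\jdoe` are constructed placeholders, `jdoe` is assumed to be a member of `AppUsers`, and the script is meant for a development instance.

```sql
-- Added example; all login names below are constructed placeholders.

-- 1. Audit: Windows logins (users or groups) with an explicit DENY on
--    CONNECT SQL. Any member of a listed group is blocked at logon,
--    whatever is granted to that member's individual login.
SELECT pr.name        AS login_name,
       pr.type_desc   AS login_type,
       pe.state_desc  AS permission_state,
       pe.permission_name
FROM sys.server_permissions AS pe
JOIN sys.server_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 100                      -- 100 = server-level permission
  AND pe.permission_name = N'CONNECT SQL'
  AND pe.state = 'D'                      -- D = DENY
  AND pr.type IN ('U', 'G');              -- U = Windows login, G = Windows group

-- 2. Audit: every permission path (individual login and group logins)
--    through which one Windows account reaches the instance.
EXEC xp_logininfo @acctname = N'CONTOSO\jdoe', @option = 'all';

-- 3. The situation from the question: the individual login holds a GRANT,
--    the group is then denied. The DENY wins, so jdoe can no longer connect.
GRANT CONNECT SQL TO [CONTOSO\jdoe];
DENY  CONNECT SQL TO [CONTOSO\AppUsers];

-- 4. Removing the group's access without blocking its members:
--    REVOKE clears the group's GRANT or DENY entry instead of adding a DENY,
--    so members fall back to whatever their own logins are granted.
REVOKE CONNECT SQL FROM [CONTOSO\AppUsers];

--    Dropping the group login removes that access path and its
--    server-level permission entries, including a DENY.
DROP LOGIN [CONTOSO\AppUsers];

-- 5. Re-run the query from step 1 to confirm no DENY remains for the group.
```

Run steps 1 and 2 before cleaning up a group login so that accounts relying only on the group path are known in advance.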

All replies

  • Ah! Thank you so much. If I were to delete the group account from SQL altogether, then the user would have access via their individual account, right?
    Wednesday, November 7, 2018 6:07 PM