Symmetric Key GRANT REFERENCES or GRANT VIEW DEFINITION

  • Question

  • For a Symmetric Key what is the difference between GRANT REFERENCES and GRANT VIEW DEFINITION?

    If my symmetric key is encrypted by a certificate, I need to GRANT CONTROL ON CERTIFICATE. But I am unsure if GRANT REFERENCES or GRANT VIEW DEFINITION is the way to go on the symmetric key or if there is much of a difference.

    Thanks, Amy

    Wednesday, June 23, 2010 2:27 PM

Answers

  •   The definition in BOL (http://msdn.microsoft.com/en-us/library/ms190499.aspx) is correct:

    “The caller must have some permission on the key and must not have been denied VIEW DEFINITION permission on the key.”

      It may be easier to visualize the rule if you think of it in terms of pseudo-code:

    IF ( has_any_perm(key) AND NOT has_been_denied_permission(key, 'VIEW DEFINITION') ) THEN
       SUCCEED
    ELSE
       FAIL

     In the case where you grant REFERENCES permission on the key, you comply with the first part of the requirement, and as long as you have not been explicitly denied VIEW DEFINITION you comply with the whole rule.

      I hope this information helps,

      -Raul Garcia
      SDE/T
      SQL Server Engine


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Friday, June 25, 2010 7:45 PM
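
The rule in the answer above, exercised in T-SQL as an added example that is not part of the original thread. DemoCert, DemoKey, DemoUser and the password are constructed names, and the script assumes a scratch database with no existing master key, run by a principal who can create these objects and impersonate DemoUser.

```sql
-- Run in a scratch database with no existing master key. All names are constructed.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Constructed-Demo-Passw0rd!';
CREATE CERTIFICATE DemoCert WITH SUBJECT = 'Key permission demo';
CREATE SYMMETRIC KEY DemoKey WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE DemoCert;
CREATE USER DemoUser WITHOUT LOGIN;
-- Decrypting through the certificate needs CONTROL on it, as in the question.
GRANT CONTROL ON CERTIFICATE::DemoCert TO DemoUser;
GO

-- Case 1: no permission on the key at all, so has_any_perm(key) is false.
EXECUTE AS USER = 'DemoUser';
BEGIN TRY
    OPEN SYMMETRIC KEY DemoKey DECRYPTION BY CERTIFICATE DemoCert;
    CLOSE SYMMETRIC KEY DemoKey;
    PRINT 'Case 1: key opened';
END TRY
BEGIN CATCH PRINT 'Case 1: OPEN failed: ' + ERROR_MESSAGE(); END CATCH;
REVERT;
GO

-- Case 2: REFERENCES counts as "some permission"; VIEW DEFINITION is not denied.
GRANT REFERENCES ON SYMMETRIC KEY::DemoKey TO DemoUser;
EXECUTE AS USER = 'DemoUser';
BEGIN TRY
    OPEN SYMMETRIC KEY DemoKey DECRYPTION BY CERTIFICATE DemoCert;
    CLOSE SYMMETRIC KEY DemoKey;
    PRINT 'Case 2: key opened';
END TRY
BEGIN CATCH PRINT 'Case 2: OPEN failed: ' + ERROR_MESSAGE(); END CATCH;
REVERT;
GO

-- Case 3: REFERENCES is still granted, but VIEW DEFINITION is explicitly denied.
DENY VIEW DEFINITION ON SYMMETRIC KEY::DemoKey TO DemoUser;
EXECUTE AS USER = 'DemoUser';
BEGIN TRY
    OPEN SYMMETRIC KEY DemoKey DECRYPTION BY CERTIFICATE DemoCert;
    CLOSE SYMMETRIC KEY DemoKey;
    PRINT 'Case 3: key opened';
END TRY
BEGIN CATCH PRINT 'Case 3: OPEN failed: ' + ERROR_MESSAGE(); END CATCH;
REVERT;
GO

-- Cleanup of the constructed objects.
DROP USER DemoUser; DROP SYMMETRIC KEY DemoKey;
DROP CERTIFICATE DemoCert; DROP MASTER KEY;
```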

All replies

  • Hi Amy,

    Based on my test, these two permissions seem to be the same.

    When a user has one of them, this user could retrieve information from sys.symmetric_keys and open this symmetric key.

    However, I could not find any documentation to explain this.

    Maybe other people know.

    Friday, June 25, 2010 10:28 AM