Symmetric Key GRANT REFERENCES or GRANT VIEW DEFINITION

Question

For a Symmetric Key what is the difference between GRANT REFERENCES and GRANT VIEW DEFINITION?

If my symmetric key is encrypted by a certificate, I need to GRANT CONTROL ON CERTIFICATE. But I am unsure if GRANT REFERENCES or GRANT VIEW DEFINITION is the way to go on the symmetric key or if there is much of a difference.

Thanks, Amy

Answer 1

Hi Amy,

Based on my test, these two permission seem to be the same.

when a use has one of them, this user could retrieve information from sys.symmetric_keys and open this symmetric key.

However, I could not find any documentation to explain this.

Might any other peoples know.

Answer 2

  The definition in BOL (http://msdn.microsoft.com/en-us/library/ms190499.aspx) is correct:

“The caller must have some permission on the key and must not have been denied VIEW DEFINITION permission on the key.”

  It may be easier to visualize the rule if you think of it in terms of pseudo-code:

If( has_any_perm(key) AND NOT has_been_denied_permission(key, ‘VIEW DEFINITION’) ) THEN

   SUCCEED

ELSE

   FAIL

 In the case where you grant REFERENCES permission on the key, you comply with the first part of the requirement, and as long as you have not been explicitly denied VIEW DEFINITION you comply with the whole rule.

  I hope this information helps,

  -Raul Garcia
  SDE/T
  SQL Server Engine

---

This posting is provided "AS IS" with no warranties, and confers no rights.