locked
User Permission in SQL Server RRS feed

  • Question

  • Hi Team,

    I created two AD groups.

    abc/Group1 --Read-Write

    abc/Group2--Read

    Now if the user is part of both the groups. In this case which one take precdence?

    Wednesday, August 5, 2020 8:15 PM

Answers

  • Hi Vijay,

    Rights applicable to the login are summed then applied from least restrictive to most restrictive on a per object basis. DENY'd rights take precedence over GRANT'd rights.

    First situation:

    abc/Group1 --Grant Read-- Grant Write    

    abc/Group2 --Grant Read   

    The user who is part of both the groups will have both Read and Write access.

    Second situation:

    abc/Group1 --Grant Read-- Grant Write    

    abc/Group2 --Grant Read -- Deny Write

    The user who is part of both the groups will have only Read access.

    Please also refer below links for more details:

    Effective SQL Server permissions when user is in several AD groups

    Overlapping User and Group Permissions

    Best Wishes

    Melissa


    ""SQL Server related"" forum will be migrated to a new home on Microsoft Q&A SQL Server!
    We invite you to post new questions in the "SQL Server related" forum’s new home on Microsoft Q&A SQL Server !
    For more information, please refer to the sticky post.

    • Marked as answer by VijayKSQL Thursday, August 13, 2020 11:12 PM
    Thursday, August 6, 2020 1:25 AM

All replies