revoke vs deny : what is the difference

What is the difference between DE开发者_Go百科NY and REVOKE command?

---

Each object has a list of rules DENYing and GRANTing access.

REVOKE is an operation that removes a rule from the list of access rules.

---

Revoke is the opposite of a Grant (at least in as much as Grant adds an access rule and Revoke Removes an access Rule) While somewhat counter-intuative Deny also adds an access rule (which of course can be removed with a Revoke).

If I grant the sales group access I can later revoke it.

However I could also deny you access, and even through you're in the sales group you'll not have access.

---

REVOKE removes access that has been GRANTed. DENY explicitly rejects, taking precedence over GRANTs.

To the last point, if someone is part of the db_denydatawriter role, but you GRANT INSERT to them, the DENY will override that GRANT and they will be unable to INSERT.

---

1. Granting Permission means that a user can access the object

2. Denying permission overrides a granted permission

3. Revoking a permission removes the permission that has been assigned, regardless of whether it was a denied permission or a granted permission