Hi. the only effective way to do this is:
1. Create a VIEW of the table for the low-security user with the columns that s/he may see.
2. Set up two database roles: Let's call one GRUNTS and the other MANAGERS.
3. Give the Supervisor the GRUNTS role and the Manager the MANAGERS role.
4. REMOVE db_datareader from both users
5. GRANT SELECT on all table names to MANAGERS. Example code:
select
'GRANT SELECT ON ' + [name] + ' to MANAGERS;'
as Execute_this
from sys.tables;
Run the outputs in a new SSMS window.
6. GRANT SELECT on all table names EXCEPT those you want to limit to GRUNTS. Example code:
select
'GRANT SELECT ON ' + [name] + ' to GRUNTS;' as Execute_this
from sys.tables
where [name] not in ('notallowed1','notallowed2',etc.);
Run the outputs in a new SSMS window.
7. DENY on all table names you want to limit to GRUNTS. Example code:
select
'DENY SELECT, INSERT,UPDATE,DELETE ON ' + [name] + ' to GRUNTS;' as Execute_this
from sys.tables
where [name] in ('notallowed1','notallowed2',etc.);
8. GRANT on all views you want to allow to GRUNTS. Example code:
select
GRANT SELECT ON ' + [name] + ' to GRUNTS;' as Execute_this
from sys.views
where [name] in ('allowed1','allowed2',etc.);
Run the outputs in a new SSMS window.
And you should have yourself covered.
Thanks
John.