SQL Clone
SQLServerCentral is supported by Redgate
 
Log in  ::  Register  ::  Not logged in
 
 
 


REVOKE ability to GRANT


REVOKE ability to GRANT

Author
Message
rocky
rocky
SSC-Addicted
SSC-Addicted (404 reputation)SSC-Addicted (404 reputation)SSC-Addicted (404 reputation)SSC-Addicted (404 reputation)SSC-Addicted (404 reputation)SSC-Addicted (404 reputation)SSC-Addicted (404 reputation)SSC-Addicted (404 reputation)

Group: General Forum Members
Points: 404 Visits: 246
I want to revoke the ability for a particular user (who owns a schema) to grant permissions on objects in that schema to other users. How do I do this?
From what I read I need to use the REVOKE [GRANT OPTION FOR] clause but I cannot get it to work and can't find a good example of this in regards to the schema.
Tried this:

revoke [GRANT OPTION FOR] on schema :: schema1 from user1

Any assistance is welcome.
Thanks!
rollercoaster43
rollercoaster43
SSC Veteran
SSC Veteran (241 reputation)SSC Veteran (241 reputation)SSC Veteran (241 reputation)SSC Veteran (241 reputation)SSC Veteran (241 reputation)SSC Veteran (241 reputation)SSC Veteran (241 reputation)SSC Veteran (241 reputation)

Group: General Forum Members
Points: 241 Visits: 435
Hi rocky,

What I understand from the below link is that REVOKE doesn't cancel a GRANT. It doesn't block a GRANT. It removes a permission at the level specified to the security principal (user or role) specified. That's why we say it undoes a permission :

http://www.mssqltips.com/sqlservertip/2894/understanding-grant-deny-and-revoke-in-sql-server/

But even I am clueless on the solution Sad
Matthew Darwin
Matthew Darwin
Ten Centuries
Ten Centuries (1.3K reputation)Ten Centuries (1.3K reputation)Ten Centuries (1.3K reputation)Ten Centuries (1.3K reputation)Ten Centuries (1.3K reputation)Ten Centuries (1.3K reputation)Ten Centuries (1.3K reputation)Ten Centuries (1.3K reputation)

Group: General Forum Members
Points: 1251 Visits: 878
You cannot grant, deny or revoke permissions on an object to the object owner and by default the owner receives the CONTROL permission on the schema which means that they can grant permissions as they please on that object.

If you really want to prevent this, then the only way to do this is to transfer the ownership to a different user using an ALTER AUTHORIZATION statement and grant the appropriate permissions to that user so they can carry out whatever tasks are appropriate.

Follow me on twitter @EvoDBACheck out my blog Natural Selection DBA
Go


Permissions

You can't post new topics.
You can't post topic replies.
You can't post new polls.
You can't post replies to polls.
You can't edit your own topics.
You can't delete your own topics.
You can't edit other topics.
You can't delete other topics.
You can't edit your own posts.
You can't edit other posts.
You can't delete your own posts.
You can't delete other posts.
You can't post events.
You can't edit your own events.
You can't edit other events.
You can't delete your own events.
You can't delete other events.
You can't send private messages.
You can't send emails.
You can read topics.
You can't vote in polls.
You can't upload attachments.
You can download attachments.
You can't post HTML code.
You can't edit HTML code.
You can't post IFCode.
You can't post JavaScript.
You can post emoticons.
You can't post or upload images.

Select a forum

































































































































































SQLServerCentral


Search