I'm studying for exam 70-462 and I'm practicing with some exercises I find around the web. In the site "Microsoft Questions and Answers" there's one solution I don't understand.
The solution's last step is to "Deny SELECT access to the SalaryDetails table to the Employees role." However, all company employees were added to this role and because "HR Administrators are also company employees," then HR Administrators should end up without any access to the SalaryDetails table, which is not what's being requested.
Is the solution wrong, or am I missing something?
Thanks in advance for any help!
Best Answer
It has to do with the hierarchy of permissions and using role membership over granting permissions directly to each login. This SQLMag article shows a good image of the hierachy in SQL Server. [In the event the article ever goes dead I have copied the image below.]You are granting
DENY
to the roleEmployees
so the HR Administrators being a member of a higher level role should mean they do not directly inherit theDENY
. At least that is how I understand it.The particular section of the article referenced speaks on
DENY
:I stand corrected
Let me first state I apoligize for not first testing what I was saying as I ended up proving myself wrong. I should have known better.
First lesson to learn: Test everything.
Second lesson to learn: Not all Microsoft Exam questions are perfect. I would suggest sticking with those test engines that Microsoft supports (e.g. MeasureUp.com)
Answer before the details
I will first give you what I discovered, then show you how I tested it. So my finding is that basically option D can be correct if you use
REVOKE
instead ofDENY
. This is based on the statement from Bob Beauchemin's whitepaper on SQL Server 2005 Security Best Practices:So basically
REVOKE
removes the permissions and basically would be not applying any permissions to the table itself. You are not explicitly denying anyone access to the table. So if you really wanted to deny permissions you would have to remove the HRAdmins group from the Employees roles for it to work correctly.I do not have access to Azure SQL so I could only test this on a local SQL Server 2014 instance. The script below is what I went through, included comments as I go.