If you want users to select from the view, why are you granting to the table? By "revoke" do you mean explicitly revoke/deny? Deny will override grant so there's your problem... you should be able to accomplish this by adding grant to the view and not doing anything either way on the tables.
Here's a quick example where SELECT
has not been explicitly granted on the table, but has been on the view. The user can select from the view but not the table.
CREATE USER foo WITHOUT LOGIN;
GO
CREATE TABLE dbo.a(id INT);
CREATE TABLE dbo.b(id INT);
GO
CREATE VIEW dbo.v
AS
SELECT a.id FROM a INNER JOIN b ON a.id = b.id;
GO
GRANT SELECT ON dbo.v TO foo;
GO
EXECUTE AS USER = N'foo';
GO
-- works:
SELECT id FROM dbo.v;
GO
-- Msg 229, SELECT denied:
SELECT id FROM dbo.a;
GO
REVERT;
Note that this assumes foo
has not been granted elevated privileges through explicit permissions on the schema or database, or through role or group membership.
Since you are using tables in multiple databases (sorry I missed the end of that first sentence initially), you also may need explicit grants on the table(s) in the database where the view does not exist. In order to avoid granting select to the table(s), you could create a view in each database, and then join the views.
Create two databases and a login:
CREATE DATABASE d1;
GO
CREATE DATABASE d2;
GO
USE [master];
GO
CREATE LOGIN blat WITH PASSWORD = 'x', CHECK_POLICY = OFF;
GO
In database d1
, create a user, then create a table and a simple view against that table. Grant select to the user only against the view:
USE d1;
GO
CREATE USER blat FROM LOGIN blat;
GO
CREATE TABLE dbo.t1(id INT);
GO
CREATE VIEW dbo.v1
AS
SELECT id FROM dbo.t1;
GO
GRANT SELECT ON dbo.v1 TO blat;
GO
Now, in the second database, create the user, then create another table and a view that joins that table to the view in d1
. Grant select only to the view.
USE d2;
GO
CREATE USER blat FROM LOGIN blat;
GO
CREATE TABLE dbo.t2(id INT);
GO
CREATE VIEW dbo.v2
AS
SELECT v1.id FROM dbo.t2
INNER JOIN d1.dbo.v1 AS v1
ON t2.id = v1.id;
GO
GRANT SELECT ON dbo.v2 TO blat;
GO
Now launch a new query window and change the credentials to be for the login blat
(EXECUTE AS
does not work here). Then run the following from the context of either database, and it should work fine:
SELECT id FROM d1.dbo.v2;
These should both yield Msg 229 errors:
SELECT id FROM d1.dbo.t1;
GO
SELECT id FROM d2.dbo.t2;
Results:
Msg 229, Level 14, State 5, Line 1
The SELECT permission was denied on the object 't1', database 'd1', schema 'dbo'.
Msg 229, Level 14, State 5, Line 3
The SELECT permission was denied on the object 't2', database 'd2', schema 'dbo'.
Specify only the columns you want to see.
select (column1+column2) AS column1,
column3,
column4,
column5
from table1
It is bad form to use table1.*, as your SQL code will be vulnerable to changes in the table structure. It is a good habit to always specify the exact columns you want.
Best Answer
Unfortunately, there is no granularity for the UNMASK permission in SQL Server, users either see all masked data as masked or unmasked depending on whether they have UNMASK granted.
You could create a low-privilege user that has SELECT and UNMASK and create a stored procedure to retrieve only the columns you're after into a temporary table while impersonating this user. These results can then be joined back to your masked table after reverting the impersonation so that the columns that should be masked are and those that should be unmasked are retrieved from the temp table.