As you saw in the SSMS Permissions pages, three options exist for assigning every permission: GRANT, DENY, and REVOKE.
Each option has its own T-SQL statements that can be used to manage
permissions as well. The simplified syntax for the GRANT command is as
follows:
GRANT { ALL [ PRIVILEGES ] }
| permission [ ( column [ ,...n ] ) ] [ ,...n ]
[ ON [ class :: ] securable ] TO principal [ ,...n ]
[ WITH GRANT OPTION ] [ AS principal ]
This basic GRANT syntax is similar to that in SQL Server 2000, but the addition of many
permissions and securables in SQL Server 2005 and SQL Server 2008 has
expanded the scope of the command. SQL Server 2005 also introduced the WITH GRANT OPTION
clause, which grants a permission to a principal and also
allows that principal to grant the permission to another principal. The
WITH GRANT OPTION clause has been carried forward to SQL Server 2008 and is a good way to delegate administrative functions to others.
The simplified syntax for the DENY and REVOKE commands is as follows:
DENY { ALL [ PRIVILEGES ] }
| permission [ ( column [ ,...n ] ) ] [ ,...n ]
[ ON [ class :: ] securable ] TO principal [ ,...n ]
[ CASCADE] [ AS principal ]
REVOKE [ GRANT OPTION FOR ]
{
[ ALL [ PRIVILEGES ] ]
|
permission [ ( column [ ,...n ] ) ] [ ,...n ]
}
[ ON [ class :: ] securable ]
{ TO | FROM } principal [ ,...n ]
[ CASCADE] [ AS principal ]
You can see that the simplified syntax for DENY and REVOKE is similar in structure to the GRANT statement. Each statement must identify the permission, the securable, and the principal to which the permission applies.
The ALL clause has been deprecated in SQL Server 2008. If ALL
is specified, it does not affect all permissions on the object; it
affects only a subset of the permissions related to the securable. The
subset of permissions is dependent on the securable.
The following examples demonstrate several different types of permissions you can manage by using T-SQL commands:
--Grant permissions to create a table
-- to a user named Chris
GRANT CREATE TABLE TO Chris
--Grant ALL permissions on a stored procedure
-- to a database role named TestDBRole
GRANT ALL ON dbo.uspGetBillOfMaterials TO TestDBRole
--DENY UPDATE permission on the Customer table
-- to user named Laura
DENY UPDATE ON OBJECT::sales.customer TO Laura
--REVOKE UPDATE permission on the Customer table
-- from user named Laura (removes the DENY issued above).
REVOKE UPDATE ON OBJECT::sales.customer TO Laura
There are many different flavors of the GRANT, DENY, and REVOKE
statements, depending on the securable they are affecting. Books Online
outlines the syntax for each securable and the permissions that can be
applied.
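The script below is an added example, not part of the original text. It walks one permission through delegation with WITH GRANT OPTION, an overriding DENY, and a cascading REVOKE, and it audits the result in the sys.database_permissions catalog view. The table dbo.PermDemo and the users DemoGrantor and DemoGrantee are constructed names, and the script assumes a scratch database and a caller in the db_owner role.

```sql
-- Added example. dbo.PermDemo, DemoGrantor and DemoGrantee are constructed
-- names; run in a scratch database as a member of db_owner.
CREATE TABLE dbo.PermDemo (Id int NOT NULL, Note varchar(50) NULL);
CREATE USER DemoGrantor WITHOUT LOGIN;
CREATE USER DemoGrantee WITHOUT LOGIN;
GO

-- 1. Delegate: DemoGrantor may SELECT and may pass SELECT on to others.
GRANT SELECT ON OBJECT::dbo.PermDemo TO DemoGrantor WITH GRANT OPTION;

-- 2. DemoGrantor uses the delegation to grant SELECT to DemoGrantee.
EXECUTE AS USER = 'DemoGrantor';
GRANT SELECT ON OBJECT::dbo.PermDemo TO DemoGrantee;
REVERT;

-- 3. Audit: state_desc is GRANT, GRANT_WITH_GRANT_OPTION or DENY, and the
--    grantor column shows which principal issued each permission.
SELECT grantee.name AS grantee, grantor.name AS grantor,
       p.permission_name, p.state_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals AS grantee
  ON grantee.principal_id = p.grantee_principal_id
JOIN sys.database_principals AS grantor
  ON grantor.principal_id = p.grantor_principal_id
WHERE p.class = 1                              -- object or column
  AND p.major_id = OBJECT_ID('dbo.PermDemo');

-- 4. DENY takes precedence over the GRANT from step 2. Check the
--    effective permission while impersonating DemoGrantee.
DENY SELECT ON OBJECT::dbo.PermDemo TO DemoGrantee;
EXECUTE AS USER = 'DemoGrantee';
SELECT HAS_PERMS_BY_NAME('dbo.PermDemo', 'OBJECT', 'SELECT') AS can_select;
REVERT;

-- 5. A permission granted WITH GRANT OPTION cannot be revoked without
--    CASCADE; CASCADE also revokes what DemoGrantor granted onward.
REVOKE SELECT ON OBJECT::dbo.PermDemo FROM DemoGrantor CASCADE;

-- 6. Re-run the audit query from step 3 to confirm what remains,
--    then clean up.
DROP TABLE dbo.PermDemo;
DROP USER DemoGrantee;
DROP USER DemoGrantor;
```

Running the step 3 query after each statement shows how a delegated grant spreads and who issued each permission, which is the information needed before revoking it.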
Remember that you can use the
Script option to generate the T-SQL from SSMS. The Script button is
available when you’re managing permissions, and using it is a great way
to familiarize yourself with the T-SQL that is used to effect changes.
You can select the permissions you want to apply via the GUI screen and
then click the Script button to generate the T-SQL.