SQL 2005's Column Level Permissions

Before SQL Server 2005, SQL Server let you restrict access to individual table columns only indirectly: you created views or stored procedures that exposed the permitted columns and granted access to those objects to certain users. SQL Server 2005 lets you manipulate column-level permissions directly. The SQL sample below shows how:

        CREATE TABLE student (
            id   INT,
            name NCHAR(20),
            ssn  VARCHAR(11)
        )

        INSERT INTO student (id, name, ssn)
        VALUES (1, 'david', '999-12-1234')

        GRANT SELECT (id, name) ON student TO [DAFFIDIO\David]
        DENY  SELECT (ssn)      ON student TO [DAFFIDIO\David]   -- DENY SELECT on column ssn

        EXECUTE AS LOGIN = 'DAFFIDIO\David'   -- impersonate David using EXECUTE AS
        SELECT SUSER_NAME(), USER_NAME()

        SELECT id, name FROM student          -- allowed

        SELECT ssn FROM student               -- fails with Msg 230 (see below)

        REVERT                                -- undo the impersonation

Now David can see id and name, but not ssn. When he selects ssn he gets the error message below:

        Msg 230, Level 14, State 1, Line 2
        SELECT permission denied on column 'ssn' of object 'student', database 'Test', schema 'dbo'.

The syntax is:

        GRANT { ALL [ PRIVILEGES ] }
              | permission [ ( column [ ,...n ] ) ] [ ,...n ]
              [ ON [ class :: ] securable ] TO principal [ ,...n ] 
              [ WITH GRANT OPTION ] [ AS principal ]

You can now use GRANT, REVOKE and DENY to set granular permissions at the column level.
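Once column-level permissions are in use, a practitioner wants two things the sample above does not show: a way to audit which principals hold column-level grants and denies, and a way to verify the effective result without logging in as each user. The script below is an added example, not code from the original post. It assumes the `student` table from the sample exists in the current database, creates a throwaway database user named `ColumnAuditTest` (a placeholder name chosen here) without a login so it runs anywhere, and finishes by showing one documented quirk of the permission hierarchy: a table-level DENY does not take precedence over a column-level GRANT.

```sql
-- Added example: audit and verify column-level permissions on dbo.student.
-- Assumes the student table from the post exists in the current database.
-- 'ColumnAuditTest' is a placeholder principal created only for this test.
CREATE USER ColumnAuditTest WITHOUT LOGIN;

GRANT SELECT (id, name) ON dbo.student TO ColumnAuditTest;
DENY  SELECT (ssn)      ON dbo.student TO ColumnAuditTest;

-- 1. Inventory every column-level GRANT/DENY in the database.
--    Column permissions are stored in sys.database_permissions with
--    class = 1 (OBJECT_OR_COLUMN) and a non-zero minor_id, which is the
--    column_id of the column in sys.columns.
SELECT  pr.name           AS grantee,
        s.name + '.' + o.name AS [object],
        c.name            AS [column],
        dp.permission_name,
        dp.state_desc     -- GRANT, DENY or GRANT_WITH_GRANT_OPTION
FROM    sys.database_permissions AS dp
JOIN    sys.database_principals  AS pr ON pr.principal_id = dp.grantee_principal_id
JOIN    sys.objects              AS o  ON o.object_id = dp.major_id
JOIN    sys.schemas              AS s  ON s.schema_id = o.schema_id
JOIN    sys.columns              AS c  ON c.object_id = dp.major_id
                                      AND c.column_id = dp.minor_id
WHERE   dp.class = 1
  AND   dp.minor_id > 0
ORDER BY grantee, [object], [column];

-- 2. Ask the engine for the effective answer per column, as the test user.
--    HAS_PERMS_BY_NAME returns 1 when the permission is effectively held,
--    0 when it is not, so this confirms the GRANT/DENY pair without
--    actually running a query against the data.
EXECUTE AS USER = 'ColumnAuditTest';
SELECT  HAS_PERMS_BY_NAME('dbo.student', 'OBJECT', 'SELECT', 'id',   'COLUMN') AS can_select_id,
        HAS_PERMS_BY_NAME('dbo.student', 'OBJECT', 'SELECT', 'name', 'COLUMN') AS can_select_name,
        HAS_PERMS_BY_NAME('dbo.student', 'OBJECT', 'SELECT', 'ssn',  'COLUMN') AS can_select_ssn;
REVERT;

-- 3. Documented quirk: a table-level DENY does not take precedence over a
--    column-level GRANT (the reverse of the usual "DENY wins" rule, kept by
--    Microsoft for backward compatibility). After this DENY the test user
--    can still select id and name, so do not rely on a blanket table DENY
--    to close off columns that were granted individually.
DENY SELECT ON dbo.student TO ColumnAuditTest;

EXECUTE AS USER = 'ColumnAuditTest';
SELECT id, name FROM dbo.student;   -- still succeeds because of the column-level GRANT
REVERT;

-- Clean up: dropping the user removes the permissions granted to it.
DROP USER ColumnAuditTest;
```

Run the script in a test database as a member of db_owner (EXECUTE AS USER requires IMPERSONATE permission on the target user). In step 2 the ssn column should report 0 while id and name report 1; in step 3 the table-level DENY leaves that result unchanged. The audit query in step 1 is the part worth keeping: scheduling it, or diffing its output between runs, is a cheap way to catch column permissions that were granted once and forgotten.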


THIS POST IS PROVIDED "AS-IS" WITH NO WARRANTIES AND CONFERS NO RIGHTS. Build time: Sun 03/30/2008. ©2007 Dalun Software. All rights reserved.