Re: Application Role

From: Sue Hoegemeier (Sue_H_at_nomail.please)
Date: 09/29/03 

Date: Mon, 29 Sep 2003 07:09:32 -0600

All users, groups and roles belong to public by default. If
you set a deny on public, it affects everyone. Permissions
are cummulative with deny taking precedence so the deny
applies to the application role as well - only the sysadmin
role will "bypass" a deny.

-Sue

On Mon, 29 Sep 2003 02:40:36 -0700, "Amitabha"
<amitinfy@yahoo.com> wrote:

>Hi
>I am trying to activate application role say 'abc' from my
>VB application using RDO I am able to execute
>sp_setapprole but there is some problem regarding the
>Group permissions.
>I want user 'A' not to have any execute permission on
>object 'O' so I revoked the permissions on the user. By
>default user goes to grp 'public' to be safe I revoked the
>permissions from 'public' now in the application I
>activated application role 'AR' this role has all the
>necessary permissions now I tried to execute some Proc
>using the same connection but SQL Server gives error as
>"user doesn't have execute permission on the object 'O' "
>This shouldn't happen with the application role as
>application role takes over group and user level
>permissions from the point it is active.
>
>Any info on this will be of help to me.
>
>Thanks
>Amitabha

Relevant Pages

  • Re: how to restrict users to search in their own Organizational Unit
    ... I also want to say that in fact you shouldn't deny the read permission to anyone and this scenario the MOSS Administrators or who is responsible for Add users to Your Sites should be carefull when performing this action. ... Now, because you're dealing with many users, my recommendation is to create THE NECESARY Security Groups in each OU and related them with your MOSS2007 existing security groups, in future when someone creates some user, you just have to add that user to the necessary group and that user will be given the necessary permissions. ... decided a script can make it possible to accomplish, ... > If I need to create a security group per OU and then add all users ...
    (microsoft.public.windows.server.active_directory)
  • Re: Share Permissions: Deny behaviour
    ... Deny overrides all other permissions. ... There are two types of Deny (again goes for share and NTFS). ... explicit allow permission, then you're stuck with implicit deny. ...
    (microsoft.public.windows.server.general)
  • Re: how to restrict users to search in their own Organizational Unit
    ... decided a script can make it possible to accomplish, ... You could also TRY removing the "Authenticated Users" ... Domain level since using a lot of DENY ... permissions is in and of itself a poor practice. ...
    (microsoft.public.windows.server.active_directory)
  • Re: NTFS Security Question.
    ... I was not sure that deleting the special permissions would work but you ... Since Windows 2000 deny NTFS permission does not work ... originally configured "closer" to the object in the chain of folders. ...
    (microsoft.public.windowsxp.security_admin)
  • RE: Exmerge errors
    ... To do this open regedit on the system you are administering Exchange ... A Deny does overrule an allow IF they are both inherited. ... An explicite allow at the store level will over-ride the inherited Deny. ... I cannot see where or how to override these permissions. ...
    (microsoft.public.exchange.admin)