Re: Conflicting AD groups



Josh,

Within SQL Server rights are additive. This means that the sum of rights granted to all groups (with rights to SQL Server) for a particular login are applied. This sums both GRANT and DENY, with DENY overriding any GRANTs for the same permission.

Here are articles:
http://sqlserverpedia.com/wiki/Object_&_Statement_Permissions
http://technet.microsoft.com/en-us/library/ms174927(SQL.90).aspx

And (off topic) an interesting follow-on about properties (as opposed to permissions) being assigned to groups.
http://blogs.msdn.com/lcris/archive/2008/08/22/sql-server-windows-groups-default-schemas-and-other-properties.aspx

RLF

"JRStern" <JRStern@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:414E90D7-22E1-41E0-BCB2-8886DF7D953F@xxxxxxxxxxxxxxxx
I'm not a security guy, don't know if this is a simple or complex question,
but it seems it would be common.

We're setting up a new environment where most SQL Server security will be by
the Active Directory group membership a Windows login has. If a login is in
several groups with different levels of privileges, how is this resolved?
Point to a KB article would be fine.

Thanks.


Josh


.