DENY Certificate Permissions (Transact-SQL)
Denies permissions on a certificate.
Transact-SQL Syntax Conventions
- permission
-
Specifies a permission that can be denied on a certificate. Listed below.
- ON CERTIFICATE :: certificate_name
-
Specifies the certificate on which the permission is being denied. The scope qualifier "::" is required.
- database_principal
-
Specifies the principal to which the permission is being denied. One of the following:
-
database user
-
database role
-
application role
-
database user mapped to a Windows login
-
database user mapped to a Windows group
-
database user mapped to a certificate
-
database user mapped to an asymmetric key
-
database user not mapped to a server principal.
-
database user
- CASCADE
-
Indicates that the permission being denied is also denied to other principals to which it has been granted by this principal.
- denying_principal
-
Specifies a principal from which the principal executing this query derives its right to deny the permission. One of the following:
-
database user
-
database role
-
application role
-
database user mapped to a Windows login
-
database user mapped to a Windows group
-
database user mapped to a certificate
-
database user mapped to an asymmetric key
-
database user not mapped to a server principal.
-
database user
A certificate is a database-level securable contained by the database that is its parent in the permissions hierarchy. The most specific and limited permissions that can be denied on a certificate are listed below, together with the more general permissions that include them by implication.
| Certificate permission | Implied by certificate permission | Implied by database permission |
|---|---|---|
|
CONTROL |
CONTROL |
CONTROL |
|
TAKE OWNERSHIP |
CONTROL |
CONTROL |
|
ALTER |
CONTROL |
ALTER ANY CERTIFICATE |
|
REFERENCES |
CONTROL |
REFERENCES |
|
VIEW DEFINITION |
CONTROL |
VIEW DEFINITION |
