You administer a SQL Server 2012 server that contains a database named SalesDB. SalesDb contains
a schema named Customers that has a table named Regions. A user named UserA is a member of a
role named Sales.
UserA is granted the Select permission on the Regions table. The Sales role is granted the Select
permission on the Customers schema.
You need to ensure that the Sales role, including UserA, is disallowed to select from any of the tables
in the Customers schema.
Which Transact-SQL statement should you use?
A.
REVOKE SELECT ON Schema::Customers FROM UserA
B.
DENY SELECT ON Object::Regions FROM UserA
C.
EXEC sp_addrolemember ‘Sales’, ‘UserA’
D.
DENY SELECT ON Object::Regions FROM Sales
E.
REVOKE SELECT ON Object::Regions FROM UserA
F.
DENY SELECT ON Schema::Customers FROM Sales
G.
DENY SELECT ON Schema::Customers FROM UserA
H.
EXEC sp_droprolemember ‘Sales’, ‘UserA’
I.
REVOKE SELECT ON Object::Regions FROM Sales
J.
REVOKE SELECT ON Schema::Customers FROM Sales
Explanation:
http://msdn.microsoft.com/en-us/library/ms188369.aspx
http://msdn.microsoft.com/en-us/library/ms187750.aspx
http://msdn.microsoft.com/en-us/library/ff848791.aspx
http://msdn.microsoft.com/en-us/library/ms187728.aspx
deny select on securable —-TO—- principal:
therefor its E + J (revoking the existing grants)
it’s disallowed, not revoke the permission. why F is not correct?
F might not be correct just because of syntax. DENY command look like this:
DENY SELECT ON OBJECT::Name TO USER/ROLE
and in all of answers there is FROM statement, which is used for REVOKE command.
It is really confusing.
answer F will be best answer even with wrong syntax.
REVOKE Grant on Role does not revoke individual users grant. and DENY on role override all grants for members of role.
BUT if u can choose multiple answers, then I and J will be best options.
You need to ensure that the Sales role, including UserA, is disallowed to select ….
Straight F answer :).
https://www.mssqltips.com/sqlservertip/2894/understanding-grant-deny-and-revoke-in-sql-server/