
MCT USE ONLY.

STUDENT USE PROHIBITED


3-6 Authorizing Users to Access Resources

WITH GRANT OPTION


When you grant permissions to a principal, you
can also give them the right to regrant the same
permissions to other principals by using the WITH
GRANT OPTION clause. This means you can
delegate the responsibility for managing
permissions, but you should use this with
caution—because you then lose control of the
security of that securable.

In the following example, User1 is given permission to perform updates on the
Marketing.Salesperson table, in addition to the right to grant this same
permission to other users:

Using the WITH GRANT OPTION Clause


GRANT UPDATE ON Marketing.Salesperson TO User1 WITH GRANT OPTION;
GO

CASCADE
The challenge of the WITH GRANT OPTION clause comes when you need to REVOKE or DENY the
permission that you granted to James using the WITH GRANT OPTION. You do not know which other
users James has already granted the permission to.
When revoking or denying a permission, you can use the CASCADE clause to also revoke or deny
permissions from any users who had been granted them by User1.

Using the CASCADE Clause


REVOKE UPDATE ON Marketing.Salesperson FROM User1 CASCADE;
GO

In this example, the REVOKE statement will fail if you omit the CASCADE clause, because the GRANT
statement included the WITH GRANT OPTION clause.
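
Before you run REVOKE with CASCADE, you can list which principals would be affected. The following query is an added example, not part of the courseware demonstration files: it reads sys.database_permissions and follows the grantor column to trace every UPDATE permission on Marketing.Salesperson that starts at User1. It assumes you run it in the database that contains the table, as a principal that can view permission metadata; the depth limit of 10 is an arbitrary guard chosen for this example.

```sql
-- Added example (not courseware code): trace everyone who holds UPDATE on
-- Marketing.Salesperson through a chain of grants that starts at User1.
WITH perms AS (
    SELECT dp.grantee_principal_id,
           dp.grantor_principal_id,
           dp.state_desc          -- GRANT, GRANT_WITH_GRANT_OPTION or DENY
    FROM sys.database_permissions AS dp
    WHERE dp.class = 1                                    -- object or column
      AND dp.major_id = OBJECT_ID(N'Marketing.Salesperson')
      AND dp.permission_name = N'UPDATE'
),
chain AS (
    -- Anchor: the permission rows held by User1 itself.
    SELECT p.grantee_principal_id, p.grantor_principal_id,
           p.state_desc, 0 AS depth
    FROM perms AS p
    WHERE p.grantee_principal_id = DATABASE_PRINCIPAL_ID(N'User1')
    UNION ALL
    -- Recursive step: rows whose grantor is a principal already in the chain.
    SELECT p.grantee_principal_id, p.grantor_principal_id,
           p.state_desc, c.depth + 1
    FROM perms AS p
    JOIN chain AS c
      ON p.grantor_principal_id = c.grantee_principal_id
    WHERE c.depth < 10            -- guard against circular grants
)
SELECT DISTINCT
       c.depth,
       USER_NAME(c.grantor_principal_id) AS grantor,
       USER_NAME(c.grantee_principal_id) AS grantee,
       c.state_desc
FROM chain AS c
ORDER BY c.depth, grantor, grantee;
GO
```

Rows with a depth greater than 0 are the principals that received the permission from User1, directly or through a further regrant. Rows with a state_desc of GRANT_WITH_GRANT_OPTION mark principals that can extend the chain.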

Demonstration: Authorizing User Access to Objects


In this demonstration, you will see how to view principals and grant permissions on database objects.

Demonstration Steps
1. Ensure that the MT17B-WS2016-NAT, 20764C-MIA-DC, and MIA20764C-MIA-SQL virtual
machines are running, and log on to 20764C-MIA-SQL as ADVENTUREWORKS\Student with the
password Pa55w.rd.

2. Run Setup.cmd in the D:\Demofiles\Mod03 folder as Administrator.

3. In the User Account Control dialog box, click Yes.


4. On the taskbar, click Microsoft SQL Server Management Studio.

5. In the Connect to Server dialog box, click Connect.

6. On the File menu, point to Open, and then click File.


Administering a SQL Database Infrastructure 3-7

7. In the Open File dialog box, navigate to D:\Demofiles\Mod03, click
AuthorizingUserAccessToObjects.sql, and then click Open.

8. Execute the code under the heading for Step 1 to create a user for the demonstration.

9. Execute the code under the heading for Step 2 to query the list of server principals. Note
Mod03Login at the end of the list.

10. Execute the code under the heading for Step 3 to query the list of database principals. Again, note
Mod03Login in the list.
11. Execute the code under the heading for Step 4 to grant SELECT permissions on the Product table to
Mod03Login.

12. Execute the code under the heading for Step 5 to change the execution context.
13. Execute the code under the heading for Step 6 to test the permissions. Note that you can select from
the Product table that you were granted permissions on, but not from the ProductInventory table.

14. Execute the code under the heading for Step 7 to revert the execution context.
15. Execute the code under the heading for Step 8 to grant SELECT permissions on specific columns in
the ProductInventory table to Mod03Login.

16. Execute the code under the heading for Step 9 to change the execution context.

17. Execute the code under the heading for Step 10 to test the permissions. Note that the first query to
select the two specific columns executes, but you cannot select all the columns from the
ProductInventory table.

18. Execute the code under the heading for Step 11 to revert the execution context.
19. On the File menu, click Close.

20. Leave SQL Server Management Studio open for the next demonstration.

Question: What is the REFERENCES permission used for?
