Explicitly denies a permission to a user or role. When a DENY is in place, it generally overrides an explicit or inherited GRANT at the same level.

Syntax

DENY cirroprivilege,...
ON securable TO {username | rolename};

Arguments

  • cirroprivilege - A privilege on a supported securable.

  • securable - A supported securable. If omitted, the privilege is applied to all available datasources.

  • username - Cirro user account name. Can be internal to CIRRO or an external Directory Service user.

  • rolename - Cirro Role.

Additional Information

  • DENY overrides GRANT on the same object.

  • An error is generated if you execute DENY on a user that exists only on a Federated System.

  • When a user is given a DB credential there is an implied PASSTHROUGH permission. You can assign a deny permission directly to a user or via a role.

Examples

Deny the SELECT privilege on all objects to a user.

DENY SELECT ON mysql1 TO myUser1;

Deny the alter system on all datasources to a user.

DENY ALTER SYSTEM ON * TO myUser1;

Deny the create temp table privilege on a datasource to a role.

DENY CREATE Temp TABLE ON Oracle1 TO myRole1;

Deny the SELECT privilege on a named datasource to a role.

DENY SELECT ON Oracle1.Accounting2016DB.* TO accountingUsersRole;

Deny PASSTHROUGH for all datasources globally

DENY PASSTHROUGH to om4;

Deny PASSTHROUGH for a specific datasource

DENY PASSTHROUGH on datasource to om4;

See Also