title: "DENY Database Scoped Credential (Transact-SQL) | Microsoft Docs" ms.custom: "" ms.date: "12/16/2016" ms.prod: "sql" ms.prod_service: "database-engine, sql-database" ms.service: "" ms.component: "t-sql|statements" ms.reviewer: "" ms.suite: "sql" ms.technology:
- "database-engine" ms.tgt_pltfrm: "" ms.topic: "article" f1_keywords:
- "DENY DATABASE SCOPED CREDENTIAL"
- "DENY_DATABASE_SCOPED_CREDENTIAL_TSQL" dev_langs:
- "TSQL" helpviewer_keywords:
- "DENY statement, database scoped credentials"
- "denying permissions [SQL Server], database scoped credential" ms.assetid: c508b1c9-169e-4e7a-9a49-7ddf2ca8f848 caps.latest.revision: 2 author: "edmacauley" ms.author: "edmaca" manager: "craigg" ms.workload: "Inactive" monikerRange: "= azuresqldb-current || >= sql-server-2017 || = sqlallproducts-allversions"
[!INCLUDEtsql-appliesto-ss2017-asdb-xxxx-xxx-md]
Denies permissions on a database scoped credential.
Transact-SQL Syntax Conventions
DENY permission [ ,...n ]
ON DATABASE SCOPED CREDENTIAL :: credential_name
TO principal [ ,...n ]
[ CASCADE ]
[ AS denying_principal ]
permission
Specifies a permission that can be denied on a database scoped credential. Listed below.
ON DATABASE SCOPED CREDENTIAL **::**credential_name
Specifies the database scoped credential on which the permission is being denied. The scope qualifier "::" is required.
database_principal
Specifies the principal to which the permission is being denied. One of the following:
-
database user
-
database role
-
application role
-
database user mapped to a Windows login
-
database user mapped to a Windows group
-
database user mapped to a certificate
-
database user mapped to an asymmetric key
-
database user not mapped to a server principal.
CASCADE
Indicates that the permission being denied is also denied to other principals to which it has been granted by this principal.
denying_principal
Specifies a principal from which the principal executing this query derives its right to deny the permission. One of the following:
-
database user
-
database role
-
application role
-
database user mapped to a Windows login
-
database user mapped to a Windows group
-
database user mapped to a certificate
-
database user mapped to an asymmetric key
-
database user not mapped to a server principal.
A database scoped credential is a database-level securable contained by the database that is its parent in the permissions hierarchy. The most specific and limited permissions that can be denied on a database scoped credential are listed below, together with the more general permissions that include them by implication.
| Database scoped credential permission | Implied by database scoped credential permission | Implied by database permission |
|---|---|---|
| CONTROL | CONTROL | CONTROL |
| TAKE OWNERSHIP | CONTROL | CONTROL |
| ALTER | CONTROL | CONTROL |
| REFERENCES | CONTROL | REFERENCES |
| VIEW DEFINITION | CONTROL | VIEW DEFINITION |
Requires CONTROL permission on the database scoped credential. If the AS clause is used, the specified principal must own the database scoped credential.
DENY (Transact-SQL)
GRANT database scoped credential (Transact-SQL)
REVOKE database scoped credential (Transact-SQL)
Permissions (Database Engine)
Principals (Database Engine)
Encryption Hierarchy