--- title: "DENY Asymmetric Key Permissions (Transact-SQL) | Microsoft Docs" ms.custom: "" ms.date: "06/10/2016" ms.prod: "sql-non-specified" ms.reviewer: "" ms.suite: "" ms.technology: - "database-engine" ms.tgt_pltfrm: "" ms.topic: "language-reference" dev_langs: - "TSQL" helpviewer_keywords: - "denying permissions [SQL Server], asymmetric keys" - "encryption [SQL Server], asymmetric keys" - "permissions [SQL Server], asymmetric keys" - "asymmetric keys [SQL Server], permissions" - "DENY statement, asymmetric keys" - "cryptography [SQL Server], asymmetric keys" ms.assetid: dd7d8cd5-536b-460c-ab5b-cb4752bbdfaa caps.latest.revision: 14 author: "BYHAM" ms.author: "rickbyh" manager: "jhubbard" --- # DENY Asymmetric Key Permissions (Transact-SQL) [!INCLUDE[tsql-appliesto-ss2008-asdb-xxxx-xxx_md](../../includes/tsql-appliesto-ss2008-asdb-xxxx-xxx-md.md)] Denies permissions on an asymmetric key. ![Topic link icon](../../database-engine/configure-windows/media/topic-link.gif "Topic link icon") [Transact-SQL Syntax Conventions](../../t-sql/language-elements/transact-sql-syntax-conventions-transact-sql.md) ## Syntax ``` DENY { permission [ ,...n ] } ON ASYMMETRIC KEY :: asymmetric_key_name TO database_principal [ ,...n ] [ CASCADE ] [ AS denying_principal ] ``` ## Arguments *permission* Specifies a permission that can be denied on an asymmetric key. Listed below. ON ASYMMETRIC KEY **::***asymmetric_key_name* Specifies the asymmetric key on which the permission is being denied. The scope qualifier "::" is required. *database_principal* Specifies the principal to which the permission is being denied. One of the following: - database user - database role - application role - database user mapped to a Windows login - database user mapped to a Windows group - database user mapped to a certificate - database user mapped to an asymmetric key - database user not mapped to a server principal. CASCADE Indicates that the permission being denied is also denied to other principals to which it has been granted by this principal. *denying_principal* Specifies a principal from which the principal executing this query derives its right to deny the permission. One of the following: - database user - database role - application role - database user mapped to a Windows login - database user mapped to a Windows group - database user mapped to a certificate - database user mapped to an asymmetric key - database user not mapped to a server principal. ## Remarks An asymmetric key is a database-level securable contained by the database that is its parent in the permissions hierarchy. The most specific and limited permissions that can be granted on an asymmetric key are listed below, together with the more general permissions that include them by implication. |Asymmetric Key permission|Implied by asymmetric key permission|Implied by database permission| |-------------------------------|------------------------------------------|------------------------------------| |CONTROL|CONTROL|CONTROL| |TAKE OWNERSHIP|CONTROL|CONTROL| |ALTER|CONTROL|ALTER ANY ASYMMETRIC KEY| |REFERENCES|CONTROL|REFERENCES| |VIEW DEFINITION|CONTROL|VIEW DEFINITION| ## Permissions Requires CONTROL permission on the asymmetric key. If the AS clause is used, the specified principal must own the asymmetric key. ## See Also [DENY (Transact-SQL)](../../t-sql/statements/deny-transact-sql.md) [Permissions (Database Engine)](../../relational-databases/security/permissions-database-engine.md) [Principals (Database Engine)](../../relational-databases/security/authentication-access/principals-database-engine.md) [CREATE CERTIFICATE (Transact-SQL)](../../t-sql/statements/create-certificate-transact-sql.md) [CREATE ASYMMETRIC KEY (Transact-SQL)](../../t-sql/statements/create-asymmetric-key-transact-sql.md) [Encryption Hierarchy](../../relational-databases/security/encryption/encryption-hierarchy.md)