"Dan Guzman" <danguzman@nospam-earthlink.net> wrote in message news:<MUikc.17962$e4.1986@newsread2.news.pas.earthlink.net>...
> > We also placed an 'X' in
> > all columns for guest and public account.
>
> The red 'X' denotes an explicit DENY. Because DENY takes precedence over a
> GRANT, the effective result is that no users can access the view because all
> users are members of the public role. It is generally best to avoid using
> DENY unless you have a specific reason to use it.
>
> > Should I create roles, then add users to the roles (so I can remove
> > public). This seems a little different than the NT model of
> > users/groups.
>
> Yes, it's a good practice to grant permissions to roles rather than
> individual users. This allows you to more easily control data access via
> role membership. You can ignore the public role unless you want to grant
> permissions to all database users.
>
> I suggest you clear (REVOKE) all permissions on the view and then grant
> permissions only to those roles as desired.
>
> --
> Hope this helps.
>
> Dan Guzman
> SQL Server MVP
>
> ...
>
Hi Dan,
Thanks for the reply.
> You can ignore the public role unless you want to grant
> permissions to all database users.
We found if we revoke the deny role, other roles lose access. So
would you suggest we simply revoke (not deny) the public role and add
a role to encompass our users? If we deny the public role, then our
additional role does not have access to the view.
Also, what is the difference between revoke and deny? I've seen the
behavior it exhibits, but I was not able to get a good definition from
the help files.
Thanks,
Jeff
noloader@yahoo.com
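
The role-based setup discussed in this thread, as an added T-SQL example that is not part of either post. The view name dbo.SalesSummary, the role ReportReaders and the database user jsmith are hypothetical, and jsmith is assumed to already exist as a user in the database.

```sql
-- Added example; dbo.SalesSummary, ReportReaders and jsmith are hypothetical names.
--
-- Each (principal, permission, object) combination is in one of three states:
--   GRANT  = explicit allow
--   DENY   = explicit block; wins over any GRANT the user receives through
--            any other role membership
--   REVOKE = not a state of its own: it removes an existing GRANT or DENY,
--            leaving no entry at all (neither allowed nor blocked)

-- 1. Clear the explicit DENY entries (the red 'X' in Enterprise Manager).
--    REVOKE removes them without granting anything, so public and guest
--    end up with no entry on the view.
REVOKE ALL ON dbo.SalesSummary FROM public;
REVOKE ALL ON dbo.SalesSummary FROM guest;

-- 2. Create a role for the intended readers and add a member.
--    (SQL Server 2005 and later also provide CREATE ROLE.)
EXEC sp_addrole 'ReportReaders';
EXEC sp_addrolemember 'ReportReaders', 'jsmith';

-- 3. Grant only the permission the role needs.
GRANT SELECT ON dbo.SalesSummary TO ReportReaders;

-- 4. Review the result: one Grant row for ReportReaders is expected,
--    with no Deny rows and no rows for public or guest.
EXEC sp_helprotect 'dbo.SalesSummary';

-- For contrast, the statement below would block jsmith again despite the
-- GRANT in step 3, because every database user is a member of public and
-- DENY takes precedence over GRANT:
--   DENY SELECT ON dbo.SalesSummary TO public;
```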