Issue Revoke before Grant

denis_the_thief · June 9, 2019, 3:14pm

I hope everyone's doing well. I had a one line script to assign access to something:

GRANT privileges ON object TO user;

My co-worker, Senior Database Developer said instead it should be:

REVOKE Execute ON object TO user;
GRANT Execute ON object TO user;

He said this was a 'safety' thing and that we should take the privilege away before granting it. Essentially a best practice thing.

I searched this up and couldn't find anything. Has anyone experienced this or heard of this before? i.e. requiring a Revoke before Grant

graz · June 9, 2019, 11:04pm

I've not heard of this before? What's the specific situation it is supposed to protect against?

GRANT is a little unusual in that it doesn't generate an error if you grant the same permission twice. If you try to add a user to role twice, you get an error.

I'm not coming up with anything ...

But please post their reasoning. I'm very curious

denis_the_thief · June 9, 2019, 11:11pm

Thankyou. It didn't make sense to me either. I hope to get more info.

yosiasz · June 9, 2019, 11:35pm

It could be a good practice.

User dthief was granted execute permission
Now you want to get away from giving user specific permissions but use best practice group or role permission

So before giving permission to group revoke it for user dthief

User in your sample code might not be the same user.

graz · June 10, 2019, 1:04am

The problem described is revoking it from a user before granting to the same user. If it's a different user then it's just revoking from one user and granting to a different user.

yosiasz · June 10, 2019, 1:30am

I guess I am not seeing the question as being for the same exact user🤓

denis_the_thief · June 10, 2019, 12:58pm

Thankyou both. I don't think this would change anything but... It was actually involving a schema and a Database Role. And yes the same Role in both the Revoke and the Grant

REVOKE EXECUTE ON SCHEMA::[schema1] TO [DBRole1];
GRANT EXECUTE ON SCHEMA::[schema1] TO [DBRole1];

The rational provided to me was: A Revoke/Grant is more explicit than a Grant only.

yosiasz · June 10, 2019, 3:29pm

different shops have their own "culture" of doing things. to me I have never ran into this type of approach. it is just DB Admin's way of doing things. nothing technically wrong with it, just the DB Admin way.

denis_the_thief · June 10, 2019, 3:40pm

Thanks.
I'm not keen on doing things that are unsubstantiated. Then again no harm in this approach either

graz · June 10, 2019, 7:22pm

Hmm. In some shops I work in, we'd have a second event to reconcile for auditing purposes. That's about the only downside I see.

ScottPletcher · June 10, 2019, 8:58pm

Not "DBA", "Senior Database Developer" said. Hopefully a DBA wouldn't do that; he/she would at least check for existence before issuing a REVOKE. (Yes, I am a "Senior DBA".)

denis_the_thief · June 10, 2019, 9:14pm

It checks that both the Schema and Role exist first. I didn't post that as I didn't want to clutter the post. I was focused on the Revoke/Grant vs Grant only