Administering Microsoft SQL Server 2012/2014 Databases — Question 36

Note: This question is part of a series of questions that use the same set of answer choices. An answer choice may be correct for more than one question in the series.
You administer a SQL Server database server that contains a database named SalesDb. SalesDb contains a schema named Customers that has a table named
Regions. A user named UserA is a member of a role named Sales.
UserA is granted the Select permission on the Regions table. The Sales role is granted the Select permission on the Customers schema.
You need to ensure that UserA is disallowed to select from any of the tables in the Customers schema.
Which Transact-SQL statement should you use?

Answer options

• A. DENY SELECT ON Object::Regions FROM Sales
• B. DENY SELECT ON Schema::Customers FROM Sales
• C. REVOKE SELECT ON Object::Regions FROM Sales
• D. REVOKE SELECT ON Schema::Customers FROM Sales
• E. DENY SELECT ON Object::Regions FROM UserA
• F. DENY SELECT ON Schema::Customers FROM UserA
• G. REVOKE SELECT ON Object::Regions FROM UserA
• H. REVOKE SELECT ON Schema::Customers FROM UserA
• I. EXEC sp_addrolemember 'Sales', 'UserA'
• J. EXEC sp_droprolemember 'Sales', 'UserA'

Correct answer: F

Explanation

The correct answer is F: DENY SELECT ON Schema::Customers FROM UserA, which explicitly denies UserA the ability to select from any table within the Customers schema, overriding any permissions granted through the Sales role. The other options either deny permissions at the role level or revoke permissions, which would not achieve the goal of specifically disallowing UserA from selecting from the Customers schema.