This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 13%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Hi All,
Have a question regarding database roles in SQL Server.
While assigning the database role for a database user, we have roles like db_datareader & db_writer roles.
Similarly, we have db_denydatareader & db_denydatawriter roles.
My question is, what is the use of these 2 deny roles.
If I don't want to a user to have SELECT , INS, UPD, DEL permissions, then I can simply uncheck or don't give db_datareader, db_writer roles to that user.
What is use of db_denydatareader, db_denydatawriter roles. Is there any specific use case scenarios for these 2 db roles?
Thanks,
Sam
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 46%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
Hi Samanthar-3682,
How are things going?
Do the answers help you?
Please feel free to let us know if you have any other question.
If you find any post in the thread is helpful, you could kindly accept it as answer.
Best Regards,
Amelia
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 71%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERV%3C/text%3E%3C/svg%3E)
These two roles are typically not used. The only reason to possibly use these roles could be for piece of mind where an extra layer of security (for a deny) so that the read or write permission would not be granted by accident through some other group.
I will have to agree with Robbie. I have severe difficulties to find any practical use cases for these roles. Overall, DENY is something you should use sparingly, because you often run into problems since DENY trumps GRANT.