DENY Certificate Permissions (Transact-SQL)
Applies to: 
SQL Server
Azure SQL Database
Azure SQL Managed Instance
Denies permissions on a certificate.
Transact-SQL syntax conventions
Syntax
DENY permission [ ,...n ]
ON CERTIFICATE :: certificate_name
TO principal [ ,...n ]
[ CASCADE ]
[ AS denying_principal ]
Arguments
permission
Specifies a permission that can be denied on a certificate. Listed below.
ON CERTIFICATE ::certificate_name
Specifies the certificate on which the permission is being denied. The scope qualifier "::" is required.
database_principal
Specifies the principal to which the permission is being denied. One of the following:
database user
database role
application role
database user mapped to a Windows login
database user mapped to a Windows group
database user mapped to a certificate
database user mapped to an asymmetric key
database user not mapped to a server principal.
CASCADE
Indicates that the permission being denied is also denied to other principals to which it has been granted by this principal.
denying_principal
Specifies a principal from which the principal executing this query derives its right to deny the permission. One of the following:
database user
database role
application role
database user mapped to a Windows login
database user mapped to a Windows group
database user mapped to a certificate
database user mapped to an asymmetric key
database user not mapped to a server principal.
Remarks
A certificate is a database-level securable contained by the database that is its parent in the permissions hierarchy. The most specific and limited permissions that can be denied on a certificate are listed below, together with the more general permissions that include them by implication.
| Certificate permission | Implied by certificate permission | Implied by database permission |
|---|---|---|
| CONTROL | CONTROL | CONTROL |
| TAKE OWNERSHIP | CONTROL | CONTROL |
| ALTER | CONTROL | ALTER ANY CERTIFICATE |
| REFERENCES | CONTROL | REFERENCES |
| VIEW DEFINITION | CONTROL | VIEW DEFINITION |
Permissions
Requires CONTROL permission on the certificate. If the AS clause is used, the specified principal must own the certificate.
See Also
DENY (Transact-SQL)
Permissions (Database Engine)
Principals (Database Engine)
CREATE CERTIFICATE (Transact-SQL)
CREATE ASYMMETRIC KEY (Transact-SQL)
CREATE APPLICATION ROLE (Transact-SQL)
Encryption Hierarchy