Hello Huang, Winston-HR,
To your question regarding principal A and the 'SELECT' permission on schema SC:
- Granting 'SELECT' permission on schema SC to principal A will allow them to select data from objects within SC.
- This action does not remove their ability to CONTROL, EXECUTE, or CONNECT to the database or other schemas unless those permissions are explicitly revoked.
- It's important to review the combination of permissions to ensure they align with the intended level of access and do not inadvertently grant more access than intended.
From the Microsoft documentation below:
A schema is a database-level securable contained by the database that is its parent in the permissions hierarchy.
Please see the example in the document:
For example, this issue may occur in the following scenarios. These scenarios assume that a user, referred as U1, has the ALTER permission on the S1 schema. The U1 user is denied to access a table object, referred as T1, in the schema S2. The S1 schema and the S2 schema are owned by the same owner.
The U1 user has the CREATE PROCEDURE permission on the database and the EXECUTE permission on the S1 schema. Therefore, the U1 user can create a stored procedure, and then access the denied object T1 in the stored procedure.
The U1 user has the CREATE SYNONYM permission on the database and the SELECT permission on the S1 schema. Therefore, the U1 user can create a synonym in the S1 schema for the denied object T1, and then access the denied object T1 by using the synonym.
The U1 user has the CREATE VIEW permission on the database and the SELECT permission on the S1 schema. Therefore, the U1 user can create a view in the S1 schema to query data from the denied object T1, and then access the denied object T1 by using the view.
When managing permissions, always consider the implications of the permissions hierarchy and how different permissions can interact.
I hope this answers your question.
If this answers your question, please consider accepting the answer by hitting the Accept answer and up-vote as it helps the community look for answers to similar questions.
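An audit query for the three combinations in the quoted scenarios, as an added example that is not part of the original answer or of Microsoft's documentation. It assumes direct grants only: it does not resolve role membership or permissions implied by CONTROL, and the result column aliases are illustrative.

```sql
-- Added example: list principals that hold ALTER on a schema, plus one of the
-- permission pairs from the quoted scenarios, where another schema has the same
-- owner (so ownership chaining can bypass a DENY on objects in that schema).
-- Assumption: direct grants only; role membership and CONTROL are not expanded.
WITH combos (create_perm, schema_perm) AS (
    SELECT v.create_perm, v.schema_perm
    FROM (VALUES
        (N'CREATE PROCEDURE', N'EXECUTE'),  -- scenario 1: stored procedure
        (N'CREATE SYNONYM',   N'SELECT'),   -- scenario 2: synonym
        (N'CREATE VIEW',      N'SELECT')    -- scenario 3: view
    ) AS v (create_perm, schema_perm)
),
schema_grant AS (
    -- class 3 = schema-level permission; state G = GRANT, W = GRANT WITH GRANT OPTION
    SELECT p.grantee_principal_id, p.major_id AS schema_id, p.permission_name
    FROM sys.database_permissions AS p
    WHERE p.class = 3 AND p.state IN ('G', 'W')
)
SELECT u.name        AS principal_name,     -- U1 in the quoted text
       s1.name       AS alterable_schema,   -- S1
       c.create_perm AS database_permission,
       c.schema_perm AS schema_permission,
       o.name        AS shared_owner,
       s2.name       AS same_owner_schema   -- S2
FROM schema_grant AS alt
JOIN sys.schemas AS s1
  ON s1.schema_id = alt.schema_id
JOIN schema_grant AS held
  ON held.grantee_principal_id = alt.grantee_principal_id
 AND held.schema_id = alt.schema_id
JOIN combos AS c
  ON c.schema_perm = held.permission_name
JOIN sys.database_permissions AS dbp        -- class 0 = database-level permission
  ON dbp.class = 0
 AND dbp.state IN ('G', 'W')
 AND dbp.grantee_principal_id = alt.grantee_principal_id
 AND dbp.permission_name = c.create_perm
JOIN sys.database_principals AS u
  ON u.principal_id = alt.grantee_principal_id
JOIN sys.database_principals AS o
  ON o.principal_id = s1.principal_id
JOIN sys.schemas AS s2
  ON s2.principal_id = s1.principal_id
 AND s2.schema_id <> s1.schema_id
WHERE alt.permission_name = N'ALTER'
ORDER BY principal_name, alterable_schema, same_owner_schema;
```

Each returned row is a principal and schema pair to review: either remove the ALTER or CREATE permission, or give the two schemas different owners so the ownership chain is broken.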