SQL Server 2008 with Windows Authentication: Windows login gets mapped to several DB users at the same time?

Question

I have configured two users inside a SQL Server 2008 Express database: red and round.

• red maps to a local Windows group MACHINE\Red.
  red is a member of the default database roles db_datawriter.

• round maps to a local Windows group named MACHINE\Round.
  round is a member of the default database roles db_denydatawriter.

Both local Windows groups contain a local Windows user MACHINE\tomato.

From my .NET application, I'm now trying to INSERT data into some database table while logged in as MACHINE\tomato (and by connecting to the database using Windows Authentication). This doesn't work, supposedly due to the membership of the SQL user round in the db_denydatawriter role.

So, how can my Windows login be mapped to two SQL Server users at the same time?

--                      MACHINE\Red ---------- red ------- db_datawriter
--                    /
--     MACHINE\tomato
--                    \
--                      MACHINE\Round ------- round ------ db_denydatawriter

And how come that when I retrieve the current login via

SELECT CURRENT_USER   -- I could also use SYSTEM_USER or ORIGINAL_LOGIN()
                      -- with exactly the same result, it seems

I get back MYMACHINE\tomato, and not red or round?

Answer 1

Everything works exactly as it should. I will start from the bottom. When you are accessing a folder that gives permissions to group "Domain\Programmers", you are still uniquely identifiable as "Domain\User". So while it takes all your roles, mapped users etc into account, for anything that it needs to audit - you'll still be it instead of just someone-from-"Domain\Programmers". SQL Server is just reporting exactly who you are.

As for mapped logins, since you can be mapped to multiple Windows groups, SQL Server takes each and every one into account. It has to, otherwise 2 sql roles mapped to "Domain\Programmers" and "Domain\SysAdmin", each having access to different databases. You would expect to have access to all databases from the combination of the two Windows groups. Following from that, the entire access matrix is built up from all the

• windows user specific permissions
• direct windows-user-role specific permissions (per role)
• windows group specific permissions
• windows-group-role specific permissions (per role)

In line with the "deny trumps allow" mechanism common to both Windows and SQL Server, a single deny will block all access, otherwise a single allow from any branch will allow access.