Merge pull request #34487 from rwestMSFT/rw-0620-deny

v-shils · web-flow · commit d09870eac047 · 2025-06-20T11:18:08.000-07:00
Refresh DENY article
diff --git a/docs/t-sql/statements/deny-system-object-permissions-transact-sql.md b/docs/t-sql/statements/deny-system-object-permissions-transact-sql.md
@@ -1,9 +1,10 @@
 ---
 title: "DENY System Object Permissions (Transact-SQL)"
-description: DENY System Object Permissions (Transact-SQL)
+description: Denies permissions on system objects such as stored procedures, extended stored procedures, functions, and views.
 author: VanMSFT
 ms.author: vanto
-ms.date: "06/10/2016"
+ms.reviewer: randolphwest
+ms.date: 06/20/2025
 ms.service: sql
 ms.subservice: t-sql
 ms.topic: reference
@@ -18,68 +19,77 @@ dev_langs:
   - "TSQL"
 monikerRange: "=azuresqldb-current || >=sql-server-2016 || >=sql-server-linux-2017 || =azuresqldb-mi-current || =fabric"
 ---
-# DENY System Object Permissions (Transact-SQL)
+# DENY system object permissions (Transact-SQL)
+
 [!INCLUDE [SQL Server Azure SQL Database Azure SQL Managed Instance FabricSQLDB](../../includes/applies-to-version/sql-asdb-asdbmi-fabricsqldb.md)]
 
-  Denies permissions on system objects such as stored procedures, extended stored procedures, functions, and views.  
-  
- :::image type="icon" source="../../includes/media/topic-link-icon.svg" border="false"::: [Transact-SQL syntax conventions](../../t-sql/language-elements/transact-sql-syntax-conventions-transact-sql.md)  
-  
-## Syntax  
-  
+Denies permissions on system objects such as stored procedures, extended stored procedures, functions, and views.
+
+:::image type="icon" source="../../includes/media/topic-link-icon.svg" border="false"::: [Transact-SQL syntax conventions](../../t-sql/language-elements/transact-sql-syntax-conventions-transact-sql.md)
+
+## Syntax
+
 ```syntaxsql
-DENY { SELECT | EXECUTE } ON [ sys.]system_object TO principal   
-```  
-  
+DENY { SELECT | EXECUTE } ON [ sys. ] system_object TO principal
+```
+
 ## Arguments
- [ **sys.**]  
- The **sys** qualifier is required only when you are referring to catalog views and dynamic management views.  
-  
- *system_object*  
- Specifies the object on which permission is being denied.  
-  
- *principal*  
- Specifies the principal from which the permission is being revoked.  
-  
-## Remarks  
- This statement can be used to deny permissions on certain stored procedures, extended stored procedures, table-valued functions, scalar functions, views, catalog views, compatibility views, INFORMATION_SCHEMA views, dynamic management views, and system tables that are installed by [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)]. Each of these system objects exists as a unique record in the resource database (**mssqlsystemresource**). The resource database is read-only. A link to the object is exposed as a record in the **sys** schema of every database.  
-  
- Default name resolution resolves unqualified procedure names to the resource database. Therefore, the **sys** qualifier is only required when you are specifying catalog views and dynamic management views.  
-  
+
+#### [ sys. ]
+
+The `sys` qualifier is required only when you're referring to catalog views and dynamic management views.
+
+#### *system_object*
+
+Specifies the object on which permission is being denied.
+
+#### *principal*
+
+Specifies the principal from which the permission is being revoked.
+
+## Remarks
+
+This statement can be used to deny permissions on certain stored procedures, extended stored procedures, table-valued functions, scalar functions, views, catalog views, compatibility views, `INFORMATION_SCHEMA` views, dynamic management views, and system tables that are installed by [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)]. Each of these system objects exists as a unique record in the resource database (`mssqlsystemresource`). The resource database is read-only. A link to the object is exposed as a record in the `sys` schema of every database.
+
+Default name resolution resolves unqualified procedure names to the resource database. Therefore, the `sys` qualifier is only required when you're specifying catalog views and dynamic management views.
+
 > [!CAUTION]  
->  Denying permissions on system objects will cause applications that depend on them to fail. [!INCLUDE[ssManStudioFull](../../includes/ssmanstudiofull-md.md)] uses catalog views and may not function as expected if you change the default permissions on catalog views.  
-  
- Denying permissions on triggers and on columns of system objects is not supported.  
-  
- Permissions on system objects will be preserved during upgrades of [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)].  
-  
- System objects are visible in the [sys.system_objects](../../relational-databases/system-catalog-views/sys-system-objects-transact-sql.md) catalog view. The permissions on system objects are visible in the [sys.database_permissions](../../relational-databases/system-catalog-views/sys-database-permissions-transact-sql.md) catalog view in the **master** database.  
-  
- The following query returns information about permissions of system objects:  
-  
+> Denying permissions on system objects causes applications that depend on them to fail. [!INCLUDE [ssManStudioFull](../../includes/ssmanstudiofull-md.md)] uses catalog views and might not function as expected, if you change the default permissions on catalog views.
+
+Denying permissions on triggers and on columns of system objects isn't supported.
+
+Permissions on system objects are preserved during [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] upgrades.
+
+System objects are visible in the [sys.system_objects](../../relational-databases/system-catalog-views/sys-system-objects-transact-sql.md) catalog view. The permissions on system objects are visible in the [sys.database_permissions](../../relational-databases/system-catalog-views/sys-database-permissions-transact-sql.md) catalog view in the `master` database.
+
+The following query returns information about permissions of system objects:
+
 ```sql
-SELECT * FROM master.sys.database_permissions AS dp   
-    JOIN sys.system_objects AS so  
-    ON dp.major_id = so.object_id  
-    WHERE dp.class = 1 AND so.parent_object_id = 0 ;  
-GO  
-```  
-  
-## Permissions  
- Requires CONTROL SERVER permission.  
-  
-## Examples  
- The following example denies `EXECUTE` permission on `xp_cmdshell` to `public`.  
-  
+SELECT *
+FROM master.sys.database_permissions AS dp
+     INNER JOIN sys.system_objects AS so
+         ON dp.major_id = so.object_id
+WHERE dp.class = 1
+      AND so.parent_object_id = 0;
+GO
+```
+
+## Permissions
+
+Requires `CONTROL SERVER` permission.
+
+## Examples
+
+The following example denies `EXECUTE` permission on `xp_cmdshell` to **public**.
+
 ```sql
-DENY EXECUTE ON sys.xp_cmdshell TO public;  
-GO  
-```  
-  
-## See Also  
- [Transact-SQL syntax conventions](../../t-sql/language-elements/transact-sql-syntax-conventions-transact-sql.md)   
- [sys.database_permissions &#40;Transact-SQL&#41;](../../relational-databases/system-catalog-views/sys-database-permissions-transact-sql.md)   
- [GRANT System Object Permissions &#40;Transact-SQL&#41;](../../t-sql/statements/grant-system-object-permissions-transact-sql.md)   
- [REVOKE System Object Permissions &#40;Transact-SQL&#41;](../../t-sql/statements/revoke-system-object-permissions-transact-sql.md)  
-  
-  
+DENY EXECUTE ON sys.xp_cmdshell TO PUBLIC;
+GO
+```
+
+## Related content
+
+- [Transact-SQL syntax conventions (Transact-SQL)](../language-elements/transact-sql-syntax-conventions-transact-sql.md)
+- [sys.database_permissions](../../relational-databases/system-catalog-views/sys-database-permissions-transact-sql.md)
+- [GRANT system object permissions (Transact-SQL)](grant-system-object-permissions-transact-sql.md)
+- [REVOKE System Object Permissions (Transact-SQL)](revoke-system-object-permissions-transact-sql.md)
