Revoke is the opposite of a Grant (at least in as much as Grant adds an access rule and Revoke Removes an access Rule) While somewhat counter-intuative Deny also adds an access rule (which of course can be removed with a Revoke).
If I grant the sales group access I can later revoke it.
However I could also deny you access, and even through you're in the sales group you'll not have access.
2
Taylor Gerring
On
REVOKE removes access that has been GRANTed. DENY explicitly rejects, taking precedence over GRANTs.
To the last point, if someone is part of the db_denydatawriter role, but you GRANT INSERT to them, the DENY will override that GRANT and they will be unable to INSERT.
6
Andomar
On
Each object has a list of rules DENYing and GRANTing access.
REVOKE is an operation that removes a rule from the list of access rules.
0
sebkun
On
Granting Permission means that a user can access the object
Denying permission overrides a granted permission
Revoking a permission removes the permission that has been assigned, regardless of whether it was a denied permission or a granted permission
Revoke is the opposite of a Grant (at least in as much as Grant adds an access rule and Revoke Removes an access Rule) While somewhat counter-intuative Deny also adds an access rule (which of course can be removed with a Revoke).
If I grant the sales group access I can later revoke it.
However I could also deny you access, and even through you're in the sales group you'll not have access.