In the first part of this chapter, you learned about the permissions on database objects, including objects with data, namely tables, views, and table-valued, user-defined functions. Sometimes you need to give permissions to end users in a more granular way. For example, you might need to give permissions to a specific user to read and update only a subset of columns in the table, and to see only a subset of rows in a table.

You can use programmable objects, such as stored procedures, to achieve these granular permission needs. You can use declarative permissions with the DCL statements GRANT, REVOKE, and DENY on the column level already available in previous versions of SQL Server. However, SQL Server 2016 also offers declarative ...