Security Implications of Using User-Defined Functions

You can grant or deny the permissions to use user-defined functions depending on the type of function:

• For scalar user-defined functions, you can grant or deny permissions on EXECUTE and REFERENCES.

• For inline user-defined functions, you can grant or deny permissions on SELECT, UPDATE, INSERT, DELETE, or REFERENCES.

• For multistatement table-values user-defined functions, you can grant or deny permissions to SELECT and REFERENCES.

As in stored procedures and views, if every object referenced in a user-defined function belongs to the same owner as the user-defined function, and a user tries to use the function, permissions will be checked only on the function, not on every object referenced in the function.