You can explicitly deny permissions on some SQL data service objects. When you deny a permission on an object in an SQL data service, you are applying an exception to the effective permission.
To deny permissions, use one of the following infacmd commands:
infacmd sql SetStoredProcedurePermissions. Denies Execute or Grant permissions at the stored procedure level.
infacmd sql SetTablePermissions. Denies Select and Grant permissions at the virtual table level.
infacmd sql SetColumnPermissions. Denies Select permission at the column level.
Each command has options to apply permissions (-ap) and deny permissions (-dp). The SetColumnPermissions command does not include the apply permissions option.
You cannot deny permissions from the Administrator tool.
The Data Integration Service verifies permissions before running SQL queries and stored procedures against the virtual database. The Data Integration Service validates the permissions for users or groups starting at the SQL data service level. When permissions apply to a parent object in an SQL data service, the child objects inherit the permission. The Data Integration Service checks for denied permissions at the column level.
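The evaluation order described above can be modeled in a few lines. The following is an added example, not Informatica code: it shows a permission granted at the SQL data service level being inherited down to a column and then overridden by a column-level deny. The object paths, principal names, and the rules that a deny on a parent also covers its children and that a deny on any of a user's principals wins are assumptions of this model.

```python
# Simplified model (assumption, not the Data Integration Service's code).
# Objects are path tuples: (service,), (service, table), (service, table, column).
from typing import Dict, List, Set, Tuple

Path = Tuple[str, ...]
Acl = Dict[Tuple[Path, str], Set[str]]  # (object, permission) -> principals


def ancestors_and_self(obj: Path):
    """Yield the object, then each parent up to the SQL data service level."""
    for depth in range(len(obj), 0, -1):
        yield obj[:depth]


def effective(principals: Set[str], obj: Path, perm: str,
              grants: Acl, denies: Acl) -> bool:
    """True if perm is granted on obj or a parent and no deny applies."""
    chain = list(ancestors_and_self(obj))
    granted = any(principals & grants.get((o, perm), set()) for o in chain)
    # Assumption: a deny on the object or any parent overrides every grant.
    denied = any(principals & denies.get((o, perm), set()) for o in chain)
    return granted and not denied


def check_query(principals: Set[str], columns: List[Path],
                grants: Acl, denies: Acl) -> List[Path]:
    """Return the columns a SELECT would be refused on (empty = allowed)."""
    return [c for c in columns
            if not effective(principals, c, "SELECT", grants, denies)]


# Constructed sample data, not taken from a real domain.
SVC: Path = ("sales_sqlds",)
CUSTOMERS: Path = SVC + ("customers",)
NAME, SSN = CUSTOMERS + ("name",), CUSTOMERS + ("ssn",)
GRANTS: Acl = {(SVC, "SELECT"): {"group:analysts"}}  # granted at service level
DENIES: Acl = {(SSN, "SELECT"): {"user:jdoe"}}       # exception on one column

if __name__ == "__main__":
    jdoe = {"user:jdoe", "group:analysts"}
    asmith = {"user:asmith", "group:analysts"}
    for who, ids in (("jdoe", jdoe), ("asmith", asmith)):
        refused = check_query(ids, [NAME, SSN], GRANTS, DENIES)
        print(who, "refused on:", [".".join(c) for c in refused] or "nothing")
```

When auditing, run the same check for each member of a group to confirm that a column-level deny affects only the intended users and that no one relies on a grant that a deny silently removes.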