Deny Execute on Assembly Doesn't
As we shipped SQL Server 2005, this permission set was supported in TSQL but never enforced. So you could say "deny execute on assembly" but nothing happened. With this fix to revert the support from TSQL, you will not be misled anymore and we wanted to get this fix to you in a service pack of the same product that introduced you this immensely easy way of expressing your logic in assemblies. Going forward, with database upgrades to next release, any lingering assemblies that display this permission will be automatically corrected. And so you don't have to worry about a thing.
True, but this could be problematic for database security. In general, DBAs must not assume that developers understand security as it will be implemented in the database. However, developers may be involved in creating CLR assemblies that will be registered in the database. Assembly-level permissions give (or would have given) the DBA an appropriate level of granularity for enforcing appropriate permissions in the database instance. Would this really be so hard to implement? I don't think that pushing database-level security into the CLR is going to be a good idea. It certainly won't help Enterprise-Level DBAs (who are already cautious about SQL-CLR, frequently for good reasons) to become more eager to implement CLR support in their databases.
Martin Thompson Jul 27, 2014