The database owner, members of sysadmin, and members of securityadmin can assign database permissions. The available permissions include the following:
GRANT. Gives permission to perform the related task. With roles, all members of the role inherit the permission.
REVOKE. Removes prior GRANT permission but does not explicitly prevent a user or role from performing a task. A user or role could still inherit GRANT permission from another role.
DENY. Explicitly denies permission to perform a task and prevents the user or role from inheriting the permission. DENY takes precedence over all other grant permissions.