Granting access to keys

The key owner or a user with the sso_role must grant select permission on a key before another user can specify the key in the create table, alter table, and select into statements. The key owner can be the system security officer, the key custodian or, for non-default keys, any user with create encryption key permission. Key owners should grant select permission on keys as needed.

The following example allows users with db_admin_role to use the encryption key named “safe_key” when specifying encryption on create table, alter table, and select into statements:

grant select on safe_key to db_admin_role

Note: Users who process encrypted columns through insert, update, delete, and select do not need select permission on the encryption key.
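
The following added example (not part of the original documentation) places the grant in context, showing the three statements it enables and a user who writes to the encrypted column without any permission on the key. The tables employee and emp_archive, their columns, and the user clerk1 are hypothetical names; the example assumes the db_admin_role user already has permission to create and alter tables.

```sql
-- Added illustration; employee, emp_archive, and clerk1 are hypothetical names.

-- Session 1: the key owner or a user with sso_role.
-- Allows members of db_admin_role to name safe_key in encryption clauses.
grant select on safe_key to db_admin_role
go

-- Session 2: a user with db_admin_role.
-- Each statement below names safe_key, so each depends on the grant above.
create table employee (
    emp_id  int          not null,
    name    varchar(60)  not null,
    ssn     char(11)     null encrypt with safe_key
)
go

alter table employee modify name encrypt with safe_key
go

select emp_id, ssn
into emp_archive (ssn encrypt with safe_key)
from employee
go

-- clerk1 only inserts rows into the table. The grant is on the table,
-- and no select permission on safe_key is given to clerk1.
grant insert on employee to clerk1
go
```

Keeping select permission on the key limited to the roles that define encrypted columns means that ordinary data-entry users such as clerk1 never need a grant on the key itself.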