When would sys.database_permissions contain a row with state = 'R'?

Question

The MSDN documentation for sys.database_permissions says that the state column can be either 'G', 'D', 'R', or 'W'. The 'R' value has a description of 'REVOKE', which makes it sound like a row with this value would correspond to a revoked permission. However, as best I can tell from the docs for REVOKE, revoking a permission completely removes it, so I would expect that to just remove the row from sys.database_permissions. That's what happened when when I tested granting and then revoking a permission; after GRANT the permission shows up in that view, and after REVOKE it disappears.

My question: under what circumstances would this view ever contain rows with state set to 'R'? I'm asking this because I'm not sure whether I need to handle 'R' rows when examining this view in code.

I can think of a few potential scenarios where this might occur, but haven't found any confirmation:

• 'R' rows might appear if you granted some blanket permission and then revoked a more granular permission which was implied by the blanket permission (the granular permission would show up as 'R'). So far I haven't found any such permissions.
• 'R' rows might appear very briefly while SQL is processing a REVOKE command and then the entire row disappears. I haven't observed this, but presumably there's only a very small window of time when it would appear.

Answer 1

As answered by Jack Richins on Twitter (thanks to @Remus Rusanu for forwarding):

I believe it occurs wi column level permissions that contradict table or view perms.

I tested this and he is correct.