SQL Server 7 has taken great strides in improving its security model. Groups have been done away with and replaced by roles. The practical difference lies in the fact that a user can be a member of more than one role, which is how NT Security also works. Similarly, SQL Server now supports the DENY keyword, which denies access to an object for a particular user or role, no matter what other grants have been created that might allow the user to access the object. However, the new features can be easily misused. Too many roles or users spanning more than two–or at most three–roles will quickly create a maze that is hard to decipher.