GO</pre><BR><BR>At this point, the key can be opened by my app user even though I haven't given it permission. If I DENY the [public] group, I can't open the key even after I later GRANT it directly ...