Figure 4. Verify Sysadmin Members' Ability to Decrypt Data Encrypted by Other Users. Marking the Symmetric Keys Only checkbox and clicking on the Encrypt All Card Numbers by User/Issuer encrypts the 10,000 credit card numbers with a specific certificate (DiscAdminCert owned by DiscAdmin for Discover cards, for this example) and symmetric key (DiscAdminSymKey) for cards from each issuer. Members of the sysadmin role, however, can change the execution context to that of the DiscAdmin user by adding EXECUTE AS USER = 'DiscAdmin'; to the T-SQL decryption batch statement. Terminating the batch with REVERT; restores the execution context to the sysadmin user.