Microsoft SQL Server 2017 and Azure SQL Database Permissions Infographic PDF
The charts below are read from left to right: each permission implies the permissions listed after it on the same line (for example CONTROL SERVER implies CONTROL ON DATABASE::<name>, which implies CONTROL ON the individual object). STATEMENTS lists the statements a permission covers.

Server Permissions
ALTER ANY SERVER AUDIT
  STATEMENTS: CREATE/ALTER/DROP SERVER AUDIT and SERVER AUDIT SPECIFICATION
ALTER ANY SERVER ROLE – See Server Role Permissions
CREATE SERVER ROLE – See Server Role Permissions
CONNECT REPLICATION – See Connect and Authentication – Database Permissions Chart
* NOTE: The SHUTDOWN statement requires the SQL Server SHUTDOWN permission. Starting, stopping, and pausing the Database Engine from SSCM, SSMS, or Windows requires Windows permissions, not SQL Server permissions.

Service Permissions
SEND ON SERVICE::<name>
TAKE OWNERSHIP ON SERVICE::<name>

Application Role Permissions
CONTROL SERVER → CONTROL ON DATABASE::<name> → CONTROL ON APPLICATION ROLE::<name>
ALTER ANY DATABASE → ALTER ON DATABASE::<name>

Connect and Authentication – Server Permissions
CONTROL SERVER → CONTROL ON LOGIN::<name>
VIEW ANY DEFINITION → VIEW DEFINITION ON LOGIN::<name>
IMPERSONATE ON LOGIN::<name>
  STATEMENTS: EXECUTE AS
ALTER ANY LOGIN → ALTER ON LOGIN::<name> (securityadmin role)
  STATEMENTS: ALTER LOGIN, sp_addlinkedsrvlogin; DROP LOGIN; CREATE LOGIN
VIEW ANY DATABASE
CONNECT SQL
CONTROL SERVER → CONTROL ON ENDPOINT::<name>
VIEW ANY DEFINITION → VIEW DEFINITION ON ENDPOINT::<name>
CONNECT ON ENDPOINT::<name>
TAKE OWNERSHIP ON ENDPOINT::<name>
ALTER ANY ENDPOINT → ALTER ON ENDPOINT::<name>
CREATE ENDPOINT
  STATEMENTS: ALTER ENDPOINT; DROP ENDPOINT; CREATE ENDPOINT

Notes:
• The CREATE LOGIN statement creates a login and grants CONNECT SQL to that login.
• Enabling a login (ALTER LOGIN <name> ENABLE) is not the same as granting CONNECT SQL permission.
• To map a login to a credential, see ALTER ANY CREDENTIAL.
• When contained databases are enabled, users can access SQL Server without a login. See database user permissions.
• To connect using a login you must have:
  o An enabled login
  o CONNECT SQL
  o CONNECT for the database (if specified)

Database Permissions – Schema Objects
Columns: Server Permissions → Database Permissions → Schema Permissions → Object Permissions / Type Permissions / XML Schema Collection Permissions
CONTROL SERVER → CONTROL ON DATABASE::<name> → CONTROL ON SCHEMA::<name> → CONTROL ON OBJECT|TYPE|XML SCHEMA COLLECTION::<name>
VIEW CHANGE TRACKING ON SCHEMA::<name> → VIEW CHANGE TRACKING ON OBJECT::<name>
SELECT ON DATABASE::<name> → SELECT ON SCHEMA::<name> → SELECT ON OBJECT::<table|view name> (db_datareader role; db_denydatareader role)
INSERT ON DATABASE::<name> → INSERT ON SCHEMA::<name> → INSERT ON OBJECT::<table|view name> (db_datawriter role; db_denydatawriter role)
UPDATE ON DATABASE::<name> → UPDATE ON SCHEMA::<name> → UPDATE ON OBJECT::<table|view name>
DELETE ON DATABASE::<name> → DELETE ON SCHEMA::<name> → DELETE ON OBJECT::<table|view name>
EXECUTE ON DATABASE::<name> → EXECUTE ON SCHEMA::<name> → EXECUTE ON OBJECT|TYPE|XML SCHEMA COLLECTION::<name>
REFERENCES ON DATABASE::<name> → REFERENCES ON SCHEMA::<name> → REFERENCES ON OBJECT|TYPE|XML SCHEMA COLLECTION::<name>
VIEW ANY DEFINITION → VIEW DEFINITION ON DATABASE::<name> → VIEW DEFINITION ON SCHEMA::<name> → VIEW DEFINITION ON OBJECT|TYPE|XML SCHEMA COLLECTION::<name>
TAKE OWNERSHIP ON DATABASE::<name> → TAKE OWNERSHIP ON SCHEMA::<name> → TAKE OWNERSHIP ON OBJECT|TYPE|XML SCHEMA COLLECTION::<name>
RECEIVE ON OBJECT::<queue name>
SELECT ON OBJECT::<queue name>
ALTER ANY DATABASE → ALTER ON DATABASE::<name> (db_ddladmin role; public role)
ALTER ANY SCHEMA → ALTER ON SCHEMA::<name> → ALTER ON OBJECT|TYPE|XML SCHEMA COLLECTION::<name>
  STATEMENTS: CREATE SCHEMA; CREATE SEQUENCE; CREATE AGGREGATE; CREATE DEFAULT; CREATE FUNCTION; CREATE PROCEDURE; CREATE QUEUE; CREATE RULE; CREATE SYNONYM; CREATE TABLE; CREATE TYPE; CREATE VIEW; CREATE XML SCHEMA COLLECTION

OBJECT permissions apply to the following database objects: AGGREGATE, DEFAULT, FUNCTION, PROCEDURE, QUEUE, RULE, SYNONYM, TABLE, VIEW. (All permissions do not apply to all objects. For example, UPDATE only applies to tables and views.)

Notes:
• To create a schema object (such as a table) you must have CREATE permission for that object type plus ALTER ON SCHEMA::<name> for the schema of the object. Might require REFERENCES ON OBJECT::<name> for any referenced CLR type or XML schema collection.
• To alter an object (such as a table) you must have ALTER permission on the object (or schema), or CONTROL permission on the object.
• To drop an object (such as a table) you must have ALTER permission on the schema or CONTROL permission on the object.
• To create an index requires ALTER OBJECT::<name> permission on the table or view.
• To create or alter a trigger on a table or view requires ALTER OBJECT::<name> on the table or view.
• To create statistics requires ALTER OBJECT::<name> on the table or view.

Symmetric Key Permissions
CONTROL SERVER → CONTROL ON DATABASE::<name> → CONTROL ON SYMMETRIC KEY::<name>
VIEW ANY DEFINITION → VIEW DEFINITION ON DATABASE::<name> → VIEW DEFINITION ON SYMMETRIC KEY::<name>
REFERENCES ON DATABASE::<name> → REFERENCES ON SYMMETRIC KEY::<name>
TAKE OWNERSHIP ON SYMMETRIC KEY::<name>
ALTER ANY DATABASE → ALTER ON DATABASE::<name>
ALTER ANY SYMMETRIC KEY → ALTER ON SYMMETRIC KEY::<name>
CREATE SYMMETRIC KEY
  STATEMENTS: ALTER SYMMETRIC KEY; DROP SYMMETRIC KEY; CREATE SYMMETRIC KEY
Note: OPEN SYMMETRIC KEY requires VIEW DEFINITION permission on the key (implied by any permission on the key), and requires permission on the key encryption hierarchy.

Asymmetric Key Permissions
CONTROL SERVER → CONTROL ON DATABASE::<name> → CONTROL ON ASYMMETRIC KEY::<name>
VIEW ANY DEFINITION → VIEW DEFINITION ON DATABASE::<name> → VIEW DEFINITION ON ASYMMETRIC KEY::<name>
REFERENCES ON DATABASE::<name> → REFERENCES ON ASYMMETRIC KEY::<name>
TAKE OWNERSHIP ON ASYMMETRIC KEY::<name>
ALTER ANY DATABASE → ALTER ON DATABASE::<name>
ALTER ANY ASYMMETRIC KEY → ALTER ON ASYMMETRIC KEY::<name>
CREATE ASYMMETRIC KEY
  STATEMENTS: ALTER ASYMMETRIC KEY; DROP ASYMMETRIC KEY; CREATE ASYMMETRIC KEY
Note: ADD SIGNATURE requires CONTROL permission on the key, and requires ALTER permission on the object.

Certificate Permissions
CONTROL SERVER → CONTROL ON DATABASE::<name> → CONTROL ON CERTIFICATE::<name>

Remote Service Binding Permissions
ALTER ANY REMOTE SERVICE BINDING → ALTER ON REMOTE SERVICE BINDING::<name>
CREATE REMOTE SERVICE BINDING
  STATEMENTS: ALTER REMOTE SERVICE BINDING; DROP REMOTE SERVICE BINDING; CREATE REMOTE SERVICE BINDING

Contract Permissions
CONTROL SERVER → CONTROL ON DATABASE::<name> → CONTROL ON CONTRACT::<name>
VIEW ANY DEFINITION → VIEW DEFINITION ON DATABASE::<name> → VIEW DEFINITION ON CONTRACT::<name>
REFERENCES ON DATABASE::<name> → REFERENCES ON CONTRACT::<name>
TAKE OWNERSHIP ON CONTRACT::<name>
ALTER ANY DATABASE → ALTER ON DATABASE::<name>
ALTER ANY CONTRACT → ALTER ON CONTRACT::<name>
CREATE CONTRACT
  STATEMENTS: DROP CONTRACT; CREATE CONTRACT

Route Permissions
CONTROL SERVER → CONTROL ON DATABASE::<name> → CONTROL ON ROUTE::<name>
VIEW ANY DEFINITION → VIEW DEFINITION ON DATABASE::<name> → VIEW DEFINITION ON ROUTE::<name>
TAKE OWNERSHIP ON ROUTE::<name>
ALTER ANY DATABASE → ALTER ON DATABASE::<name>
ALTER ANY ROUTE → ALTER ON ROUTE::<name>
CREATE ROUTE
  STATEMENTS: ALTER ROUTE; DROP ROUTE; CREATE ROUTE

Message Type Permissions
CONTROL SERVER → CONTROL ON DATABASE::<name> → CONTROL ON MESSAGE TYPE::<name>