NOTES: Microsoft SQL Server 2017 and Azure SQL Database


Permission Syntax

Most permission statements have the format:

AUTHORIZATION PERMISSION ON SECURABLE::NAME TO PRINCIPAL

• AUTHORIZATION must be GRANT, REVOKE or DENY.

• PERMISSION is listed in the charts below.

• ON SECURABLE::NAME is the server, server object, database, or database object and its name. (ON SECURABLE::NAME is omitted for server-wide and database-wide permissions.)

• PRINCIPAL is the login, user, or role which receives or loses the permission. Grant permissions to roles whenever possible.

• Most of the more granular permissions are included in more than one higher level scope permission. So permissions can be inherited from more than one type of higher scope.

• Black, green, and purple arrows and boxes point to subordinate permissions that are included in the scope of a higher level permission.

• Brown arrows and boxes indicate some of the statements that can use the permission.

• Permissions in black apply to both SQL Server 2016 and Azure SQL Database

• Permissions in red apply only to SQL Server 2016 and later

• Permissions marked with ∫ apply only to SQL Server 2017

• Permissions marked with ? apply to SQL Server 2017 and Azure SQL Database

• Permissions in blue apply only to Azure SQL Database

• The newest permissions are underlined

Database Level Permissions

Top Level Database Permissions

db_owner role

CONTROL SERVER

Top Level Server Permissions

loginmanager role

Server-Level Principal Logins

ALTER ANY EVENT NOTIFICATION

DROP DATABASE

IMPERSONATE ON USER::

ALTER ANY USER

STATEMENTS:

STATEMENTS:

ALTER ANY DATABASE AUDIT

CREATE DATABASE AUDIT SPECIFICATION

ALTER USER

ALTER ANY DATABASE DDL TRIGGER

CREATE/ALTER/DROP database triggers

DROP USER

CONNECT REPLICATION ON DATABASE::

CONNECT ON DATABASE::

CONNECT ANY DATABASE

ALTER ANY DATABASE EVENT SESSION

STATEMENTS:

ALTER ANY EXTERNAL DATA SOURCE

db_accessadmin role

REFERENCES ON ASSEMBLY::

ALTER ON DATABASE::

TAKE OWNERSHIP ON ASSEMBLY::

ALTER ANY ASSEMBLY

ALTER ANY MESSAGE TYPE – See Service Broker Permissions Chart

that authenticates at the database, grants CONNECT ON DATABASE

CONTROL ON DATABASE::

SQL Database can be a push replication subscriber which requires no special permissions.

ALTER ANY DATABASE EVENT NOTIFICATION

CREATE DDL EVENT NOTIFICATION

CREATE DATABASE DDL EVENT NOTIFICATION

CREATE TRACE EVENT NOTIFICATION

on a login, but does not grant the server level permission to view

Event notifications on trace events

broker. See the service broker chart for more info.

ALTER ANY ROUTE – See Service Broker Permissions Chart

ALTER ANY SCHEMA – See Database Permissions – Schema Objects Chart

Database Role Permissions

ALTER ANY SECURITY POLICY

External Library Permissions

CONTROL ON DATABASE::

CONTROL SERVER

ALTER ANY SYMMETRIC KEY – See Symmetric Key Permissions Chart

CONTROL ON ROLE::

CONTROL SERVER

CONTROL ON DATABASE::

CONTROL SERVER

CREATE DEFAULT

VIEW ANY DEFINITION

CREATE FUNCTION

OPENROWSET(BULK…

bulkadmin role

VIEW ANY DEFINITION

CREATE AGGREGATE

VIEW DEFINITION ON DATABASE::

VIEW DEFINITION ON ROLE::

ALTER ON DATABASE::

TAKE OWNERSHIP ON ROLE::

ALTER ANY DATABASE

VIEW DEFINITION ON DATABASE::

VIEW DEFINITION ON EXTERNAL LIBRARY::

ALTER ON DATABASE::

TAKE OWNERSHIP ON EXTERNAL LIBRARY::

CREATE PROCEDURE

ALTER ANY AVAILABILITY GROUP – See Availability Group Permissions

ALTER ANY DATABASE

CREATE QUEUE

CREATE AVAILABILITY GROUP

ALTER ANY EXTERNAL LIBRARY

KILL

ALTER ANY CREDENTIAL

CREATE SYNONYM

CREATE/ALTER/DROP CREDENTIAL

CREATE TABLE

ALTER ANY DATABASE – See Database Permission Charts

dbcreator role

STATEMENTS:

ALTER EXTERNAL LIBRARY

STATEMENTS:

Server scoped event notifications

ALTER ANY DATABASE SCOPED CONFIGURATION

ALTER DATABASE SCOPED CONFIGURATION

CREATE DDL EVENT NOTIFICATION

Server scoped DDL event notifications

ALTER ANY MASK

CREATE TRACE EVENT NOTIFICATION

Event notifications on trace events

ALTER ANY EVENT SESSION

setupadmin role

ALTER ANY LOGIN – See Connect and Authentication

Extended event sessions

BACKUP DATABASE

sp_addlinkedserver

BACKUP LOG

securityadmin role

ALTER ANY SERVER AUDIT

ALTER ANY SERVER ROLE – See Server Role Permissions

CHECKPOINT

DBCC FREE…CACHE and SQLPERF

REFERENCES

Applies to subordinate objects in the database. See Database Permissions – Schema Objects chart.

SELECT on server-level DMV's

SELECT

ALTER SETTINGS

sp_configure, RECONFIGURE

UPDATE

ALTER TRACE

sp_trace_create

sp_create_trace

AUTHENTICATE SERVER

Allows server-level delegation

VIEW DEFINITION

ALTER AUTHORIZATION

CONNECT SQL – See Connect and Authentication

EXECUTE ANY EXTERNAL SCRIPT

CONNECT ANY DATABASE

KILL DATABASE CONNECTION

SHUTDOWN

SHUTDOWN*

UNSAFE ASSEMBLY

EXTERNAL ACCESS ASSEMBLY

VIEW DEFINITION ON DATABASE::

SUBSCRIBE QUERY NOTIFICATIONS

Notes:

UNMASK


public role

ALTER ON DATABASE::

ALTER ON SERVICE::

STATEMENTS:

VIEW DEFINITION ON APPLICATION ROLE::

ALTER SERVICE

DROP SERVICE

ALTER ANY DATABASE

ALTER AUTHORIZATION exists at many levels in the permission model but is never inherited from ALTER AUTHORIZATION at a higher level.

CREATE SERVICE

ALTER ON DATABASE::

ALTER ANY APPLICATION ROLE

ALTER ON APPLICATION ROLE::

CONTROL SERVER

STATEMENTS:

In both SQL Server and SQL Database the public database role does not initially have access to any user objects.

CONTROL ON REMOTE SERVICE BINDING::

CONTROL ON DATABASE::

ALTER APPLICATION ROLE

DROP APPLICATION ROLE

In SQL Server 2016, the public database role has the VIEW ANY COLUMN MASTER KEY DEFINITION and VIEW ANY COLUMN ENCRYPTION KEY DEFINITION permissions by default. They can be revoked.

CREATE APPLICATION ROLE

VIEW DATABASE STATE

ALTER ANY DATABASE

CREATE SERVICE

The public database role has many grants to system objects, which is necessary to manage internal actions.

CONTROL ON APPLICATION ROLE::

ALTER AUTHORIZATION for any object might also require IMPERSONATE or

VIEW ANY COLUMN ENCRYPTION KEY DEFINITION

VIEW SERVER STATE

VIEW ANY DEFINITION

VIEW DEFINITION ON DATABASE::

* NOTE: The SHUTDOWN statement requires the SQL Server SHUTDOWN permission. Starting, stopping, and pausing the Database Engine from SSCM, SSMS, or Windows requires Windows permissions, not SQL Server permissions.

public role

Database Permissions – Schema Objects

Server Permissions

Connect and Authentication – Server Permissions

Database Permissions

CONTROL ON SERVER

Schema Permissions

CONTROL ON SCHEMA ::

CONTROL ON DATABASE::

db_ddladmin role

Symmetric Key Permissions

Object Permissions

Type Permissions

XML Schema Collection Permissions

CONTROL SERVER

CONTROL ON DATABASE::

ALTER ANY DATABASE

db_datareader role

db_denydatareader role

STATEMENTS:

DROP REMOTE SERVICE BINDING

CONTROL ON OBJECT|TYPE|XML SCHEMA COLLECTION ::

CREATE REMOTE SERVICE BINDING

VIEW DEFINITION ON LOGIN::

IMPERSONATE ON LOGIN::

STATEMENTS:

ALTER ON LOGIN::

EXECUTE AS

db_datawriter role

db_denydatawriter role

STATEMENTS:

VIEW ANY DEFINITION

ALTER LOGIN, sp_addlinkedsrvlogin

DROP LOGIN

SELECT ON SCHEMA::

SELECT ON OBJECT::

INSERT ON DATABASE::

INSERT ON SCHEMA::

INSERT ON OBJECT::< table |view name>

UPDATE ON DATABASE::

UPDATE ON SCHEMA::

UPDATE ON OBJECT::< table |view name>

DELETE ON SCHEMA::

DELETE ON OBJECT::< table |view name>

Note: OPEN SYMMETRIC KEY requires VIEW DEFINITION permission on the key (implied by any permission on the key), and requires permission on the key encryption hierarchy.

EXECUTE ON DATABASE::

EXECUTE ON SCHEMA::

EXECUTE ON OBJECT|TYPE|XML SCHEMA COLLECTION::

REFERENCES ON DATABASE::

REFERENCES ON SCHEMA::

REFERENCES ON OBJECT|TYPE|XML SCHEMA COLLECTION::

VIEW DEFINITION ON DATABASE::

VIEW DEFINITION ON SCHEMA::

VIEW DEFINITION ON OBJECT|TYPE|XML SCHEMA COLLECTION::

TAKE OWNERSHIP ON DATABASE::

TAKE OWNERSHIP ON SCHEMA::

TAKE OWNERSHIP ON OBJECT|TYPE|XML SCHEMA COLLECTION::

ALTER ON SCHEMA::

• To map a login to a credential, see ALTER ANY CREDENTIAL.

• When contained databases are enabled, users can access SQL Server without a login. See database user

CONNECT SQL

o

CONNECT for the database (if specified)

CONTROL SERVER

VIEW ANY DEFINITION

QUEUE

CREATE RULE

RULE

ALTER ANY DATABASE

SYNONYM

CREATE TABLE

(All permissions do not apply to all objects. For example UPDATE only applies to tables and views.)

REFERENCES ON DATABASE::

REFERENCES ON CONTRACT::

TAKE OWNERSHIP ON CONTRACT::

ALTER ANY DATABASE

ALTER ON DATABASE::

ALTER ON CONTRACT::

DROP CONTRACT

CONTROL ON DATABASE::

CREATE CONTRACT

CONTROL ON ASYMMETRIC KEY::

VIEW DEFINITION ON DATABASE::

VIEW DEFINITION ON ASYMMETRIC KEY::

REFERENCES ON DATABASE::

REFERENCES ON ASYMMETRIC KEY::

ALTER ON DATABASE::

TAKE OWNERSHIP ON ASYMMETRIC KEY::

CONTROL SERVER

VIEW ANY DEFINITION

CONTROL ON DATABASE::

CONTROL ON ROUTE::

VIEW DEFINITION ON DATABASE::

VIEW DEFINITION ON ROUTE::

ALTER ON ASYMMETRIC KEY::

Note: ADD SIGNATURE requires CONTROL permission on the key, and requires ALTER permission on the object.

STATEMENTS:

ALTER ASYMMETRIC KEY

DROP ASYMMETRIC KEY

CREATE ASYMMETRIC KEY

ALTER ANY DATABASE

ALTER ON DATABASE::

ALTER ANY ROUTE

ALTER ON ROUTE::

STATEMENTS:

CREATE ASYMMETRIC KEY

ALTER ROUTE

Notes:

• To create a schema object (such as a table) you must have CREATE permission for that object type plus ALTER ON SCHEMA:: for the schema of the object. Might require REFERENCES ON OBJECT:: for any referenced CLR type or XML schema collection.

• To alter an object (such as a table) you must have ALTER permission on the object (or schema), or CONTROL permission on the object.

• To drop an object (such as a table) you must have ALTER permission on the schema or CONTROL permission on the object.

• To create an index requires ALTER OBJECT:: permission on the table or view.

• To create or alter a trigger on a table or view requires ALTER OBJECT:: on the table or view.

• To create statistics requires ALTER OBJECT:: on the table or view.

DROP ROUTE

CREATE ROUTE

ALTER ENDPOINT

CONTROL SERVER

CREATE SYMMETRIC KEY

VIEW DEFINITION ON CONTRACT::

STATEMENTS:

ALTER ANY ASYMMETRIC KEY

VIEW DEFINITION ON ENDPOINT::

CONTROL SERVER

VIEW ANY DEFINITION

CONTROL ON SERVER ROLE::

CONTROL ON SEARCH PROPERTY LIST::

CONTROL SERVER

CONTROL ON DATABASE::

CREATE ROUTE

Certificate Permissions

Full-text Permissions

Server Role Permissions

DROP SYMMETRIC KEY

VIEW DEFINITION ON DATABASE::

TAKE OWNERSHIP ON ROUTE::

VIEW

CREATE VIEW

TAKE OWNERSHIP ON ENDPOINT::

CREATE ENDPOINT

VIEW ANY DEFINITION

ALTER SYMMETRIC KEY

TABLE

CREATE TYPE

CONNECT ON ENDPOINT::

CREATE ENDPOINT

CONTROL ON CONTRACT::

CREATE CONTRACT

PROCEDURE

CREATE QUEUE

CREATE XML SCHEMA COLLECTION

DROP ENDPOINT

STATEMENTS:

CREATE SYMMETRIC KEY

CONTROL ON DATABASE::

ALTER ON SYMMETRIC KEY::

FUNCTION

CREATE PROCEDURE

CONTROL ON ENDPOINT::

STATEMENTS:

CONTROL SERVER

DEFAULT

CREATE FUNCTION

CREATE SYNONYM

ALTER ON ENDPOINT::

TAKE OWNERSHIP ON SYMMETRIC KEY::

AGGREGATE

CREATE DEFAULT

To connect using a login you must have :

o

ALTER ON DATABASE::

Asymmetric Key Permissions

ALTER ON OBJECT|TYPE|XML SCHEMA COLLECTION::

OBJECT permissions apply to the following database objects:

CREATE AGGREGATE

permissions.

An enabled login

REFERENCES ON SYMMETRIC KEY::

ALTER ANY CONTRACT

CREATE SEQUENCE

CREATE SCHEMA

Notes:

Enabling a login (ALTER LOGIN ENABLE) is not the same as granting CONNECT SQL permission.

REFERENCES ON DATABASE::

CREATE REMOTE SERVICE BINDING

ALTER ON DATABASE::

ALTER ANY SCHEMA


VIEW DEFINITION ON SYMMETRIC KEY::

ALTER ANY SYMMETRIC KEY

RECEIVE ON OBJECT::

CONNECT SQL

The CREATE LOGIN statement creates a login and grants CONNECT SQL to that login.

VIEW DEFINITION ON DATABASE::

SELECT ON OBJECT::

ALTER ANY DATABASE


ALTER ANY DATABASE

DELETE ON DATABASE::

VIEW ANY DATABASE

CREATE LOGIN

VIEW CHANGE TRACKING ON OBJECT::

SELECT ON DATABASE::

ALTER ON REMOTE SERVICE BINDING::

ALTER REMOTE SERVICE BINDING

VIEW ANY DEFINITION

VIEW CHANGE TRACKING ON SCHEMA::

ALTER ON DATABASE::

ALTER ANY REMOTE SERVICE BINDING

CONTROL ON SYMMETRIC KEY::

CONTROL ON LOGIN::

o

VIEW DEFINITION ON REMOTE SERVICE BINDING::

TAKE OWNERSHIP ON REMOTE SERVICE BINDING::

VIEW ANY DATABASE – See Database Permissions – Schema

securityadmin role

VIEW DEFINITION ON SERVICE::

SEND ON SERVICE::

CONTROL ON DATABASE::

VIEW ANY DEFINITION

membership in a role or ALTER permission on a role.


VIEW ANY COLUMN MASTER KEY DEFINITION

VIEW ANY DEFINITION


SHOWPLAN

SELECT ALL USER SECURABLES

VIEW DEFINITION ON DATABASE::

ALTER ANY SERVICE

Notes:

STATEMENTS:

TAKE OWNERSHIP

ALTER TRACE

CONTROL ON SERVICE::

TAKE OWNERSHIP ON SERVICE::

CONTROL SERVER

STATEMENTS:

IMPERSONATE ANY LOGIN

VIEW ANY DEFINITION

Application Role Permissions

EXECUTE

VIEW ANY DEFINITION

CONTROL ON DATABASE::

BACKUP LOG

INSERT

VIEW SERVER STATE

CONTROL SERVER

DELETE

CREATE SERVER ROLE – See Server Role Permissions

ALTER SERVER STATE

NOTES: Only members of the db_owner fixed database role can add or remove members from fixed database roles.

CREATE ROLE

CONNECT REPLICATION – See Connect and Authentication – Database Permissions Chart

ALTER RESOURCES (NA. Use diskadmin role instead.)

CREATE ROLE

BACKUP DATABASE

db_backupoperator role

CHECKPOINT

CREATE/ALTER/DROP SERVER AUDIT

and SERVER AUDIT SPECIFICATION

Service Broker Permissions (SQL Server only)

DROP ROLE

Combined with TRUSTWORTHY allows delegation of authentication

AUTHENTICATE

AUTHENTICATE SERVER

DROP EXTERNAL LIBRARY

CREATE EXTERNAL LIBRARY

CREATE EXTERNAL LIBRARY

ALTER ROLE ADD MEMBER

CREATE XML SCHEMA COLLECTION

ADMINISTER DATABASE BULK OPERATIONS

CREATE ENDPOINT – See Connect and Authentication

ALTER ON ROLE::

STATEMENTS:

CREATE VIEW

ALTER ANY ENDPOINT – See Connect and Authentication

ALTER ANY EVENT NOTIFICATION

ALTER ANY ROLE

db_securityadmin role

CREATE TYPE

CREATE ANY DATABASE – See Top Level Database Permissions

ALTER ANY ENDPOINT

ALTER ON LIBRARY::

CREATE RULE

ALTER ANY CONNECTION

VIEW ANY DEFINITION

CONTROL ON EXTERNAL LIBRARY::

ALTER ANY USER – See Connect and Authentication – Database Permissions Chart

STATEMENTS:

STATEMENTS:

CREATE/ALTER/DROP server triggers

CREATE/ALTER/DROP server triggers


Database scoped DDL event notifications

Note: EVENT NOTIFICATION permissions also affect service

information about logins.

sysadmin role

ALTER ANY LOGIN

Database scoped event notifications

Granting ALTER ANY USER allows a principal to create a user based

ALTER ANY ROLE – See Database Role Permissions Chart

Top Level Server Permissions

VIEW ANY DEFINITION

DROP ASSEMBLY

CREATE ASSEMBLY

CREATE ASSEMBLY

ALTER ANY EVENT NOTIFICATION

When contained databases are enabled, creating a database user

ALTER ANY SERVICE – See Service Broker Permissions Chart

CONTROL SERVER

ALTER ON ASSEMBLY::

STATEMENTS:

ALTER ASSEMBLY

CONTROL SERVER

CREATE USER

to that user, and it can access SQL Server without a login.

ALTER ANY FULLTEXT CATALOG – See Full-text Permissions Chart

Server Level Permissions for SQL Server

serveradmin role

VIEW DEFINITION ON ASSEMBLY::

REFERENCES ON DATABASE::

Event Notification Permissions (SQL Server only)

NOTES:

ALTER ANY EXTERNAL LIBRARY - See EXTERNAL LIBRARY PERMISSIONS ∫

db_owner role

VIEW DEFINITION ON DATABASE::

Note: CREATE and ALTER ASSEMBLY statements sometimes require server level EXTERNAL ACCESS ASSEMBLY and UNSAFE ASSEMBLY permissions, and can require membership in the sysadmin fixed server role.

EXECUTE AS

CONTROL ON ASSEMBLY::

CONTROL ON DATABASE::

PARTITION & PLAN GUIDE statements

ALTER ANY EXTERNAL FILE FORMAT

db_ddladmin role

ALTER ANY LINKED SERVER

A DENY on a table is overridden by a GRANT on a column. However, a subsequent DENY on the table will remove the column GRANT.

ALTER ON DATABASE::

ALTER ANY DATASPACE

ALTER ANY REMOTE SERVICE BINDING – See Service Broker Permissions Chart

processadmin role

ALTER ANY DATABASE SCOPED CONFIGURATION ?

CREATE LOGIN

CONTROL ON DATABASE::

ADMINISTER BULK OPERATIONS

Object owners can delete them but they do not have full permissions on them.

ALTER ANY DATABASE

ALTER ON USER::

ALTER ANY CONTRACT – See Service Broker Permissions Chart

ALTER ANY DATABASE EVENT NOTIFICATION – See Event Notifications Permissions Chart

USER DATABASE

If you create

a database

ALTER ON DATABASE::

ALTER ANY DATABASE

ALTER ANY COLUMN MASTER KEY

DROP LOGIN

ALTER DATABASE

VIEW DEFINITION ON USER::

STATEMENTS:

ALTER ANY COLUMN ENCRYPTION KEY

ALTER ANY SERVER AUDIT


CONTROL SERVER

ALTER ANY CERTIFICATE – See Certificate Permissions Chart

ALTER LOGIN

dbmanager role

CREATE DATABASE

VIEW DEFINITION ON DATABASE::

VIEW ANY DEFINITION

ALTER ANY ASYMMETRIC KEY – See Asymmetric Key Permissions Chart

STATEMENTS:

CONTROL ON USER::

ALTER ANY ASSEMBLY – See Assembly Permissions Chart

Notes:

• Server-Level Principal Logins are the Server admin and Azure Active Directory Admin accounts.

• Server-level permissions cannot be granted on SQL Database. Use the loginmanager and dbmanager roles in the master database instead.

SQL Database permissions refer to version 12.

VIEW ANY DEFINITION

ALTER ANY APPLICATION ROLE – See Application Roles Permissions Chart

Azure SQL Database Permissions

Outside the Database

ALTER ON DATABASE::

ALTER ANY DATABASE

STATEMENTS: CREATE DATABASE, RESTORE DATABASE

CREATE DATABASE **

CREATE ANY DATABASE

** NOTE: CREATE DATABASE is a database level permission that can only be granted in the master database. For SQL Database use the dbmanager role.

Assembly Permissions

CONTROL ON DATABASE::

CONTROL SERVER

STATEMENTS: DROP DATABASE

CONTROL DATABASE

Connect and Authentication – Database Permissions

How to Read this Chart

Database Engine Permissions

AUTHORIZATION PERMISSION ON SECURABLE::NAME TO PRINCIPAL

Sample grant statement: GRANT UPDATE ON OBJECT::Production.Parts TO PartsTeam

NOTES:

• The CONTROL SERVER permission has all permissions on the instance of SQL Server or SQL Database.

• The CONTROL DATABASE permission has all permissions on the database.

• db_owner has all permissions in the database.

• Permissions do not imply role memberships and role memberships do not grant permissions. (E.g. CONTROL SERVER does not imply membership in the sysadmin fixed server role. Membership in the db_owner role does not grant the CONTROL DATABASE permission.) However, it is sometimes possible to impersonate between roles and equivalent permissions.

• Granting any permission on a securable allows VIEW DEFINITION on that securable. It is an implied permission and it cannot be revoked, but it can be explicitly denied by using the DENY VIEW DEFINITION statement.

• Denying a permission at any level overrides a related grant.

• To remove a previously granted permission, use REVOKE, not DENY.

ALTER ANY DATABASE

CONTROL ON FULLTEXT STOPLIST::

CONTROL ON DATABASE::

CONTROL ON CERTIFICATE::

VIEW DEFINITION ON DATABASE::

VIEW DEFINITION ON CERTIFICATE::

REFERENCES ON DATABASE::

REFERENCES ON CERTIFICATE::

ALTER ON DATABASE::

TAKE OWNERSHIP ON CERTIFICATE::

CONTROL SERVER

VIEW ANY DEFINITION

CONTROL ON DATABASE::

CONTROL ON MESSAGE TYPE::

VIEW DEFINITION ON DATABASE::

REFERENCES ON DATABASE::

VIEW DEFINITION ON MESSAGE TYPE::

REFERENCES ON MESSAGE TYPE::

TAKE OWNERSHIP ON MESSAGE TYPE::

ALTER ANY DATABASE

ALTER ON DATABASE::

CONTROL ON FULLTEXT CATALOG::

ALTER ANY CERTIFICATE

VIEW ANY DEFINITION

VIEW DEFINITION ON SERVER ROLE::

TAKE OWNERSHIP ON SERVER ROLE::

ALTER ANY SERVER ROLE

ALTER ON SERVER ROLE::

VIEW DEFINITION ON SEARCH PROPERTY LIST::

VIEW ANY DEFINITION

VIEW DEFINITION ON DATABASE::

VIEW DEFINITION ON FULLTEXT STOPLIST::

VIEW DEFINITION ON FULLTEXT CATALOG::

STATEMENTS:

REFERENCES ON DATABASE::

DROP SERVER ROLE

ALTER MESSAGE TYPE

DROP MESSAGE TYPE

CREATE CERTIFICATE

REFERENCES ON FULLTEXT STOPLIST::

TAKE OWNERSHIP ON FULLTEXT CATALOG::

NOTES: To add a member to a fixed server role, you must be a member of that fixed server role, or be a member of the sysadmin fixed server role.

TAKE OWNERSHIP ON FULLTEXT STOPLIST::

TAKE OWNERSHIP ON SEARCH PROPERTY LIST::

Database Scoped Credential Permissions ?

ALTER ANY DATABASE

CONTROL SERVER

ALTER ON DATABASE::

CONTROL SERVER

ALTER ANY FULLTEXT CATALOG

ALTER ON FULLTEXT CATALOG::

CONTROL ON AVAILABILITY GROUP::

VIEW ANY DEFINITION

STATEMENTS:

ALTER FULLTEXT CATALOG

STATEMENTS:

ALTER FULLTEXT STOPLIST

CREATE FULLTEXT STOPLIST

VIEW DEFINITION ON AVAILABILITY GROUP::

TAKE OWNERSHIP ON AVAILABILITY GROUP::

ALTER ON AVAILABILITY GROUP::

STATEMENTS:

DROP FULLTEXT CATALOG

ALTER AVAILABILITY GROUP

DROP FULLTEXT STOPLIST

DROP AVAILABILITY GROUP

DROP FULLTEXT SEARCH PROPERTYLIST

CREATE AVAILABILITY GROUP

VIEW DEFINITION ON DATABASE::

VIEW DEFINITION ON DATABASE SCOPED CREDENTIAL :: ?

REFERENCES ON DATABASE::

REFERENCES ON DATABASE SCOPED CREDENTIAL :: ?

TAKE OWNERSHIP ON DATABASE SCOPED CREDENTIAL :: ?

STATEMENTS:

ALTER SEARCH PROPERTY LIST

CREATE SEARCH PROPERTY LIST

CREATE MESSAGE TYPE

CREATE MESSAGE TYPE

CREATE QUEUE

Notes:

• The user executing the CREATE CONTRACT statement must have REFERENCES permission on all message types specified.

• The user executing the CREATE SERVICE statement must have REFERENCES permission on the queue and all contracts specified.

• To execute the CREATE or ALTER REMOTE SERVICE BINDING the user must have impersonate permission for the principal specified in the statement.

• When the CREATE or ALTER MESSAGE TYPE statement specifies a schema collection, the user executing the statement must have REFERENCES permission on the schema collection specified.

• See the ALTER ANY EVENT NOTIFICATION chart for more permissions related to Service Broker.

• See the SCHEMA OBJECTS chart for QUEUE permissions.

• The ALTER CONTRACT permission exists but at this time there is no ALTER CONTRACT statement.

Questions and comments to



ALTER ON DATABASE SCOPED CREDENTIAL :: ?

STATEMENTS:

STATEMENTS:

CREATE AVAILABILITY GROUP

CONTROL ON DATABASE SCOPED CREDENTIAL:: ?

ALTER ON FULLTEXT STOPLIST::

CREATE FULLTEXT CATALOG

ALTER ANY AVAILABILITY GROUP

CONTROL ON DATABASE::

ALTER ON SEARCH PROPERTY LIST::

CREATE FULLTEXT CATALOG

VIEW ANY DEFINITION

STATEMENTS:

ALTER CERTIFICATE

REFERENCES ON FULLTEXT CATALOG::

CREATE SERVER ROLE

Availability Group Permissions

ALTER ON MESSAGE TYPE::

STATEMENTS:

DROP CERTIFICATE

CREATE CERTIFICATE

ALTER ANY MESSAGE TYPE

REFERENCES ON SEARCH PROPERTY LIST::

ALTER SERVER ROLE ADD MEMBER

CREATE SERVER ROLE

Note: ADD SIGNATURE requires CONTROL permission on the certificate, and requires ALTER permission on the object.

ALTER ON CERTIFICATE::

ALTER DATABASE SCOPED CREDENTIAL ?

Notes:

• Creating a full-text index requires ALTER permission on the table and REFERENCES permission on the full-text catalog.

• Dropping a full-text index requires ALTER permission on the table.

DROP DATABASE SCOPED CREDENTIAL ?

CREATE DATABASE SCOPED CREDENTIAL ?

February 28, 2018

© 2018 Microsoft Corporation. All rights reserved.
