Microsoft SQL Server 2017 and Azure SQL Database
Permission Syntax
Most permission statements have the format :
AUTHORIZATION must be GRANT, REVOKE or DENY.
•
PERMISSION is listed in the charts below.
•
ON SECURABLE::NAME is the server, server object, database, or database object and its name. (ON SECURABLE::NAME is omitted
Database Level Permissions
How to Read this Chart •
Most of the more granular permissions are included in more than one higher level scope permission. So permissions can be inherited
Top Level Database Permissions
from more than one type of higher scope. •
Black, green, and purple arrows and boxes point to subordinate permissions that are included in the scope of higher a level permission.
•
Brown arrows and boxes indicate some of the statements that can use the permission.
•
Permissions in black apply to both SQL Server 2016 and Azure SQL Database
•
Permissions in red apply only to SQL Server 2016
•
Permissions marked with ǂ apply to SQL Server 2017 and Azure SQL Database
•
Permissions in blue apply only to Azure SQL Database
•
The newest permissions are underlined
db_owner role
CONTROL SERVER
dbmanager role STATEMENTS: CREATE DATABASE ALTER DATABASE DROP DATABASE
IMPERSONATE ON USER::
ALTER ANY USER
ALTER ANY SERVER AUDIT
STATEMENTS:
ALTER ANY DATABASE AUDIT
CREATE DATABASE AUDIT SPECIFICATION
ALTER ANY DATABASE DDL TRIGGER
CREATE/ALTER/DROP database triggers
ALTER ANY DATABASE EVENT SESSION
CREATE LOGIN
ALTER ANY DATABASE SCOPED CONFIGURATION ǂ
ALTER LOGIN
ALTER ANY DATASPACE
DROP LOGIN
ALTER ANY EXTERNAL DATA SOURCE
CONNECT REPLICATION ON DATABASE:: CONNECT ON DATABASE::
CONNECT ANY DATABASE
ALTER ANY DATABASE
db_accessadmin role
When contained databases are enabled, creating a database user
•
•
that authenticates at the database, grants CONNECT ON DATABASE
ALTER ANY REMOTE SERVICE BINDING – See Service Broker Permissions Chart
on a login, but does not grant the server level permission to view
ALTER ANY ROUTE – See Service Broker Permissions Chart
information about logins.
CREATE USER
STATEMENTS: STATEMENTS: CREATE/ALTER/DROP server triggers CREATE/ALTER/DROP server triggers OPENROWSET(BULK…. OPENROWSET(BULK …
CREATE QUEUE
requires no special permissions.
Event Notification Permissions (SQL Server only) CONTROL SERVER
CONTROL ON DATABASE::
CONTROL SERVER
VIEW ANY DEFINITION
CREATE RULE
ALTER ANY DATABASE
VIEW DEFINITION ON DATABASE::
VIEW DEFINITION ON ROLE::
ALTER ON DATABASE::
TAKE OWNERSHIP ON ROLE::
CREATE TABLE
CREATE/ALTER/DROP CREDENTIAL
CREATE TYPE
ALTER ANY ROLE
db_securityadmin role
ALTER ANY EVENT SESSION setupadmin role
Server scoped event notifications
ALTER ANY DATABASE SCOPED CONFIGURATION
ALTER DATABASE SCOPED CONFIGURATION
Server scoped DDL event notifications
ALTER ANY MASK
ALTER ANY LOGIN – See Connect and Authentication
BACKUP DATABASE BACKUP LOG
securityadmin role
ALTER ANY SERVER AUDIT ALTER ANY SERVER ROLE – See Server Role Permissions
CONTROL ON DATABASE::
CONTROL ON SERVICE::
BACKUP DATABASE
db_backupoperator role
BACKUP LOG CHECKPOINT
VIEW ANY DEFINITION
Application Role Permissions
VIEW DEFINITION ON DATABASE::
EXECUTE STATEMENTS:
DBCC DBCC FREE…CACHE FREE…CACHE and and SQLPERF SQLPERF
REFERENCES
Applies to subordinate objects in the database. See
SELECT SELECT on on server-level server-level DMV’s DMV’s
SELECT
Database Permissions – Schema Objects chart.
ALTER SETTINGS
sp_configure, sp_configure, RECONFIGURE RECONFIGURE
UPDATE
ALTER TRACE
sp_trace_create sp_create_trace
AUTHENTICATE SERVER
Allows Allows server-level server-level delegation delegation
SEND ON SERVICE::
STATEMENTS:
TAKE OWNERSHIP
ALTER AUTHORIZATION
CONNECT SQL – See Connect and Authentication
EXECUTE ANY EXTERNAL SCRIPT
CONNECT ANY DATABASE
KILL DATABASE CONNECTION
IMPERSONATE ANY LOGIN
•
SELECT ALL USER SECURABLES SHUTDOWN*
UNSAFE ASSEMBLY
Notes:
UNMASK
•
VIEW ANY COLUMN MASTER KEY DEFINITION
EXTERNAL ACCESS ASSEMBLY
public role
ALTER ON DATABASE:: ALTER ON SERVICE::
VIEW DEFINITION ON APPLICATION ROLE::
ALTER SERVICE DROP SERVICE CREATE SERVICE
ALTER ANY DATABASE
ALTER AUTHORIZATION exists at many levels in the permission model but is
CREATE SERVICE
ALTER ON DATABASE:: ALTER ANY APPLICATION ROLE
ALTER ON APPLICATION ROLE:: CONTROL SERVER
STATEMENTS:
In both SQL Server and SQL Database the public database role does not initially have access to any user objects.
CONTROL ON DATABASE::
CONTROL ON REMOTE SERVICE BINDING::
ALTER APPLICATION ROLE DROP APPLICATION ROLE
In SQL Server 2016, the public database role has the VIEW ANY COLUMN MASTER KEY DEFINITION and VIEW ANY
CREATE APPLICATION ROLE
COLUMN ENCRYPTION KEY DEFINITION permissions by default. They can be revoked.
VIEW DATABASE STATE
ALTER ANY DATABASE
ALTER AUTHORIZATION for any object might also require IMPERSONATE or
The public database role has many grants to system objects, which is necessary to manage internal actions. •
VIEW ANY COLUMN ENCRYPTION KEY DEFINITION VIEW SERVER STATE
VIEW DEFINITION ON DATABASE::
never inherited from ALTER AUTHORIZATION at a higher level.
SUBSCRIBE QUERY NOTIFICATIONS
CONTROL ON APPLICATION ROLE::
STATEMENTS: VIEW ANY DEFINITION
membership in a role or ALTER permission on a role.
SHOWPLAN
ALTER TRACE
VIEW ANY DEFINITION
•
CONTROL ON DATABASE::
ALTER ANY SERVICE
Notes:
VIEW DEFINITION
VIEW ANY DEFINITION
VIEW ANY DEFINITION
VIEW DEFINITION ON DATABASE::
* NOTE: The SHUTDOWN statement requires the SQL Server SHUTDOWN permission. Starting, stopping, and pausing the Database Engine from SSCM, SSMS, or Windows requires Windows permissions, not SQL Server permissions. public role
Database Permissions – Schema Objects Server Permissions
Database Permissions
Schema Permissions
Connect and Authentication – Server Permissions CONTROL ON SERVER
CONTROL ON DATABASE::
CONTROL ON SCHEMA ::
db_ddladmin role
Symmetric Key Permissions
Object Permissions Type Permissions XML Schema Collection Permissions
ALTER ANY DATABASE
db_datareader role db_denydatareader role
CONTROL ON DATABASE::
CONTROL ON SYMMETRIC KEY::
ALTER ANY LOGIN
VIEW DEFINITION ON LOGIN:: IMPERSONATE ON LOGIN::
STATEMENTS:
ALTER ON LOGIN::
EXECUTE AS
db_datawriter role db_denydatawriter role
STATEMENTS:
securityadmin role
VIEW ANY DEFINITION
ALTER LOGIN, sp_addlinkedsrvlogin DROP LOGIN
STATEMENTS: DROP REMOTE SERVICE BINDING
CONTROL ON OBJECT|TYPE|XML SCHEMA COLLECTION ::
CREATE REMOTE SERVICE BINDING
CREATE LOGIN
SELECT ON SCHEMA::
SELECT ON OBJECT::
INSERT ON DATABASE::
INSERT ON SCHEMA::
INSERT ON OBJECT::< table |view name>
UPDATE ON DATABASE::
UPDATE ON SCHEMA::
UPDATE ON OBJECT::< table |view name>
DELETE ON DATABASE::
DELETE ON SCHEMA::
DELETE ON OBJECT::< table |view name>
Note: OPEN SYMMETRIC KEY requires
EXECUTE ON DATABASE::
EXECUTE ON SCHEMA::
EXECUTE ON OBJECT|TYPE|XML SCHEMA COLLECTION::
VIEW DEFINITION permission on the
REFERENCES ON DATABASE::
REFERENCES ON SCHEMA::
REFERENCES ON OBJECT|TYPE|XML SCHEMA COLLECTION:
key (implied by any permission on the
VIEW DEFINITION ON DATABASE::
VIEW DEFINITION ON SCHEMA::
VIEW DEFINITION ON OBJECT|TYPE|XML SCHEMA COLLECTION::
key), and requires permission on the
TAKE OWNERSHIP ON DATABASE::
TAKE OWNERSHIP ON SCHEMA::
TAKE OWNERSHIP ON OBJECT|TYPE|XML SCHEMA COLLECTION::
key encryption hierarchy.
ALTER ON SCHEMA::
CREATE SCHEMA
Notes: •
The CREATE LOGIN statement creates a login and grants CONNECT SQL to that login.
•
Enabling a login (ALTER LOGIN ENABLE) is not the same as granting CONNECT SQL permission.
CREATE AGGREGATE
•
To map a login to a credential, see ALTER ANY CREDENTIAL.
CREATE DEFAULT
•
When contained databases are enabled, users can access SQL Server without a login. See database user
CREATE FUNCTION
permissions.
CREATE PROCEDURE
To connect using a login you must have :
CREATE QUEUE
An enabled login
CREATE RULE
o
CONNECT SQL
CREATE SYNONYM
o
CONNECT for the database (if specified)
CREATE TABLE
CONTROL SERVER
PROCEDURE
VIEW ANY DEFINITION
QUEUE RULE ALTER ANY DATABASE
SYNONYM
STATEMENTS:
VIEW ANY DEFINITION
ALTER SYMMETRIC KEY
VIEW DEFINITION ON DATABASE::
VIEW DEFINITION ON CONTRACT::
REFERENCES ON DATABASE::
REFERENCES ON CONTRACT:: TAKE OWNERSHIP ON CONTRACT::
DROP SYMMETRIC KEY CREATE SYMMETRIC KEY
CREATE SYMMETRIC KEY
ALTER ANY DATABASE
ALTER ON DATABASE:: ALTER ON CONTRACT:: STATEMENTS: DROP CONTRACT
CONTROL ON DATABASE::
CREATE CONTRACT
CONTROL ON ASYMMETRIC KEY::
VIEW DEFINITION ON DATABASE::
VIEW DEFINITION ON ASYMMETRIC KEY::
REFERENCES ON DATABASE::
REFERENCES ON ASYMMETRIC KEY::
ALTER ON DATABASE::
TAKE OWNERSHIP ON ASYMMETRIC KEY::
CONTROL SERVER
VIEW ANY DEFINITION
TABLE
CONTROL ON DATABASE::
CONTROL ON ROUTE::
VIEW DEFINITION ON DATABASE::
ALTER ANY ASYMMETRIC KEY
(All permissions do not apply to all objects. For example
ALTER ON ASYMMETRIC KEY::
Note: ADD SIGNATURE requires
STATEMENTS:
CONTROL permission on the key, and
ALTER ASYMMETRIC KEY
requires ALTER permission on the
DROP ASYMMETRIC KEY
object.
CREATE ASYMMETRIC KEY
ALTER ANY DATABASE
ALTER ON DATABASE:: ALTER ANY ROUTE
ALTER ON ROUTE:: STATEMENTS:
CREATE ASYMMETRIC KEY
ALTER ROUTE
Notes: •
DROP ROUTE
To create a schema object (such as a table) you must have CREATE permission for that object type
•
•
To drop an object (such as a table) you must have ALTER permission on the schema or CONTROL
CREATE ROUTE
permission on the object.
plus ALTER ON SCHEMA:: for the schema of the object. Might require REFERENCES ON
DROP ENDPOINT
VIEW DEFINITION ON ROUTE:: TAKE OWNERSHIP ON ROUTE::
VIEW
CREATE VIEW
ALTER ENDPOINT
CONTROL SERVER
CONTROL ON CONTRACT::
ALTER ON SYMMETRIC KEY::
FUNCTION
VIEW DEFINITION ON ENDPOINT::
•
To create an index requires ALTER OBJECT:: permission on the table or view.
To alter an object (such as a table) you must have ALTER permission on the object (or schema), or
•
To create or alter a trigger on a table or view requires ALTER OBJECT:: on the table or view.
CONTROL permission on the object.
•
To create statistics requires ALTER OBJECT:: on the table or view.
CONTROL SERVER
VIEW ANY DEFINITION
CONTROL ON SERVER ROLE::
CONTROL ON SEARCH PROPERTY LIST:: CONTROL SERVER
CONTROL ON DATABASE::
CREATE ROUTE
Certificate Permissions
OBJECT:: for any referenced CLR type or XML schema collection.
Full-text Permissions
Server Role Permissions
CONTROL ON DATABASE::
DEFAULT
TAKE OWNERSHIP ON ENDPOINT::
CREATE ENDPOINT
CONTROL SERVER
CREATE REMOTE SERVICE BINDING
AGGREGATE
CONNECT ON ENDPOINT::
CREATE ENDPOINT
TAKE OWNERSHIP ON SYMMETRIC KEY::
CREATE CONTRACT
UPDATE only applies to tables and views.)
STATEMENTS:
ALTER ON DATABASE::
Asymmetric Key Permissions
ALTER ON OBJECT|TYPE|XML SCHEMA COLLECTION::
OBJECT permissions apply to the following database objects:
CREATE XML SCHEMA COLLECTION
ALTER ON ENDPOINT::
REFERENCES ON SYMMETRIC KEY::
ALTER ANY CONTRACT
CREATE SEQUENCE
CREATE TYPE
CONTROL ON ENDPOINT::
ALTER ANY ENDPOINT
REFERENCES ON DATABASE::
ALTER ON DATABASE:: ALTER ANY SCHEMA
VIEW ANY DEFINITION
VIEW DEFINITION ON SYMMETRIC KEY::
ALTER ANY SYMMETRIC KEY
RECEIVE ON OBJECT::
CONNECT SQL
o
ALTER ANY DATABASE
VIEW DEFINITION ON DATABASE::
SELECT ON OBJECT:: ALTER ANY DATABASE
•
VIEW CHANGE TRACKING ON OBJECT::
SELECT ON DATABASE::
VIEW ANY DATABASE
ALTER ON REMOTE SERVICE BINDING::
ALTER REMOTE SERVICE BINDING
VIEW ANY DEFINITION VIEW CHANGE TRACKING ON SCHEMA::
ALTER ON DATABASE:: ALTER ANY REMOTE SERVICE BINDING
CONTROL SERVER
CONTROL ON LOGIN::
VIEW ANY DEFINITION
VIEW DEFINITION ON REMOTE SERVICE BINDING:: TAKE OWNERSHIP ON REMOTE SERVICE BINDING::
VIEW ANY DATABASE – See Database Permissions – Schema
CONTROL SERVER
VIEW DEFINITION ON SERVICE:: TAKE OWNERSHIP ON SERVICE::
CONTROL SERVER
INSERT
SHUTDOWN
CONTROL SERVER
DELETE
CREATE SERVER ROLE – See Server Role Permissions
VIEW SERVER STATE
CREATE ROLE
members from fixed database roles.
CONNECT REPLICATION – See Connect and Authentication – Database Permissions Chart
ALTER RESOURCES (NA. Use diskadmin role instead.) ALTER SERVER STATE
NOTES: Only members of the db_owner
Combined with TRUSTWORTHY allows delegation of authentication
CHECKPOINT CREATE/ALTER/DROP SERVER AUDIT and SERVER AUDIT SPECIFICATION
CREATE ROLE
fixed database role can add or remove
AUTHENTICATE
sp_addlinkedserver
Service Broker Permissions (SQL Server only)
DROP ROLE
STATEMENTS:
Extended event sessions
ALTER ON ROLE::
ALTER ROLE ADD MEMBER
ADMINISTER DATABASE BULK OPERATIONS
AUTHENTICATE SERVER
Event notifications on trace events
CREATE TRACE EVENT NOTIFICATION
STATEMENTS:
ALTER ANY ENDPOINT – See Connect and Authentication CREATE ENDPOINT – See Connect and Authentication
Database scoped DDL event notifications
Note: EVENT NOTIFICATION permissions also affect service
CREATE XML SCHEMA COLLECTION
CREATE ANY DATABASE – See Top Level Database Permissions
CREATE DATABASE DDL EVENT NOTIFICATION
broker. See the service broker chart for more into.
CREATE VIEW
dbcreator role
Database scoped event notifications
ALTER ANY DATABASE EVENT NOTIFICATION
ALTER ANY EVENT NOTIFICATION
CONTROL ON ROLE::
CREATE DDL EVENT NOTIFICATION
CREATE PROCEDURE
Event notifications on trace events
CONTROL ON DATABASE::
Database Role Permissions
CREATE FUNCTION
KILL
CREATE ASSEMBLY
SQL Database can be a push replication subscriber which
ALTER ANY SYMMETRIC KEY – See Symmetric Key Permissions Chart
CREATE AVAILABILTY GROUP
CREATE TRACE EVENT NOTIFICATION
DROP ASSEMBLY CREATE ASSEMBLY
ALTER ON DATABASE::
ALTER ANY SERVICE – See Service Broker Permissions Chart
CREATE DEFAULT
ALTER ON ASSEMBLY::
ALTER ASSEMBLY Note: CREATE and ALTER ASSEMBLY statements sometimes require server level EXTERNAL ACCESS ASSEMBLY and UNSAFE ASSEMBLY permissions, and can require membership in the sysadmin fixed server role.
CREATE SYNONYM
CREATE DDL EVENT NOTIFICATION
TAKE OWNERSHIP ON ASSEMBLY::
Granting ALTER ANY USER allows a principal to create a user based
ALTER ANY ROLE – See Database Role Permissions Chart
ALTER ANY SECURITY POLICY
ALTER ANY AVAILABILITY GROUP – See Availability Group Permissions
ALTER ANY EVENT NOTIFICATION
ALTER ON DATABASE::
STATEMENTS:
CREATE AGGREGATE
ALTER ANY DATABASE – See Database Permission Charts
REFERENCES ON ASSEMBLY::
ALTER ANY SCHEMA – See Database Permissions – Schema Objects Chart
sysadmin role
ALTER ANY CREDENTIAL
REFERENCES ON DATABASE::
ALTER ANY ASSEMBLY
to that user, and it can access SQL Server without a login. •
ALTER ANY USER – See Connect and Authentication – Database Permissions Chart
ALTER ANY CONNECTION
VIEW DEFINITION ON ASSEMBLY::
NOTES:
ALTER ANY MESSAGE TYPE – See Service Broker Permissions Chart
Top Level Server Permissions
serveradmin role
EXECUTE AS
VIEW DEFINITION ON DATABASE::
PARTITION & PLAN GUIDE statements
ALTER ANY FULLTEXT CATALOG – See Full-text Permissions Chart
Server Level Permissions for SQL Server
ALTER ANY LINKED SERVER
VIEW ANY DEFINITION
DROP USER
ALTER ANY EXTERNAL FILE FORMAT
db_owner role
bulkadmin role
CONTROL ON ASSEMBLY::
CONTROL ON DATABASE::
ALTER USER
ALTER ANY DATABASE EVENT NOTIFICATION – See Event Notifications Permissions Chart
CONTROL ON DATABASE::
ADMINISTER BULK OPERATIONS
A DENY on a table is overridden by a GRANT on a column. However, a subsequent DENY on the table will remove the column GRANT.
STATEMENTS:
ALTER ANY CONTRACT – See Service Broker Permissions Chart
STATEMENTS:
CONTROL SERVER
•
ALTER ON USER::
ALTER ANY COLUMN MASTER KEY
db_ddladmin role
processadmin role
ALTER ON DATABASE::
ALTER ANY DATABASE
ALTER ANY COLUMN ENCRYPTION KEY
USER DATABASE
If you create a database
Object owners can delete them but they do not have full permissions on them.
ALTER ANY CERTIFICATE – See Certificate Permissions Chart
ALTER ANY EVENT NOTIFICATION
loginmanager role loginmanager role
•
STATEMENTS:
ALTER ANY ASYMMETRIC KEY – See Asymmetric Key Permissions Chart
Notes: • Server-Level Principal Logins are the Server admin and Azure Active Directory Admin accounts. • Server-level permissions cannot be granted on SQL Database. Use the loginmanager and dbmanager roles in the master database instead.
Top Level Server Permissions
SQL Database permissions refer to version 12.
CONTROL SERVER
VIEW DEFINITION ON USER::
ALTER ANY APPLICATION ROLE – See Application Roles Permissions Chart ALTER ANY ASSEMBLY – See Assembly Permissions Chart
Server-Level Principal Logins
VIEW DEFINITION ON DATABASE::
VIEW ANY DEFINITION
Azure SQL Database Permissions Outside the Database
•
granted in the master database. For SQL Database use the dbmanager role.
ALTER ON DATABASE::
ALTER ANY DATABASE
Granting any permission on a securable allows VIEW DEFINITION on that securable. It is an implied permissions and it cannot be revoked,
** NOTE: CREATE DATABASE is a database level permission that can only be
STATEMENTS: CREATE DATABASE, RESTORE DATABASE
CREATE DATABASE **
CREATE ANY DATABASE
CONTROL ON USER::
CONTROL ON DATABASE::
CONTROL SERVER
STATEMENTS: DROP DATABASE
CONTROL DATABASE
Permissions do not imply role memberships and role memberships do not grant permissions. (E.g. CONTROL SERVER does not imply
Assembly Permissions
Connect and Authentication – Database Permissions
db_owner has all permissions in the database.
•
but it can be explicitly denied by using the DENY VIEW DEFINITION statement.
Sample grant statement: GRANT UPDATE ON OBJECT::Production.Parts TO PartsTeam To remove a previously granted permission, use REVOKE, not DENY.
The CONTROL DATABASE permission has all permissions on the database.
•
PRINCIPAL is the login, user, or role which receives or loses the permission. Grant permissions to roles whenever possible.
Denying a permission at any level, overrides a related grant.
•
However, it is sometimes possible to impersonate between roles and equivalent permissions.
for server-wide and database-wide permissions.) •
The CONTROL SERVER permission has all permissions on the instance of SQL Server or SQL Database.
membership in the sysadmin fixed server role. Membership in the db_owner role does not grant the CONTROL DATABASE permission.)
Database Engine Permissions
AUTHORIZATION PERMISSION ON SECURABLE::NAME TO PRINCIPAL •
NOTES: •
ALTER ANY DATABASE
CONTROL ON FULLTEXT STOPLIST::
CONTROL ON DATABASE::
CONTROL ON CERTIFICATE::
VIEW DEFINITION ON DATABASE::
VIEW DEFINITION ON CERTIFICATE::
REFERENCES ON DATABASE::
REFERENCES ON CERTIFICATE::
ALTER ON DATABASE::
TAKE OWNERSHIP ON CERTIFICATE::
CONTROL SERVER
VIEW ANY DEFINITION
CONTROL ON DATABASE::
CONTROL ON MESSAGE TYPE::
VIEW DEFINITION ON DATABASE::
VIEW DEFINITION ON MESSAGE TYPE::
REFERENCES ON DATABASE::
REFERENCES ON MESSAGE TYPE:: TAKE OWNERSHIP ON MESSAGE TYPE::
ALTER ANY DATABASE
ALTER ON DATABASE::
CONTROL ON FULLTEXT CATALOG:: ALTER ANY CERTIFICATE VIEW ANY DEFINITION ALTER ANY SERVER ROLE
ALTER ON SERVER ROLE::
VIEW DEFINITION ON SEARCH PROPERTY LIST:: VIEW ANY DEFINITION
VIEW DEFINITION ON DATABASE::
VIEW DEFINITION ON FULLTEXT STOPLIST::
Note: ADD SIGNATURE requires CONTROL permission on the certificate, and requires ALTER permission on the object.
VIEW DEFINITION ON FULLTEXT CATALOG::
STATEMENTS: REFERENCES ON DATABASE::
DROP SERVER ROLE
STATEMENTS:
ALTER MESSAGE TYPE
ALTER CERTIFICATE
DROP MESSAGE TYPE
DROP CERTIFICATE CREATE CERTIFICATE
CREATE CERTIFICATE
REFERENCES ON FULLTEXT STOPLIST:: REFERENCES ON FULLTEXT CATALOG::
CREATE SERVER ROLE TAKE OWNERSHIP ON FULLTEXT CATALOG::
NOTES: To add a member to a fixed server role, you must be a member of
TAKE OWNERSHIP ON FULLTEXT STOPLIST::
TAKE OWNERSHIP ON SEARCH PROPERTY LIST::
Database Scoped Credential Permissions ǂ
that fixed server role, or be a member of the sysadmin fixed server role. ALTER ANY DATABASE
CONTROL SERVER
ALTER ON DATABASE::
CONTROL SERVER
ALTER ANY FULLTEXT CATALOG ALTER ON FULLTEXT CATALOG::
CONTROL ON AVAILABILITY GROUP::
VIEW ANY DEFINITION
STATEMENTS: ALTER FULLTEXT CATALOG CREATE FULLTEXT CATALOG
STATEMENTS: ALTER FULLTEXT STOPLIST CREATE FULLTEXT STOPLIST
VIEW DEFINITION ON AVAILABILITY GROUP:: TAKE OWNERSHIP ON AVAILABILITY GROUP::
ALTER ANY AVAILABILITY GROUP
ALTER ON AVAILABILITY GROUP:: STATEMENTS:
DROP FULLTEXT CATALOG
ALTER AVAILABILITY GROUP
DROP FULLTEXT STOPLIST
DROP AVAILABILITY GROUP CREATE AVAILABILITY GROUP
CREATE MESSAGE TYPE
CREATE MESSAGE TYPE
CREATE QUEUE
VIEW DEFINITION ON DATABASE::
VIEW DEFINITION ON DATABASE SCOPED CREDENTIAL :: ǂ
REFERENCES ON DATABASE::
REFERENCES ON DATABASE SCOPED CREDENTIAL :: ǂ TAKE OWNERSHIP ON DATABASE SCOPED CREDENTIAL :: ǂ
STATEMENTS: ALTER SEARCH PROPERTY LIST
Notes: • The user executing the CREATE CONTRACT statement must have REFERENCES permission on all message types specified. • The user executing the CREATE SERVICE statement must have REFERENCES permission on the queue and all contracts specified. • To execute the CREATE or ALTER REMOTE SERVICE BINDING the user must have impersonate permission for the principal specified in the statement. • When the CREATE or ALTER MESSAGE TYPE statement specifies a schema collection, the user executing the statement must have REFERENCES permission on the schema collection specified. • See the ALTER ANY EVENT NOTIFICATION chart for more permissions related to Service Broker. • See the SCHEMA OBJECTS chart for QUEUE permissions. • The ALTER CONTRACT permission exists but at this time there is no ALTER CONTRACT statement.
Questions and comments to [email protected]
ALTER ON DATABASE SCOPED CREDENTIAL :: ǂ
CREATE SEARCH PROPERTY LIST STATEMENTS:
STATEMENTS:
CREATE AVAILABILITY GROUP
CONTROL ON DATABASE SCOPED CREDENTIAL:: ǂ
ALTER ON FULLTEXT STOPLIST::
CREATE FULLTEXT CATALOG
VIEW ANY DEFINITION
CONTROL ON DATABASE::
ALTER ON SEARCH PROPERTY LIST::
Availability Group Permissions
ALTER ON MESSAGE TYPE::
REFERENCES ON SEARCH PROPERTY LIST::
ALTER SERVER ROLE ADD MEMBER CREATE SERVER ROLE
ALTER ANY MESSAGE TYPE
STATEMENTS:
VIEW DEFINITION ON SERVER ROLE:: TAKE OWNERSHIP ON SERVER ROLE::
ALTER ON CERTIFICATE::
DROP FULLTEXT SEARCH PROPERTYLIST
ALTER DATABASE SCOPED CREDENTIAL ǂ Notes: •
Creating a full-text index requires ALTER permission on the table and REFERENCES permission on the full-text catalog.
•
Dropping a full-text index requires ALTER permission on the table.
DROP DATABASE SCOPED CREDENTIAL ǂ CREATE DATABASE SCOPED CREDENTIAL ǂ
May 4, 2017 © 2017 Microsoft Corporation. All rights reserved.
