Saturday, 20 February 2016

Permissions - Server & Database Roles

When assigning permissions, it is important to always grant the least privileged role - minimum permission to perform the function that is required.

 Server Roles:
More info from MSDN
Fixed server-level role
Description
sysadmin
Members of this role can perform any action on the SQL Server instance. Initial membership of this role happens at installation
serveradmin
Members can perform instance wide administration tasks, including shutting down the instance
securityadmin
Members can manage instance level permissions. Permissions for this role are equivalent to sysadmin - as members of this role can elevate their own permissions to sysadmin
processadmin
Members can view and terminate processes on the database engine
setupadmin
Members can add / remove linked servers to the database instance, and execute some system stored procedures
bulkadmin
Members can run the BULK INSERT statement
diskadmin
Members can administer database file configuration
dbcreator
Ability to create databases (database will be owned by the creator)
public
Every login is automatically a member of the public role; you cannot change membership for public. You can change the permissions for public however. If a user has no permissions granted, they will revert to the permissions assigned to public
Database Roles:
More info from MSDN
Database-level role name
Description
db_owner
Has permissions to do anything within the database
db_securityadmin
Members can administer security of roles (note: can elevate their own permissions to db_owner)
db_accessadmin
Can administer who has access to database for Windows Logins, Windows Groups and SQL Server Logins
db_backupoperator
Members have ability to backup the database. Cannot restore the database - this is reserved for dbcreator / sysadmin fixed server roles
db_ddladmin
Can perform any Data Definition Language (DDL) operations (those that create / modify structure of database), e.g. CREATE, ALTER, DROP, TRUNCATE
db_datawriter
Allows users to add / delete / update data on all user tables
db_datareader
Allows users to read data from all user tables
db_denydatawriter
Members cannot add / delete / update any data in any user tables
db_denydatareader
Members cannot read data from any user tables
:
-
Labels: , , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Updating massive amount of rows whilst avoiding blocking

The following SQL is a good means to split an update on a massive table into smaller chunks, whilst reducing blocking. The method is to upda...