Like Windows groups, SQL Server provides two roles,
server- and database-level roles into which logins and users can be
added. Server-level roles are fixed roles that have a serverwide
permission scope. Each built-in role serves a specific purpose and
have the required permissions associated with them. Although you are
limited to the built-in server-level roles, you can create new
database-level roles in addition to those available to suit more
specific needs.
SQL Server logins, Windows accounts, and Windows groups can be added to server-level roles. Server-level roles are as follows:
sysadmin
– Perform any activity in the server. By default, the
BUILTIN\Administrators group and the local administrator’s group are
members of the sysadmin role.
serveradmin – Change server-wide configuration options and shut down the server.
securityadmin
– Manage logins and their properties. They will be able to reset
passwords for SQL Server logins and GRANT, DENY, and Revoke
database-level and server-level permissions.
processadmin – End processes running in an instance of SQL Server.
setupadmin – Add and remove linked servers.
bulkadmin – Run the BULK INSERT statement.
diskadmin – Manage disk files.
dbcreator – CREATE, ALTER, DROP, and restore any database.
You can find the following objects in the master database that can help when working with server-level roles:
sp_helpsrvrole – Returns a list of server-level roles.
sp_helpsrvrolemember – Returns information about the members of a server-level role.
sp_srvrolepermission – Displays the permissions of a server-level role.
IS_SRVROLEMEMBER – Indicates whether a SQL Server login is a member of the specified server-level role.
sys.server_role_members – Returns one row for each member of each server-level role.
sp_addsrvrole_member – Adds a login as a member of a server-level role.
sp_dropsrvrole_member – Removes a SQL Server login or a Windows user or group from a server-level role.
There
are two types of database-level roles, fixed database roles that are
predefined in the database and flexible database roles that you can
create.
The fixed database-level roles are:
db_owner – Can drop the database as well as permission to perform all configuration and maintenance tasks.
db_security_admin
– Can modify role membership and manage permissions. Please be careful
when adding principals to this role; an unintended privilege escalation
could result.
db_accessadmin – Can add or remove database access for Windows logins, Windows groups, and SQL Server logins.
db_backupoperator – Can back up the database.
db_ddladmin – Can run any Data Definition Language command.
db_datawriter – Can add, delete, or change data in all user tables.
db_datareader – Can read all data from all user tables.
db_denydatawriter – Will deny permission in the database to add, modify, or delete any data in the user tables.
db_denydatareader – Will deny permission in the database to read any data in the user tables.
These objects can be helpful when working with Database-level roles:
sp_helpdbfixedrole – Returns a list of the fixed database roles.
sp_dbfixedrolepermission – Displays the permissions of a fixed database role.
sp_helprole – Returns information about the roles in the current database.
sp_helprolemember – Returns information about the members of a role in the current database.
sys.database_role_members – Returns one row for each member of each database role.
IS_MEMBER
– Indicates whether the current user is a member of the specified
Microsoft Windows group or Microsoft SQL Server database role.
CREATE_ROLE – Creates a new database role in the current database.
ALTER_ROLE – Changes the name of a database role.
DROP_ROLE – Removes a role from the database.
sp_addrole – Creates a new database role in the current database.
sp_droprole – Removes a database role from the current database.
sp_addrolemember
– Adds a database user, database role, Windows login, or Windows group
to a database role in the current database.
sp_droprolemember – Removes a security account from a SQL Server role in the current database.
Figure 1 shows the fixed server roles. Figure 2 shows the predefined database roles.