Tuesday, October 16, 2012

Permissions of SQL Server Fixed Database Roles

Fixed database roles can be mapped to the more detailed permissions that are included in SQL Server. 

Fixed database roles are provided for convenience and backward compatibility. 

All fixed database roles are granted with Server-level permission VIEW ANY DATABASE.

Fixed database role
Database-level permission
db_accessadmin
Granted: ALTER ANY USER, CREATE SCHEMA
Granted with GRANT option: CONNECT
db_backupoperator
Granted: BACKUP DATABASE, BACKUP LOG, CHECKPOINT
db_datareader
Granted: SELECT
db_datawriter
Granted: DELETE, INSERT, UPDATE
db_ddladmin
Granted: ALTER ANY ASSEMBLY, ALTER ANY ASYMMETRIC KEY, ALTER ANY CERTIFICATE, ALTER ANY CONTRACT, ALTER ANY DATABASE DDL TRIGGER, ALTER ANY DATABASE EVENT, NOTIFICATION, ALTER ANY DATASPACE, ALTER ANY FULLTEXT CATALOG, ALTER ANY MESSAGE TYPE, ALTER ANY REMOTE SERVICE BINDING, ALTER ANY ROUTE, ALTER ANY SCHEMA, ALTER ANY SERVICE, ALTER ANY SYMMETRIC KEY, CHECKPOINT, CREATE AGGREGATE, CREATE DEFAULT, CREATE FUNCTION, CREATE PROCEDURE, CREATE QUEUE, CREATE RULE, CREATE SYNONYM, CREATE TABLE, CREATE TYPE, CREATE VIEW, CREATE XML SCHEMA COLLECTION, REFERENCES
db_denydatareader
Denied: SELECT
db_denydatawriter
Denied: DELETE, INSERT, UPDATE
db_owner
Granted with GRANT option: CONTROL
db_securityadmin
Granted: ALTER ANY APPLICATION ROLE, ALTER ANY ROLE, CREATE SCHEMA, VIEW DEFINITION
dbm_monitor
Granted: VIEW most recent status in Database Mirroring Monitor
Important noteImportant
The dbm_monitor fixed database role is created in the msdb database when the first database is registered in Database Mirroring Monitor. The new dbm_monitor role has no members until a system administrator assigns users to the role.

For more info: http://msdn.microsoft.com/en-us/library/ms189612(v=sql.105).aspx