NOTES: • The CONTROL SERVER permission has all permissions on the instance of SQL Server or SQL Database.

Microsoft SQL Server 2017 and Azure SQL Database

• The CONTROL DATABASE permission has all permissions on the database.
Permission Syntax • Permissions do not imply role memberships and role memberships do not grant permissions. (E.g. CONTROL SERVER does not imply
Most permission statements have the format :
membership in the sysadmin fixed server role. Membership in the db_owner role does not grant the CONTROL DATABASE permission.)

Database Engine Permissions

AUTHORIZATION PERMISSION ON SECURABLE::NAME TO PRINCIPAL
However, it is sometimes possible to impersonate between roles and equivalent permissions.
• AUTHORIZATION must be GRANT, REVOKE or DENY.
• PERMISSION is listed in the charts below. • Granting any permission on a securable allows VIEW DEFINITION on that securable. It is an implied permissions and it cannot be revoked,
• ON SECURABLE::NAME is the server, server object, database, or database object and its name. (ON SECURABLE::NAME is omitted but it can be explicitly denied by using the DENY VIEW DEFINITION statement.
for server-wide and database-wide permissions.)
• SQL Database permissions refer to version 12.
• PRINCIPAL is the login, user, or role which receives or loses the permission. Grant permissions to roles whenever possible.
• Object owners can delete them but they do not have full permissions on them.
Sample grant statement: GRANT UPDATE ON OBJECT::Production.Parts TO PartsTeam
Denying a permission at any level, overrides a related grant. • A DENY on a table is overridden by a GRANT on a column. However, a subsequent DENY on the table will remove the column GRANT.
To remove a previously granted permission, use REVOKE, not DENY.

How to Read this Chart

• Most of the more granular permissions are included in more than one higher level scope permission. So permissions can be inherited
Database Level Permissions
from more than one type of higher scope. Top Level Database Permissions db_owner role db_owner has all permissions in the database. Connect and Authentication – Database Permissions Assembly Permissions
• Black, green, and purple arrows and boxes point to subordinate permissions that are included in the scope of higher a level permission.
• Brown arrows and boxes indicate some of the statements that can use the permission. CONTROL SERVER STATEMENTS: DROP DATABASE CONTROL SERVER CONTROL ON DATABASE::<name> CONTROL ON USER::<name> CONTROL SERVER CONTROL ON DATABASE::<name> CONTROL ON ASSEMBLY::<name>
CONTROL DATABASE
• Permissions in black apply to both SQL Server 2016 and Azure SQL Database
• Permissions in red apply only to SQL Server 2016 and later
CREATE DATABASE ** STATEMENTS: CREATE DATABASE, RESTORE DATABASE ** NOTE: CREATE DATABASE is a database level permission that can only be VIEW ANY DEFINITION VIEW DEFINITION ON DATABASE::<name> VIEW DEFINITION ON ASSEMBLY::<name>
• Permissions marked with § apply only to SQL Server 2017 CREATE ANY DATABASE
• Permissions marked with ǂ apply to SQL Server 2017 and Azure SQL Database ALTER ANY DATABASE ALTER ON DATABASE::<name> granted in the master database. For SQL Database use the dbmanager role. REFERENCES ON DATABASE::<name> REFERENCES ON ASSEMBLY::<name>
VIEW ANY DEFINITION VIEW DEFINITION ON DATABASE::<name> VIEW DEFINITION ON USER::<name> ALTER ANY DATABASE
• Permissions in blue apply only to Azure SQL Database ALTER ANY APPLICATION ROLE – See Application Roles Permissions Chart ALTER ON DATABASE::<name> TAKE OWNERSHIP ON ASSEMBLY::<name>
• The newest permissions are underlined STATEMENTS:
ALTER ANY ASSEMBLY – See Assembly Permissions Chart
Note: ALTER ANY ASSEMBLY ALTER ON ASSEMBLY::<name>
ALTER ANY ASYMMETRIC KEY – See Asymmetric Key Permissions Chart ALTER ANY DATABASE ALTER ON DATABASE::<name> IMPERSONATE ON USER::<name> EXECUTE AS CREATE and ALTER ASSEMBLY
statements sometimes require server STATEMENTS:
ALTER ANY CERTIFICATE – See Certificate Permissions Chart

Azure SQL Database Permissions ALTER ANY COLUMN ENCRYPTION KEY

ALTER ANY COLUMN MASTER KEY
ALTER ANY USER ALTER ON USER::<name>
level EXTERNAL ACCESS ASSEMBLY
and UNSAFE ASSEMBLY permissions,
and can require membership in the
ALTER ASSEMBLY
DROP ASSEMBLY

Outside the Database

CREATE ASSEMBLY CREATE ASSEMBLY
Notes: sysadmin fixed server role.
ALTER ANY CONTRACT – See Service Broker Permissions Chart STATEMENTS: STATEMENTS:
• Server-Level Principal Logins are the Server admin and Azure Active Directory ALTER ANY SERVER AUDIT ALTER ANY DATABASE AUDIT CREATE DATABASE AUDIT SPECIFICATION ALTER USER
Admin accounts.
• Server-level permissions cannot be granted on SQL Database. Use the ALTER ANY DATABASE DDL TRIGGER DROP USER
Event Notification Permissions (SQL Server only)
Top Level Server Permissions loginmanager and dbmanager roles in the master database instead. ALTER ANY EVENT NOTIFICATION ALTER ANY DATABASE EVENT NOTIFICATION – See Event Notifications Permissions Chart
CREATE/ALTER/DROP database triggers

CONNECT ANY DATABASE CONNECT REPLICATION ON DATABASE::<name>

CONTROL SERVER CONTROL ON DATABASE::<name>
ALTER ANY DATABASE EVENT SESSION CONNECT ON DATABASE::<name> CREATE USER
STATEMENTS:
loginmanager role ALTER ANY DATABASE SCOPED CONFIGURATION ǂ
Server-Level Principal Logins loginmanager role CREATE LOGIN ALTER ON DATABASE::<name>
ALTER ANY DATASPACE PARTITION & PLAN GUIDE statements
ALTER LOGIN
ALTER ANY EXTERNAL DATA SOURCE
dbmanager role DROP LOGIN NOTES: ALTER ANY EVENT NOTIFICATION ALTER ANY DATABASE EVENT NOTIFICATION Database scoped event notifications
ALTER ANY EXTERNAL FILE FORMAT
• When contained databases are enabled, creating a database user • SQL Database can be a push replication subscriber which
STATEMENTS: ALTER ANY EXTERNAL LIBRARY - See EXTERNAL LIBRARY PERMISSIONS § db_accessadmin role CREATE DDL EVENT NOTIFICATION CREATE DATABASE DDL EVENT NOTIFICATION Database scoped DDL event notifications
USER DATABASE that authenticates at the database, grants CONNECT ON DATABASE requires no special permissions.
If you create
CREATE DATABASE
a database db_owner role to that user, and it can access SQL Server without a login. CREATE TRACE EVENT NOTIFICATION Event notifications on trace events
ALTER DATABASE ALTER ANY FULLTEXT CATALOG – See Full-text Permissions Chart
• Granting ALTER ANY USER allows a principal to create a user based
DROP DATABASE CONTROL ON DATABASE::<name> ALTER ANY MESSAGE TYPE – See Service Broker Permissions Chart
on a login, but does not grant the server level permission to view
ALTER ANY REMOTE SERVICE BINDING – See Service Broker Permissions Chart Note: EVENT NOTIFICATION permissions also affect service
information about logins.
ALTER ANY ROLE – See Database Role Permissions Chart broker. See the service broker chart for more into.
db_ddladmin role
ALTER ANY ROUTE – See Service Broker Permissions Chart

Server Level Permissions for SQL Server

ALTER ANY SCHEMA – See Database Permissions – Schema Objects Chart
ALTER ANY SECURITY POLICY
Database Role Permissions External Library Permissions
ALTER ANY SERVICE – See Service Broker Permissions Chart
CONTROL SERVER CONTROL ON DATABASE::<name> CONTROL ON ROLE::<name> CONTROL SERVER CONTROL ON DATABASE::<name> CONTROL ON EXTERNAL LIBRARY::<name>
ALTER ANY SYMMETRIC KEY – See Symmetric Key Permissions Chart
Top Level Server Permissions ALTER ANY USER – See Connect and Authentication – Database Permissions Chart
sysadmin role
VIEW ANY DEFINITION VIEW DEFINITION ON DATABASE::<name> VIEW DEFINITION ON EXTERNAL LIBRARY::<name>
STATEMENTS:
STATEMENTS: CREATE AGGREGATE
CONTROL SERVER CREATE/ALTER/DROP server triggers CREATE DEFAULT
CREATE/ALTER/DROP server triggers VIEW ANY DEFINITION VIEW DEFINITION ON DATABASE::<name> VIEW DEFINITION ON ROLE::<name>
CREATE FUNCTION ALTER ANY DATABASE ALTER ON DATABASE::<name> TAKE OWNERSHIP ON EXTERNAL LIBRARY::<name>
ADMINISTER BULK OPERATIONS bulkadmin role OPENROWSET(BULK….
OPENROWSET(BULK … CREATE PROCEDURE
ALTER ANY EXTERNAL LIBRARY ALTER ON LIBRARY::<name>
ALTER ANY AVAILABILITY GROUP – See Availability Group Permissions CREATE QUEUE ALTER ANY DATABASE ALTER ON DATABASE::<name> TAKE OWNERSHIP ON ROLE::<name>
CREATE AVAILABILTY GROUP STATEMENTS:
CREATE RULE
ALTER ANY CONNECTION ALTER EXTERNAL LIBRARY
KILL CREATE SYNONYM
ALTER ANY ROLE ALTER ON ROLE::<name> DROP EXTERNAL LIBRARY
ALTER ANY CREDENTIAL CREATE/ALTER/DROP CREDENTIAL CREATE TABLE db_securityadmin role
processadmin role CREATE EXTERNAL LIBRARY CREATE EXTERNAL LIBRARY
ALTER ANY DATABASE – See Database Permission Charts dbcreator role
CREATE TYPE STATEMENTS:
CREATE ANY DATABASE – See Top Level Database Permissions CREATE VIEW ALTER ROLE <name> ADD MEMBER
ALTER ANY ENDPOINT – See Connect and Authentication
CREATE ENDPOINT – See Connect and Authentication
CREATE XML SCHEMA COLLECTION
ADMINISTER DATABASE BULK OPERATIONS STATEMENTS:
DROP ROLE Service Broker Permissions (SQL Server only)
CREATE ROLE CREATE ROLE
NOTES: Only members of the db_owner
ALTER ANY EVENT NOTIFICATION Server scoped event notifications ALTER ANY DATABASE SCOPED CONFIGURATION ALTER DATABASE SCOPED CONFIGURATION
fixed database role can add or remove CONTROL SERVER CONTROL ON DATABASE::<name> CONTROL ON SERVICE::<name>
CREATE DDL EVENT NOTIFICATION Server scoped DDL event notifications ALTER ANY MASK
members from fixed database roles.
CREATE TRACE EVENT NOTIFICATION Event notifications on trace events AUTHENTICATE SERVER AUTHENTICATE Combined with TRUSTWORTHY allows delegation of authentication
ALTER ANY EVENT SESSION Extended event sessions BACKUP DATABASE BACKUP DATABASE
ALTER ANY LINKED SERVER setupadmin role sp_addlinkedserver BACKUP LOG db_backupoperator role BACKUP LOG
ALTER ANY LOGIN – See Connect and Authentication securityadmin role CHECKPOINT CHECKPOINT VIEW ANY DEFINITION VIEW DEFINITION ON DATABASE::<name> VIEW DEFINITION ON SERVICE::<name>

ALTER ANY SERVER AUDIT CREATE/ALTER/DROP SERVER AUDIT CONNECT REPLICATION – See Connect and Authentication – Database Permissions Chart
Application Role Permissions SEND ON SERVICE::<name>
and SERVER AUDIT SPECIFICATION TAKE OWNERSHIP ON SERVICE::<name>
ALTER ANY SERVER ROLE – See Server Role Permissions DELETE
CREATE SERVER ROLE – See Server Role Permissions EXECUTE CONTROL SERVER CONTROL ON DATABASE::<name> CONTROL ON APPLICATION ROLE::<name> ALTER ANY DATABASE ALTER ON DATABASE::<name>

ALTER RESOURCES (NA. Use diskadmin role instead.) INSERT STATEMENTS:

ALTER SERVER STATE DBCC
DBCC FREE…CACHE
FREE…CACHE and
and SQLPERF
SQLPERF REFERENCES Applies to subordinate objects in the database. See ALTER ANY SERVICE ALTER ON SERVICE::<name>
serveradmin role
VIEW SERVER STATE SELECT
SELECT on
on server-level
server-level DMV’s
DMV’s SELECT Database Permissions – Schema Objects chart. STATEMENTS:
ALTER SETTINGS UPDATE VIEW ANY DEFINITION VIEW DEFINITION ON DATABASE::<name> VIEW DEFINITION ON APPLICATION ROLE::<name> ALTER SERVICE
sp_configure,
sp_configure, RECONFIGURE
RECONFIGURE Notes:
ALTER TRACE sp_trace_create
sp_create_trace VIEW ANY DEFINITION VIEW DEFINITION STATEMENTS: DROP SERVICE
• ALTER AUTHORIZATION for any object might also require IMPERSONATE or
AUTHENTICATE SERVER Allows
Allows server-level
server-level delegation
delegation TAKE OWNERSHIP ALTER AUTHORIZATION CREATE SERVICE CREATE SERVICE
membership in a role or ALTER permission on a role.
CONNECT SQL – See Connect and Authentication EXECUTE ANY EXTERNAL SCRIPT ALTER ANY DATABASE ALTER ON DATABASE::<name>
• ALTER AUTHORIZATION exists at many levels in the permission model but is
CONNECT ANY DATABASE KILL DATABASE CONNECTION
never inherited from ALTER AUTHORIZATION at a higher level.
IMPERSONATE ANY LOGIN SHOWPLAN ALTER ANY APPLICATION ROLE ALTER ON APPLICATION ROLE::<name>
ALTER TRACE
SELECT ALL USER SECURABLES SUBSCRIBE QUERY NOTIFICATIONS Notes: CONTROL SERVER CONTROL ON DATABASE::<name> CONTROL ON REMOTE SERVICE BINDING::<name>
STATEMENTS:
SHUTDOWN UNMASK • In both SQL Server and SQL Database the public database role does not initially have access to any user objects.
SHUTDOWN* ALTER APPLICATION ROLE
public role The public database role has many grants to system objects, which is necessary to manage internal actions.
UNSAFE ASSEMBLY VIEW ANY COLUMN MASTER KEY DEFINITION DROP APPLICATION ROLE
EXTERNAL ACCESS ASSEMBLY VIEW ANY COLUMN ENCRYPTION KEY DEFINITION • In SQL Server 2016, the public database role has the VIEW ANY COLUMN MASTER KEY DEFINITION and VIEW ANY
CREATE APPLICATION ROLE
VIEW ANY DEFINITION VIEW SERVER STATE VIEW DATABASE STATE COLUMN ENCRYPTION KEY DEFINITION permissions by default. They can be revoked. VIEW ANY DEFINITION VIEW DEFINITION ON DATABASE::<name> VIEW DEFINITION ON REMOTE SERVICE BINDING::<name>
VIEW ANY DATABASE – See Database Permissions – Schema TAKE OWNERSHIP ON REMOTE SERVICE BINDING::<name>

* NOTE: The SHUTDOWN statement requires the SQL Server SHUTDOWN permission. Starting, stopping, and pausing the Database
Database Permissions – Schema Objects db_ddladmin role ALTER ANY DATABASE ALTER ON DATABASE::<name>
Engine from SSCM, SSMS, or Windows requires Windows permissions, not SQL Server permissions.
Symmetric Key Permissions
public role
Object Permissions ALTER ANY REMOTE SERVICE BINDING ALTER ON REMOTE SERVICE BINDING::<name>
Server Permissions Database Permissions Schema Permissions Type Permissions CONTROL SERVER CONTROL ON DATABASE::<name> CONTROL ON SYMMETRIC KEY::<name>
STATEMENTS:
XML Schema Collection Permissions
Connect and Authentication – Server Permissions ALTER REMOTE SERVICE BINDING

CONTROL ON SERVER CONTROL ON DATABASE::<name> CONTROL ON SCHEMA ::<name> CONTROL ON OBJECT|TYPE|XML SCHEMA COLLECTION ::<name> DROP REMOTE SERVICE BINDING
CONTROL SERVER CONTROL ON LOGIN::<name> CREATE REMOTE SERVICE BINDING CREATE REMOTE SERVICE BINDING

VIEW ANY DEFINITION VIEW DEFINITION ON DATABASE::<name> VIEW DEFINITION ON SYMMETRIC KEY::<name>
db_datareader role
db_denydatareader role VIEW CHANGE TRACKING ON SCHEMA::<name> VIEW CHANGE TRACKING ON OBJECT::<name> REFERENCES ON DATABASE::<name> REFERENCES ON SYMMETRIC KEY::<name>

SELECT ON DATABASE::<name> SELECT ON SCHEMA::<name> SELECT ON OBJECT::<table |view name> ALTER ANY DATABASE ALTER ON DATABASE::<name> TAKE OWNERSHIP ON SYMMETRIC KEY::<name> CONTROL SERVER CONTROL ON DATABASE::<name> CONTROL ON CONTRACT::<name>
VIEW ANY DEFINITION VIEW DEFINITION ON LOGIN::<name> INSERT ON DATABASE::<name> INSERT ON SCHEMA::<name> INSERT ON OBJECT::< table |view name>
db_datawriter role
IMPERSONATE ON LOGIN::<name> STATEMENTS: UPDATE ON DATABASE::<name> UPDATE ON SCHEMA::<name> UPDATE ON OBJECT::< table |view name>
db_denydatawriter role
ALTER ANY LOGIN ALTER ON LOGIN::<name> EXECUTE AS DELETE ON DATABASE::<name> DELETE ON SCHEMA::<name> DELETE ON OBJECT::< table |view name> ALTER ANY SYMMETRIC KEY ALTER ON SYMMETRIC KEY::<name>
Note: OPEN SYMMETRIC KEY requires
EXECUTE ON DATABASE::<name> EXECUTE ON SCHEMA::<name> EXECUTE ON OBJECT|TYPE|XML SCHEMA COLLECTION::<name> VIEW DEFINITION permission on the VIEW ANY DEFINITION VIEW DEFINITION ON DATABASE::<name> VIEW DEFINITION ON CONTRACT::<name>
STATEMENTS:
REFERENCES ON DATABASE::<name> REFERENCES ON SCHEMA::<name> REFERENCES ON OBJECT|TYPE|XML SCHEMA COLLECTION:<name> key (implied by any permission on the REFERENCES ON DATABASE::<name> REFERENCES ON CONTRACT::<name>
securityadmin role STATEMENTS: ALTER SYMMETRIC KEY
VIEW ANY DEFINITION VIEW DEFINITION ON DATABASE::<name> VIEW DEFINITION ON SCHEMA::<name> VIEW DEFINITION ON OBJECT|TYPE|XML SCHEMA COLLECTION::<name> key), and requires permission on the TAKE OWNERSHIP ON CONTRACT::<name>
ALTER LOGIN, sp_addlinkedsrvlogin DROP SYMMETRIC KEY
TAKE OWNERSHIP ON DATABASE::<name> TAKE OWNERSHIP ON SCHEMA::<name> TAKE OWNERSHIP ON OBJECT|TYPE|XML SCHEMA COLLECTION::<name> key encryption hierarchy. ALTER ANY DATABASE ALTER ON DATABASE::<name>
DROP LOGIN CREATE SYMMETRIC KEY CREATE SYMMETRIC KEY
VIEW ANY DATABASE RECEIVE ON OBJECT::<queue name>
CREATE LOGIN
SELECT ON OBJECT::<queue name> ALTER ANY CONTRACT ALTER ON CONTRACT::<name>
ALTER ANY DATABASE ALTER ON DATABASE::<name>
STATEMENTS:
CONNECT SQL ALTER ANY SCHEMA ALTER ON SCHEMA::<name> ALTER ON OBJECT|TYPE|XML SCHEMA COLLECTION::<name> Asymmetric Key Permissions DROP CONTRACT
Notes: CREATE SCHEMA CREATE SEQUENCE CREATE CONTRACT CREATE CONTRACT
• The CREATE LOGIN statement creates a login and grants CONNECT SQL to that login. CONTROL SERVER CONTROL ON DATABASE::<name> CONTROL ON ASYMMETRIC KEY::<name>
OBJECT permissions apply to the following database objects:
• Enabling a login (ALTER LOGIN <name> ENABLE) is not the same as granting CONNECT SQL permission. CREATE AGGREGATE
AGGREGATE
• To map a login to a credential, see ALTER ANY CREDENTIAL. CREATE DEFAULT
DEFAULT
• When contained databases are enabled, users can access SQL Server without a login. See database user CREATE FUNCTION
FUNCTION
permissions. CREATE PROCEDURE
CONTROL SERVER CONTROL ON DATABASE::<name> CONTROL ON ROUTE::<name>
PROCEDURE VIEW ANY DEFINITION VIEW DEFINITION ON DATABASE::<name> VIEW DEFINITION ON ASYMMETRIC KEY::<name>
• To connect using a login you must have : CREATE QUEUE
QUEUE
o An enabled login CREATE RULE REFERENCES ON DATABASE::<name> REFERENCES ON ASYMMETRIC KEY::<name>
RULE
o CONNECT SQL CREATE SYNONYM
SYNONYM ALTER ANY DATABASE ALTER ON DATABASE::<name> TAKE OWNERSHIP ON ASYMMETRIC KEY::<name>
o CONNECT for the database (if specified) CREATE TABLE
VIEW ANY DEFINITION VIEW DEFINITION ON DATABASE::<name> VIEW DEFINITION ON ROUTE::<name>
TABLE
CREATE TYPE
TAKE OWNERSHIP ON ROUTE::<name>
CONTROL ON ENDPOINT::<name> VIEW
CREATE VIEW ALTER ANY ASYMMETRIC KEY ALTER ON ASYMMETRIC KEY::<name>
(All permissions do not apply to all objects. For example
CREATE XML SCHEMA COLLECTION
ALTER ANY DATABASE ALTER ON DATABASE::<name>
UPDATE only applies to tables and views.) Note: ADD SIGNATURE requires STATEMENTS:
VIEW ANY DEFINITION CONTROL permission on the key, and ALTER ASYMMETRIC KEY
CONNECT ON ENDPOINT::<name> ALTER ANY ROUTE ALTER ON ROUTE::<name>
requires ALTER permission on the DROP ASYMMETRIC KEY
TAKE OWNERSHIP ON ENDPOINT::<name>
STATEMENTS:
object. CREATE ASYMMETRIC KEY CREATE ASYMMETRIC KEY
VIEW DEFINITION ON ENDPOINT::<name>
ALTER ROUTE
ALTER ANY ENDPOINT ALTER ON ENDPOINT::<name> Notes: DROP ROUTE
• To create a schema object (such as a table) you must have CREATE permission for that object type • To drop an object (such as a table) you must have ALTER permission on the schema or CONTROL CREATE ROUTE CREATE ROUTE
STATEMENTS:
plus ALTER ON SCHEMA::<name> for the schema of the object. Might require REFERENCES ON permission on the object.
ALTER ENDPOINT
OBJECT::<name> for any referenced CLR type or XML schema collection. • To create an index requires ALTER OBJECT::<name> permission on the table or view.
Certificate Permissions
DROP ENDPOINT
• To alter an object (such as a table) you must have ALTER permission on the object (or schema), or • To create or alter a trigger on a table or view requires ALTER OBJECT::<name> on the table or view.
CREATE ENDPOINT CREATE ENDPOINT CONTROL SERVER CONTROL ON DATABASE::<name> CONTROL ON CERTIFICATE::<name>
CONTROL permission on the object. • To create statistics requires ALTER OBJECT::<name> on the table or view. CONTROL SERVER CONTROL ON DATABASE::<name> CONTROL ON MESSAGE TYPE::<name>

Server Role Permissions Full-text Permissions

VIEW ANY DEFINITION VIEW DEFINITION ON DATABASE::<name> VIEW DEFINITION ON CERTIFICATE::<name> VIEW ANY DEFINITION VIEW DEFINITION ON DATABASE::<name> VIEW DEFINITION ON MESSAGE TYPE::<name>
REFERENCES ON DATABASE::<name> REFERENCES ON MESSAGE TYPE::<name>
REFERENCES ON DATABASE::<name> REFERENCES ON CERTIFICATE::<name>
CONTROL SERVER CONTROL ON SERVER ROLE::<name> CONTROL ON SEARCH PROPERTY LIST::<name> TAKE OWNERSHIP ON MESSAGE TYPE::<name>
CONTROL SERVER CONTROL ON DATABASE::<name> CONTROL ON FULLTEXT STOPLIST::<name> ALTER ANY DATABASE ALTER ON DATABASE::<name> TAKE OWNERSHIP ON CERTIFICATE::<name> ALTER ANY DATABASE ALTER ON DATABASE::<name>
CONTROL ON FULLTEXT CATALOG::<name>
ALTER ANY MESSAGE TYPE ALTER ON MESSAGE TYPE::<name>
ALTER ANY CERTIFICATE ALTER ON CERTIFICATE::<name>
STATEMENTS:
VIEW ANY DEFINITION VIEW DEFINITION ON SERVER ROLE::<name>
VIEW DEFINITION ON SEARCH PROPERTY LIST::<name> STATEMENTS: ALTER MESSAGE TYPE
TAKE OWNERSHIP ON SERVER ROLE::<name>
VIEW ANY DEFINITION VIEW DEFINITION ON DATABASE::<name> VIEW DEFINITION ON FULLTEXT STOPLIST::<name> Note: ADD SIGNATURE requires ALTER CERTIFICATE DROP MESSAGE TYPE
ALTER ANY SERVER ROLE ALTER ON SERVER ROLE::<name> CONTROL permission on the certificate,
VIEW DEFINITION ON FULLTEXT CATALOG::<name> DROP CERTIFICATE CREATE MESSAGE TYPE CREATE MESSAGE TYPE
and requires ALTER permission on the
object. CREATE CERTIFICATE CREATE CERTIFICATE CREATE QUEUE
STATEMENTS: REFERENCES ON SEARCH PROPERTY LIST::<name>
ALTER SERVER ROLE <name> ADD MEMBER REFERENCES ON DATABASE::<name> REFERENCES ON FULLTEXT STOPLIST::<name> Notes:
DROP SERVER ROLE REFERENCES ON FULLTEXT CATALOG::<name> • The user executing the CREATE CONTRACT statement must have REFERENCES permission on
CREATE SERVER ROLE CREATE SERVER ROLE all message types specified.
• The user executing the CREATE SERVICE statement must have REFERENCES permission on
NOTES: To add a member to a fixed server role, you must be a member of TAKE OWNERSHIP ON FULLTEXT CATALOG::<name> TAKE OWNERSHIP ON FULLTEXT STOPLIST::<name> TAKE OWNERSHIP ON SEARCH PROPERTY LIST::<name> Database Scoped Credential Permissions ǂ the queue and all contracts specified.
• To execute the CREATE or ALTER REMOTE SERVICE BINDING the user must have
that fixed server role, or be a member of the sysadmin fixed server role. impersonate permission for the principal specified in the statement.
ALTER ANY DATABASE ALTER ON DATABASE::<name> • When the CREATE or ALTER MESSAGE TYPE statement specifies a schema collection, the user
CONTROL SERVER CONTROL ON DATABASE::<name> CONTROL ON DATABASE SCOPED CREDENTIAL::<name> ǂ
executing the statement must have REFERENCES permission on the schema collection
specified.
ALTER ON SEARCH PROPERTY LIST::<name> • See the ALTER ANY EVENT NOTIFICATION chart for more permissions related to Service
Availability Group Permissions Broker.
ALTER ANY FULLTEXT CATALOG ALTER ON FULLTEXT STOPLIST::<name> • See the SCHEMA OBJECTS chart for QUEUE permissions.
ALTER ON FULLTEXT CATALOG::<name> • The ALTER CONTRACT permission exists but at this time there is no ALTER CONTRACT
CONTROL SERVER CONTROL ON AVAILABILITY GROUP::<name> statement.
VIEW ANY DEFINITION VIEW DEFINITION ON DATABASE::<name> VIEW DEFINITION ON DATABASE SCOPED CREDENTIAL ::<name> ǂ
STATEMENTS:
CREATE FULLTEXT CATALOG REFERENCES ON DATABASE::<name> REFERENCES ON DATABASE SCOPED CREDENTIAL ::<name> ǂ
ALTER FULLTEXT CATALOG
CREATE FULLTEXT CATALOG
STATEMENTS: TAKE OWNERSHIP ON DATABASE SCOPED CREDENTIAL ::<name> ǂ
Questions and comments to
ALTER FULLTEXT STOPLIST https://aka.ms/sql-permissions
VIEW ANY DEFINITION STATEMENTS:
VIEW DEFINITION ON AVAILABILITY GROUP::<name> CREATE FULLTEXT STOPLIST
ALTER SEARCH PROPERTY LIST ALTER ON DATABASE SCOPED CREDENTIAL ::<name> ǂ
TAKE OWNERSHIP ON AVAILABILITY GROUP::<name>
ALTER ANY AVAILABILITY GROUP CREATE SEARCH PROPERTY LIST
ALTER ON AVAILABILITY GROUP::<name>
STATEMENTS:
STATEMENTS:
STATEMENTS: ALTER DATABASE SCOPED CREDENTIAL ǂ
DROP FULLTEXT CATALOG
ALTER AVAILABILITY GROUP DROP FULLTEXT STOPLIST
Notes: DROP DATABASE SCOPED CREDENTIAL ǂ February 28, 2018
• Creating a full-text index requires ALTER permission on the table and REFERENCES permission on the full-text catalog. CREATE DATABASE SCOPED CREDENTIAL ǂ
DROP AVAILABILITY GROUP DROP FULLTEXT SEARCH PROPERTYLIST
CREATE AVAILABILITY GROUP
• Dropping a full-text index requires ALTER permission on the table. © 2018 Microsoft Corporation. All rights reserved.
CREATE AVAILABILITY GROUP