Skip to content

Latest commit

 

History

History
156 lines (120 loc) · 18.6 KB

server-level-roles.md

File metadata and controls

156 lines (120 loc) · 18.6 KB
title description author ms.author ms.reviewer ms.date ms.service ms.subservice ms.topic f1_keywords helpviewer_keywords monikerRange
Server-Level Roles
SQL Server provides server-level roles. These security principals group other principals to manage the server-wide permissions.
VanMSFT
vanto
randolphwest
02/07/2025
sql
security
conceptual
sql13.Security.NT_AUTHORITY.SYSTEM
sql13.Security.BUILTIN.administrators
roles [SQL Server], server-level
principals [SQL Server], server-level
CONTROL SERVER permission
fixed server roles [SQL Server]
credentials [SQL Server], roles
sysadmin fixed server role
server-level roles [SQL Server]
authentication [SQL Server], roles
>=aps-pdw-2016 || >=sql-server-2016 || >=sql-server-linux-2017 || =azuresqldb-mi-current

Server-level roles

[!INCLUDE SQL Server Azure SQL Managed Instance Parallel Data Warehouse]

[!INCLUDE ssNoVersion] provides server-level roles to help you manage the permissions on a server. These roles are security principals that group other principals. Server-level roles are server-wide in their permissions scope. (Roles are like groups in the Windows operating system.)

[!INCLUDE sssql19-md] and previous versions provided nine fixed server roles. The permissions that are granted to the fixed server roles (except public) can't be changed. Beginning with [!INCLUDE ssSQL11], you can create user-defined server roles and add server-level permissions to the user-defined server roles. [!INCLUDE sssql22-md] comes with 10 extra server roles that are designed specifically with the Principle of Least Privilege in mind, which have the prefix ##MS_ and the suffix ## to distinguish them from other regular user-created principals and custom server roles. Those new roles contain privileges that apply on server scope but also can inherit down to individual databases (except for the ##MS_LoginManager## server role.)

Like SQL Server on-premises, server permissions are organized hierarchically. The permissions that are held by these server-level roles can propagate to database permissions. For the permissions to be effectively useful at the database level, a login needs to either be a member of the server-level role ##MS_DatabaseConnector## (starting with [!INCLUDE sssql22-md]), which grants the CONNECT permission to all databases, or have a user account in individual databases. This also applies to the master database.

Consider the following example: The server-level role ##MS_ServerStateReader## holds the permission VIEW SERVER STATE. A login that is a member of this role has a user account in the master and WideWorldImporters databases. This user also has the VIEW DATABASE STATE permission in those two databases by inheritance.

You can add server-level principals ([!INCLUDE ssNoVersion] logins, Windows accounts, and Windows groups) into server-level roles. Each member of a fixed server role can add other logins to that same role. Members of user-defined server roles can't add other server principals to the role.

Fixed server-level roles

Note

These server-level roles introduced before [!INCLUDE sssql22-md], and aren't available in Azure SQL Database or Azure Synapse Analytics. There are special Azure SQL Database server roles for permission management that are equivalent to the server-level roles introduced in [!INCLUDE sssql22-md]. For more information about SQL Database, see Controlling and granting database access..

The following table shows the fixed server-level roles and their capabilities.

Fixed server-level role Description
sysadmin Members of the sysadmin fixed server role can perform any activity in the server. Important: permissions can't be denied to members of this role.
serveradmin Members of the serveradmin fixed server role can change server-wide configuration options and shut down the server.
securityadmin Members of the securityadmin fixed server role manage logins and their properties. They can GRANT, DENY, and REVOKE server-level permissions. securityadmin can also GRANT, DENY, and REVOKE database-level permissions if they have access to a database. Additionally, securityadmin can reset passwords for [!INCLUDE ssNoVersion] logins.

IMPORTANT: The ability to grant access to the [!INCLUDE ssDE] and to configure user permissions allows the security admin to assign most server permissions. The securityadmin role should be treated as equivalent to the sysadmin role. As an alternative, starting with [!INCLUDE sssql22-md], consider using the new fixed server role ##MS_LoginManager##.
processadmin Members of the processadmin fixed server role can end processes that are running in an instance of [!INCLUDE ssNoVersion].
setupadmin Members of the setupadmin fixed server role can add and remove linked servers by using [!INCLUDE tsql] statements. (sysadmin membership is needed when using [!INCLUDE ssManStudio].)
bulkadmin Members of the bulkadmin fixed server role can run the BULK INSERT statement.

The bulkadmin role or ADMINISTER BULK OPERATIONS permissions isn't supported for SQL Server on Linux. Only the sysadmin can perform bulk inserts for SQL Server on Linux.
diskadmin The diskadmin fixed server role is used for managing disk files.
dbcreator Members of the dbcreator fixed server role can create, alter, drop, and restore any database.
public Every [!INCLUDE ssNoVersion] login belongs to the public server role. When a server principal isn't granted or denied specific permissions on a securable object, the user inherits the permissions granted to public on that object. Only assign public permissions on any object when you want the object to be available to all users. You can't change membership in public.

Note: public is implemented differently than other roles, and permissions can be granted, denied, or revoked from the public fixed server roles.

Important

Most of the permissions provided by the following server roles aren't applicable to Azure Synapse Analytics - processadmin, serveradmin, setupadmin, and diskadmin.

Fixed server-level roles introduced in SQL Server 2022

The following table shows fixed server-level roles introduced in [!INCLUDE sssql22-md], and their capabilities.

Note

These server-level permissions aren't available for Azure SQL Managed Instance or Azure Synapse Analytics. ##MS_PerformanceDefinitionReader##, ##MS_ServerPerformanceStateReader##, and ##MS_ServerSecurityStateReader## is introduced in [!INCLUDE sssql22-md], and aren't available in Azure SQL Database.

Fixed server-level role Description
##MS_DatabaseConnector## Members of the ##MS_DatabaseConnector## fixed server role can connect to any database without requiring a User-account in the database to connect to.

To deny the CONNECT permission to a specific database, users can create a matching user account for this login in the database and then DENY the CONNECT permission to the database-user. This DENY permission overrules the GRANT CONNECT permission coming from this role.
##MS_LoginManager## Members of the ##MS_LoginManager## fixed server role can create, delete, and modify logins. Contrary to the old fixed server role securityadmin, this role doesn't allow members to GRANT privileges. It's a more limited role that helps to comply with the Principle of least Privilege.
##MS_DatabaseManager## Members of the ##MS_DatabaseManager## fixed server role can create and delete databases. A member of the ##MS_DatabaseManager## role that creates a database, becomes the owner of that database, which allows that user to connect to that database as the dbo user. The dbo user has all database permissions in the database. Members of the ##MS_DatabaseManager## role don't necessarily have permission to access databases that they don't own. This server role has the same privileges as the dbcreator role in SQL Server, but we recommend using this new role over the former, since this role exists also in Azure SQL Database and thus helps using the same scripts across different environments.
##MS_ServerStateManager## Members of the ##MS_ServerStateManager## fixed server role have the same permissions as the ##MS_ServerStateReader## role. Also, it holds the ALTER SERVER STATE permission, which allows access to several management operations, such as: DBCC FREEPROCCACHE, DBCC FREESYSTEMCACHE ('ALL'), DBCC SQLPERF()
##MS_ServerStateReader## Members of the ##MS_ServerStateReader## fixed server role can read all dynamic management views (DMVs) and functions that are covered by VIEW SERVER STATE, and respectively has VIEW DATABASE STATE permission on any database on which the member of this role has a user account.
##MS_ServerPerformanceStateReader## Members of the ##MS_ServerPerformanceStateReader## fixed server role can read all dynamic management views (DMVs) and functions that are covered by VIEW SERVER PERFORMANCE STATE, and respectively has VIEW DATABASE PERFORMANCE STATE permission on any database on which the member of this role has a user account. Subset of what the ##MS_ServerStateReader## server role has access to, which helps to comply with the Principle of least Privilege.
##MS_ServerSecurityStateReader## Members of the ##MS_ServerSecurityStateReader## fixed server role can read all dynamic management views (DMVs) and functions that are covered by VIEW SERVER SECURITY STATE, and respectively has VIEW DATABASE SECURITY STATE permission on any database on which the member of this role has a user account. Small subset of what the ##MS_ServerStateReader## server role has access to, which helps to comply with the Principle of least Privilege.
##MS_DefinitionReader## Members of the ##MS_DefinitionReader## fixed server role can read all catalog views that are covered by VIEW ANY DEFINITION, and respectively has VIEW DEFINITION permission on any database on which the member of this role has a user account.
##MS_PerformanceDefinitionReader## Members of the ##MS_PerformanceDefinitionReader## fixed server role can read all catalog views that are covered by VIEW ANY PERFORMANCE DEFINITION, and respectively has VIEW PERFORMANCE DEFINITION permission on any database on which the member of this role has a user account. Subset of what the ##MS_DefinitionReader## server role has access to.
##MS_SecurityDefinitionReader## Members of the ##MS_SecurityDefinitionReader## fixed server role can read all catalog views that are covered by VIEW ANY SECURITY DEFINITION, and respectively has VIEW SECURITY DEFINITION permission on any database on which the member of this role has a user account. Small subset of what the ##MS_DefinitionReader## server role has access to, which helps to comply with the Principle of least Privilege.

Permissions of fixed server roles

Each fixed server role has certain permissions assigned to it.

Permissions of new fixed server roles in SQL Server 2022

The following table shows the permissions assigned to the server-level roles. It also shows the database-level permissions that are inherited as long as the user can connect to individual databases.

Fixed server-level role Server-level permissions Database-level permissions
##MS_DatabaseConnector## - CONNECT ANY DATABASE - CONNECT
##MS_LoginManager## - CREATE LOGIN
- ALTER ANY LOGIN		 N/A
##MS_DatabaseManager## - CREATE ANY DATABASE
- ALTER ANY DATABASE		 - ALTER
##MS_ServerStateManager## - ALTER SERVER STATE
- VIEW SERVER STATE
- VIEW SERVER PERFORMANCE STATE
- VIEW SERVER SECURITY STATE		 - VIEW DATABASE STATE
- VIEW DATABASE PERFORMANCE STATE
- VIEW DATABASE SECURITY STATE
##MS_ServerStateReader## - VIEW SERVER STATE
- VIEW SERVER PERFORMANCE STATE
- VIEW SERVER SECURITY STATE		 - VIEW DATABASE STATE
- VIEW DATABASE PERFORMANCE STATE
- VIEW DATABASE SECURITY STATE
##MS_ServerPerformanceStateReader## - VIEW SERVER PERFORMANCE STATE - VIEW DATABASE PERFORMANCE STATE
##MS_ServerSecurityStateReader## - VIEW SERVER SECURITY STATE - VIEW DATABASE SECURITY STATE
##MS_DefinitionReader## - VIEW ANY DATABASE
- VIEW ANY DEFINITION
- VIEW ANY PERFORMANCE DEFINITION
- VIEW ANY SECURITY DEFINITION		 - VIEW DEFINITION
- VIEW PERFORMANCE DEFINITION
- VIEW SECURITY DEFINITION
##MS_PerformanceDefinitionReader## - VIEW ANY PERFORMANCE DEFINITION - VIEW PERFORMANCE DEFINITION
##MS_SecurityDefinitionReader## - VIEW ANY SECURITY DEFINITION - VIEW SECURITY DEFINITION

Permissions of server roles for SQL Server 2019 and earlier

The following graphic shows the permissions assigned to the legacy server roles ([!INCLUDE sssql19-md] and earlier versions).

:::image type="content" source="media/server-level-roles/permissions-of-server-roles.png" alt-text="Diagram showing fixed server role permissions." lightbox="media/server-level-roles/permissions-of-server-roles.png":::

The CONTROL SERVER permission is similar but not identical to the sysadmin fixed server role. Principals with the CONTROL SERVER permission can be denied specific permissions. From a security perspective, consider principals with CONTROL SERVER as identical to sysadmin-members, because of several possible ways to elevate permissions from CONTROL SERVER to full sysadmin. Several DBCC commands and many system procedures require membership in the sysadmin fixed server role.

Server-level permissions

Only server-level permissions can be added to user-defined server roles. To list the server-level permissions, execute the following statement. The server-level permissions are:

SELECT *
FROM sys.fn_builtin_permissions('SERVER')
ORDER BY permission_name;

For more information about permissions, see Permissions (Database Engine) and sys.fn_builtin_permissions.

Work with server-level roles

The following table explains the commands, views, and functions that you can use to work with server-level roles.

Feature Type Description
sp_helpsrvrole Metadata Returns a list of server-level roles.
sp_helpsrvrolemember Metadata Returns information about the members of a server-level role.
sp_srvrolepermission Metadata Displays the permissions of a server-level role.
IS_SRVROLEMEMBER Metadata Indicates whether a [!INCLUDE ssNoVersion] login is a member of the specified server-level role.
sys.server_role_members Metadata Returns one row for each member of each server-level role.
CREATE SERVER ROLE Command Creates a user-defined server role.
ALTER SERVER ROLE Command Changes the membership of a server role or changes name of a user-defined server role.
DROP SERVER ROLE Command Removes a user-defined server role.
sp_addsrvrolemember Command Adds a login as a member of a server-level role. Deprecated. Use ALTER SERVER ROLE instead.
sp_dropsrvrolemember Command Removes a [!INCLUDE ssNoVersion] login or a Windows user or group from a server-level role. Deprecated. Use ALTER SERVER ROLE instead.

Roles specific to SQL Server enabled by Azure Arc

[!INCLUDE arc-enabled-roles]

For permissions, review Permissions.

Related content