Server-Level Roles

SQL Server provides server-level roles to help you manage the permissions on a server. These roles are security principals that group other principals. Server-level roles are server-wide in their permissions scope. (Roles are like groups in the Windows operating system.)

Fixed server roles are provided for convenience and backward compatibility. Assign more specific permissions whenever possible.

SQL Server provides nine fixed server roles. The permissions that are granted to the fixed server roles cannot be changed. Beginning with SQL Server 2012, you can create user-defined server roles and add server-level permissions to the user-defined server roles.

You can add server-level principals (SQL Server logins, Windows accounts, and Windows groups) into server-level roles. Each member of a fixed server role can add other logins to that same role. Members of user-defined server roles cannot add other server principals to the role.

Fixed Server-Level Roles

The following table shows the fixed server-level roles and their capabilities.

Fixed server-level role	Description
sysadmin	Members of the sysadmin fixed server role can perform any activity in the server.
serveradmin	Members of the serveradmin fixed server role can change server-wide configuration options and shut down the server.
securityadmin	Members of the securityadmin fixed server role manage logins and their properties. They can GRANT, DENY, and REVOKE server-level permissions. They can also GRANT, DENY, and REVOKE database-level permissions if they have access to a database. Additionally, they can reset passwords for SQL Server logins. Security Note The ability to grant access to the Database Engine and to configure user permissions allows the security admin to assign most server permissions. The securityadmin role should be treated as equivalent to the sysadmin role.
processadmin	Members of the processadmin fixed server role can end processes that are running in an instance of SQL Server.
setupadmin	Members of the setupadmin fixed server role can add and remove linked servers by using Transact-SQL statements. (sysadmin membership is needed when using Management Studio.)
bulkadmin	Members of the bulkadmin fixed server role can run the BULK INSERT statement.
diskadmin	The diskadmin fixed server role is used for managing disk files.
dbcreator	Members of the dbcreator fixed server role can create, alter, drop, and restore any database.
public	Every SQL Server login belongs to the public server role. When a server principal has not been granted or denied specific permissions on a securable object, the user inherits the permissions granted to public on that object. Only assign public permissions on any object when you want the object to be available to all users. You cannot change membership in public. Note public is implemented differently than other roles. However, permissions can be granted, denied, or revoked from public.

Server-Level Permissions

Only server-level permissions can be added to user-defined server roles. To list the server-level permissions, execute the following statement.The server-level permissions are:

SELECT * FROM sys.fn_builtin_permissions('SERVER') ORDER BY permission_name;

For more information about permissions, see Permissions (Database Engine) and sys.fn_builtin_permissions (Transact-SQL).

Working with Server-Level Roles

The following table explains the commands, views, and functions that you can use to work with server-level roles.

Feature	Type	Description
sp_helpsrvrole (Transact-SQL)	Metadata	Returns a list of server-level roles.
sp_helpsrvrolemember (Transact-SQL)	Metadata	Returns information about the members of a server-level role.
sp_srvrolepermission (Transact-SQL)	Metadata	Displays the permissions of a server-level role.
IS_SRVROLEMEMBER (Transact-SQL)	Metadata	Indicates whether a SQL Server login is a member of the specified server-level role.
sys.server_role_members (Transact-SQL)	Metadata	Returns one row for each member of each server-level role.
sp_addsrvrolemember (Transact-SQL)	Command	Adds a login as a member of a server-level role. Deprecated. Use ALTER SERVER ROLE instead.
sp_dropsrvrolemember (Transact-SQL)	Command	Removes a SQL Server login or a Windows user or group from a server-level role. Deprecated. Use ALTER SERVER ROLE instead.
CREATE SERVER ROLE (Transact-SQL)	Command	Creates a user-defined server role.
ALTER SERVER ROLE (Transact-SQL)	Command	Changes the membership of a server role or changes name of a user-defined server role.
DROP SERVER ROLE (Transact-SQL)	Command	Removes a user-defined server role.
IS_SRVROLEMEMBER (Transact-SQL)	Function	Determines membership of server role.

See Also

Reference

Database-Level Roles

Security Catalog Views (Transact-SQL)

Security Functions (Transact-SQL)

GRANT Server Principal Permissions (Transact-SQL)

REVOKE Server Principal Permissions (Transact-SQL)

DENY Server Principal Permissions (Transact-SQL)

Concepts

Securing SQL Server

Create a Server Role