sys.server_permissions (Transact-SQL)
Applies to: SQL Server Azure SQL Managed Instance Analytics Platform System (PDW)
Returns one row for each server-level permission.
Column name | Data type | Description |
---|---|---|
class | tinyint | Identifies class of thing on which permission exists. 100 = Server 101 = Server-principal 105 = Endpoint 108 = Availability Group |
class_desc | nvarchar(60) | Description of class on which permission exists. One of the following values: SERVER SERVER_PRINCIPAL ENDPOINT AVAILABILITY GROUP |
major_id | int | ID of the securable on which permission exists, interpreted according to class. For most, this is just the kind of ID that applies to what the class represents. Interpretation for non-standard is as follows: 100 = Always 0 |
minor_id | int | Secondary ID of thing on which permission exists, interpreted according to class. |
grantee_principal_id | int | Server-principal-ID to which the permissions are granted. |
grantor_principal_id | int | Server-principal-ID of the grantor of these permissions. |
type | char(4) | Server permission type. For a list of permission types, see the next table. |
permission_name | nvarchar(128) | Permission name. |
state | char(1) | Permission state: D = Deny R = Revoke G = Grant W = Grant With Grant option |
state_desc | nvarchar(60) | Description of permission state: DENY REVOKE GRANT GRANT_WITH_GRANT_OPTION |
Permission type | Permission name | Applies to securable |
---|---|---|
AAES | ALTER ANY EVENT SESSION | SERVER |
ADBO | ADMINISTER BULK OPERATIONS | SERVER |
AL | ALTER | ENDPOINT, LOGIN |
ALAA | ALTER ANY SERVER AUDIT | SERVER |
ALAG | ALTER ANY AVAILABILITY GROUP | SERVER |
ALCD | ALTER ANY CREDENTIAL | SERVER |
ALCO | ALTER ANY CONNECTION | SERVER |
ALDB | ALTER ANY DATABASE | SERVER |
ALES | ALTER ANY EVENT NOTIFICATION | SERVER |
ALHE | ALTER ANY ENDPOINT | SERVER |
ALLG | ALTER ANY LOGIN | SERVER |
ALLS | ALTER ANY LINKED SERVER | SERVER |
ALRS | ALTER RESOURCES | SERVER |
ALSR | ALTER ANY SERVER ROLE | SERVER |
ALSS | ALTER SERVER STATE | SERVER |
ALST | ALTER SETTINGS | SERVER |
ALTR | ALTER TRACE | SERVER |
AUTH | AUTHENTICATE SERVER | SERVER |
CADB | CONNECT ANY DATABASE | SERVER |
CL | CONTROL | ENDPOINT, LOGIN |
CL | CONTROL SERVER | SERVER |
CO | CONNECT | ENDPOINT |
COSQ | CONNECT SQL | SERVER |
CRAC | CREATE AVAILABILITY GROUP | SERVER |
CRDB | CREATE ANY DATABASE | SERVER |
CRDE | CREATE DDL EVENT NOTIFICATION | SERVER |
CRHE | CREATE ENDPOINT | SERVER |
CRSR | CREATE SERVER ROLE | SERVER |
CRTE | CREATE TRACE EVENT NOTIFICATION | SERVER |
IAL | IMPERSONATE ANY LOGIN | SERVER |
IM | IMPERSONATE | LOGIN |
SHDN | SHUTDOWN | SERVER |
SUS | SELECT ALL USER SECURABLES | SERVER |
TO | TAKE OWNERSHIP | ENDPOINT |
VW | VIEW DEFINITION | ENDPOINT, LOGIN |
VWAD | VIEW ANY DEFINITION | SERVER |
VWDB | VIEW ANY DATABASE | SERVER |
VWSS | VIEW SERVER STATE | SERVER |
XA | EXTERNAL ACCESS | SERVER |
XU | UNSAFE ASSEMBLY | SERVER |
Permissions
Any user can see their own permissions. To see permissions for other logins, requires VIEW DEFINITION, ALTER ANY LOGIN, or any permission on a login. To see user-defined server roles, requires ALTER ANY SERVER ROLE, or membership in the role.
The visibility of the metadata in catalog views is limited to securables that a user either owns, or on which the user was granted some permission. For more information, see Metadata Visibility Configuration.
Examples
The following query lists the permissions explicitly granted or denied to server principals.
Important
The permissions of fixed server roles do not appear in sys.server_permissions. Therefore, server principals may have additional permissions not listed here.
SELECT pr.principal_id, pr.name, pr.type_desc,
pe.state_desc, pe.permission_name
FROM sys.server_principals AS pr
JOIN sys.server_permissions AS pe
ON pe.grantee_principal_id = pr.principal_id;
See Also
Security Catalog Views (Transact-SQL)
Securables
Catalog Views (Transact-SQL)
Permissions (Database Engine)
Permissions Hierarchy (Database Engine)