Permissions (Database Engine)

Applies to: SQL Server Azure SQL Database Azure SQL Managed Instance Azure Synapse Analytics Analytics Platform System (PDW)

Every SQL Server securable has associated permissions that can be granted to a principal. Permissions in the Database Engine are managed at the server level assigned to logins and server roles, and at the database level assigned to database users and database roles. The model for Azure SQL Database has the same system for the database permissions, but the server level permissions aren't available. This article contains the complete list of permissions. For a typical implementation of the permissions, see Getting Started with Database Engine Permissions.

The total number of permissions for SQL Server 2022 (16.x) is 292. Azure SQL Database exposes 292 permissions. Most permissions apply to all platforms, but some don't. For example, most server level permissions can't be granted on Azure SQL Database, and a few permissions only make sense on Azure SQL Database. New permissions are being introduced gradually with new releases. SQL Server 2019 (15.x) exposes 248 permissions.SQL Server 2017 (14.x) exposed 238 permissions. SQL Server 2016 (13.x) exposed 230 permissions. SQL Server 2014 (12.x) exposed 219 permissions. SQL Server 2012 (11.x) exposed 214 permissions. SQL Server 2008 R2 (10.50.x) exposed 195 permissions. The sys.fn_builtin_permissions article specifies which permissions are new in recent versions.

Once you understand the permissions required, you can apply server level permissions to logins or server roles, and database level permissions to users or database roles, by using the GRANT, REVOKE, and DENY statements. For example:

GRANT SELECT ON SCHEMA::HumanResources TO role_HumanResourcesDept;
REVOKE SELECT ON SCHEMA::HumanResources TO role_HumanResourcesDept;

For tips on planning a permissions system, see Getting Started with Database Engine Permissions.

Permissions naming conventions

The following describes the general conventions that are followed for naming permissions:

• CONTROL

  Confers ownership-like capabilities on the grantee. The grantee effectively has all defined permissions on the securable. A principal that has been granted CONTROL can also grant permissions on the securable. Because the SQL Server security model is hierarchical, CONTROL at a particular scope implicitly includes CONTROL on all the securables under that scope. For example, CONTROL on a database implies all permissions on the database, all permissions on all assemblies in the database, all permissions on all schemas in the database, and all permissions on objects within all schemas within the database.

• ALTER

  Confers the ability to change the properties, except ownership, of a particular securable. When granted on a scope, ALTER also bestows the ability to alter, create, or drop any securable that is contained within that scope. For example, ALTER permission on a schema includes the ability to create, alter, and drop objects from the schema.

• ALTER ANY <Server Securable>, where Server Securable can be any server securable.

  Confers the ability to create, alter, or drop individual instances of the Server Securable. For example, ALTER ANY LOGIN confers the ability to create, alter, or drop any login in the instance.

• ALTER ANY <Database Securable>, where Database Securable can be any securable at the database level.

  Confers the ability to CREATE, ALTER, or DROP individual instances of the Database Securable. For example, ALTER ANY SCHEMA confers the ability to create, alter, or drop any schema in the database.

• TAKE OWNERSHIP

  Enables the grantee to take ownership of the securable on which it is granted.

• IMPERSONATE <Login>

  Enables the grantee to impersonate the login.

• IMPERSONATE <User>

  Enables the grantee to impersonate the user.

• CREATE <Server Securable>

  Confers to the grantee the ability to create the Server Securable.

• CREATE <Database Securable>

  Confers to the grantee the ability to create the Database Securable.

• CREATE <Schema-contained Securable>

  Confers the ability to create the schema-contained securable. However, ALTER permission on the schema is required to create the securable in a particular schema.

• VIEW DEFINITION

  Enables the grantee to access metadata.

• REFERENCES

  The REFERENCES permission on a table is needed to create a FOREIGN KEY constraint that references that table.

  The REFERENCES permission is needed on an object to create a FUNCTION or VIEW with the WITH SCHEMABINDING clause that references that object.

Chart of SQL Server permissions

The following image shows the permissions and their relationships to each other. Some of the higher level permissions (such as CONTROL SERVER) are listed many times. In this article, the poster is far too small to read. You can download the full-sized Database Engine Permissions Poster in PDF format.

Permissions applicable to specific securables

The following table lists major classes of permissions and the kinds of securables to which they might be applied.

Permission	Applies to
ALTER	All classes of objects except TYPE.
CONTROL	All classes of objects: AGGREGATE, APPLICATION ROLE, ASSEMBLY, ASYMMETRIC KEY, AVAILABILITY GROUP, CERTIFICATE, CONTRACT, CREDENTIALS, DATABASE, DATABASE SCOPED CREDENTIAL, DEFAULT, ENDPOINT, FULLTEXT CATALOG, FULLTEXT STOPLIST, FUNCTION, LOGIN, MESSAGE TYPE, PROCEDURE, QUEUE, REMOTE SERVICE BINDING, ROLE, ROUTE, RULE, SCHEMA, SEARCH PROPERTY LIST, SERVER, SERVER ROLE, SERVICE, SYMMETRIC KEY, SYNONYM, TABLE, TYPE, USER, VIEW, and XML SCHEMA COLLECTION
DELETE	All classes of objects except DATABASE SCOPED CONFIGURATION, SERVER, and TYPE.
EXECUTE	CLR types, external scripts, procedures (Transact-SQL and CLR), scalar and aggregate functions (Transact-SQL and CLR), and synonyms
IMPERSONATE	Logins and users
INSERT	Synonyms, tables and columns, views and columns. Permission can be granted at the database, schema, or object level.
RECEIVE	Service Broker queues
REFERENCES	AGGREGATE, ASSEMBLY, ASYMMETRIC KEY, CERTIFICATE, CONTRACT, CREDENTIAL (applies to SQL Server 2022 (16.x) and later), DATABASE, DATABASE SCOPED CREDENTIAL, FULLTEXT CATALOG, FULLTEXT STOPLIST, FUNCTION, MESSAGE TYPE, PROCEDURE, QUEUE, RULE, SCHEMA, SEARCH PROPERTY LIST, SEQUENCE OBJECT, SYMMETRIC KEY, TABLE, TYPE, VIEW, and XML SCHEMA COLLECTION
SELECT	Synonyms, tables and columns, views and columns. Permission can be granted at the database, schema, or object level.
TAKE OWNERSHIP	All classes of objects except DATABASE SCOPED CONFIGURATION, LOGIN, SERVER, and USER.
UPDATE	Synonyms, tables and columns, views and columns. Permission can be granted at the database, schema, or object level.
VIEW CHANGE TRACKING	Schemas and tables
VIEW DEFINITION	All classes of objects except DATABASE SCOPED CONFIGURATION, and SERVER.

Caution

The default permissions that are granted to system objects at the time of setup are carefully evaluated against possible threats and need not be altered as part of hardening the SQL Server installation. Any changes to the permissions on the system objects could limit or break the functionality and could potentially leave your SQL Server installation in an unsupported state.

SQL Server permissions

The following table provides a complete list of SQL Server permissions. Azure SQL Database permissions are only available for base securables that are supported. Server level permissions can't be granted in Azure SQL Database, however in some cases database permissions are available instead.

Base securable	Granular permissions on base securable	Permission type code	Securable that contains base securable	Permission on container securable that implies granular permission on base securable
APPLICATION ROLE	ALTER	AL	DATABASE	ALTER ANY APPLICATION ROLE
APPLICATION ROLE	CONTROL	CL	DATABASE	CONTROL
APPLICATION ROLE	VIEW DEFINITION	VW	DATABASE	VIEW DEFINITION
ASSEMBLY	ALTER	AL	DATABASE	ALTER ANY ASSEMBLY
ASSEMBLY	CONTROL	CL	DATABASE	CONTROL
ASSEMBLY	REFERENCES	RF	DATABASE	REFERENCES
ASSEMBLY	TAKE OWNERSHIP	TO	DATABASE	CONTROL
ASSEMBLY	VIEW DEFINITION	VW	DATABASE	VIEW DEFINITION
ASYMMETRIC KEY	ALTER	AL	DATABASE	ALTER ANY ASYMMETRIC KEY
ASYMMETRIC KEY	CONTROL	CL	DATABASE	CONTROL
ASYMMETRIC KEY	REFERENCES	RF	DATABASE	REFERENCES
ASYMMETRIC KEY	TAKE OWNERSHIP	TO	DATABASE	CONTROL
ASYMMETRIC KEY	VIEW DEFINITION	VW	DATABASE	VIEW DEFINITION
AVAILABILITY GROUP	ALTER	AL	SERVER	ALTER ANY AVAILABILITY GROUP
AVAILABILITY GROUP	CONTROL	CL	SERVER	CONTROL SERVER
AVAILABILITY GROUP	TAKE OWNERSHIP	TO	SERVER	CONTROL SERVER
AVAILABILITY GROUP	VIEW DEFINITION	VW	SERVER	VIEW ANY DEFINITION
CERTIFICATE	ALTER	AL	DATABASE	ALTER ANY CERTIFICATE
CERTIFICATE	CONTROL	CL	DATABASE	CONTROL
CERTIFICATE	REFERENCES	RF	DATABASE	REFERENCES
CERTIFICATE	TAKE OWNERSHIP	TO	DATABASE	CONTROL
CERTIFICATE	VIEW DEFINITION	VW	DATABASE	VIEW DEFINITION
CONTRACT	ALTER	AL	DATABASE	ALTER ANY CONTRACT
CONTRACT	CONTROL	CL	DATABASE	CONTROL
CONTRACT	REFERENCES	RF	DATABASE	REFERENCES
CONTRACT	TAKE OWNERSHIP	TO	DATABASE	CONTROL
CONTRACT	VIEW DEFINITION	VW	DATABASE	VIEW DEFINITION
CREDENTIAL	CONTROL	CL	SERVER	CONTROL SERVER
CREDENTIAL	REFERENCES	RF	SERVER	ALTER ANY CREDENTIAL
DATABASE	ADMINISTER DATABASE BULK OPERATIONS	DABO	SERVER	CONTROL SERVER
DATABASE	ALTER	AL	SERVER	ALTER ANY DATABASE
DATABASE	ALTER ANY APPLICATION ROLE	ALAR	SERVER	CONTROL SERVER
DATABASE	ALTER ANY ASSEMBLY	ALAS	SERVER	CONTROL SERVER
DATABASE	ALTER ANY ASYMMETRIC KEY	ALAK	SERVER	CONTROL SERVER
DATABASE	ALTER ANY CERTIFICATE	ALCF	SERVER	CONTROL SERVER
DATABASE	ALTER ANY COLUMN ENCRYPTION KEY	ALCK Applies to SQL Server (SQL Server 2016 (13.x) through current), Azure SQL Database.	SERVER	CONTROL SERVER
DATABASE	ALTER ANY COLUMN MASTER KEY	ALCM Applies to SQL Server (SQL Server 2016 (13.x) through current), Azure SQL Database.	SERVER	CONTROL SERVER
DATABASE	ALTER ANY CONTRACT	ALSC	SERVER	CONTROL SERVER
DATABASE	ALTER ANY DATABASE AUDIT	ALDA	SERVER	ALTER ANY SERVER AUDIT
DATABASE	ALTER ANY DATABASE DDL TRIGGER	ALTG	SERVER	CONTROL SERVER
DATABASE	ALTER ANY DATABASE EVENT NOTIFICATION	ALED	SERVER	ALTER ANY EVENT NOTIFICATION
DATABASE	ALTER ANY DATABASE EVENT SESSION	AADS	SERVER	ALTER ANY EVENT SESSION
DATABASE	ALTER ANY DATABASE EVENT SESSION ADD EVENT	LDAE	SERVER	ALTER ANY EVENT SESSION ADD EVENT
DATABASE	ALTER ANY DATABASE EVENT SESSION ADD TARGET	LDAT	SERVER	ALTER ANY EVENT SESSION ADD TARGET
DATABASE	ALTER ANY DATABASE EVENT SESSION DISABLE	DDES	SERVER	ALTER ANY EVENT SESSION DISABLE
DATABASE	ALTER ANY DATABASE EVENT SESSION DROP EVENT	LDDE	SERVER	ALTER ANY EVENT SESSION DROP EVENT
DATABASE	ALTER ANY DATABASE EVENT SESSION DROP TARGET	LDDT	SERVER	ALTER ANY EVENT SESSION DROP TARGET
DATABASE	ALTER ANY DATABASE EVENT SESSION ENABLE	EDES	SERVER	ALTER ANY EVENT SESSION ENABLE
DATABASE	ALTER ANY DATABASE EVENT SESSION OPTION	LDSO	SERVER	ALTER ANY EVENT SESSION OPTION
DATABASE	ALTER ANY DATABASE SCOPED CONFIGURATION	ALDC Applies to SQL Server (SQL Server 2016 (13.x) through current), Azure SQL Database.	SERVER	CONTROL SERVER
DATABASE	ALTER ANY DATASPACE	ALDS	SERVER	CONTROL SERVER
DATABASE	ALTER ANY EXTERNAL DATA SOURCE	AEDS	SERVER	CONTROL SERVER
DATABASE	ALTER ANY EXTERNAL FILE FORMAT	AEFF	SERVER	CONTROL SERVER
DATABASE	ALTER ANY EXTERNAL JOB	AESJ	SERVER	CONTROL SERVER
DATABASE	ALTER ANY EXTERNAL LANGUAGE	ALLA	SERVER	CONTROL SERVER
DATABASE	ALTER ANY EXTERNAL LIBRARY	ALEL	SERVER	CONTROL SERVER
DATABASE	ALTER ANY EXTERNAL STREAM	AEST	SERVER	CONTROL SERVER
DATABASE	ALTER ANY FULLTEXT CATALOG	ALFT	SERVER	CONTROL SERVER
DATABASE	ALTER ANY MASK	AAMK Applies to SQL Server (SQL Server 2016 (13.x) through current), Azure SQL Database.	SERVER	CONTROL SERVER
DATABASE	ALTER ANY MESSAGE TYPE	ALMT	SERVER	CONTROL SERVER
DATABASE	ALTER ANY REMOTE SERVICE BINDING	ALSB	SERVER	CONTROL SERVER
DATABASE	ALTER ANY ROLE	ALRL	SERVER	CONTROL SERVER
DATABASE	ALTER ANY ROUTE	ALRT	SERVER	CONTROL SERVER
DATABASE	ALTER ANY SCHEMA	ALSM	SERVER	CONTROL SERVER
DATABASE	ALTER ANY SECURITY POLICY	ALSP Applies to SQL Server (SQL Server 2016 (13.x) through current), Azure SQL Database.	SERVER	CONTROL SERVER
DATABASE	ALTER ANY SENSITIVITY CLASSIFICATION	AASC Applies to SQL Server (SQL Server 2019 (15.x) through current), Azure SQL Database.	SERVER	CONTROL SERVER
DATABASE	ALTER ANY SERVICE	ALSV	SERVER	CONTROL SERVER
DATABASE	ALTER ANY SYMMETRIC KEY	ALSK	SERVER	CONTROL SERVER
DATABASE	ALTER ANY USER	ALUS	SERVER	CONTROL SERVER
DATABASE	ALTER LEDGER	ALR	SERVER	CONTROL
DATABASE	ALTER LEDGER CONFIGURATION	ALC	SERVER	CONTROL SERVER
DATABASE	AUTHENTICATE	AUTH	SERVER	AUTHENTICATE SERVER
DATABASE	BACKUP DATABASE	BADB	SERVER	CONTROL SERVER
DATABASE	BACKUP LOG	BALO	SERVER	CONTROL SERVER
DATABASE	CHECKPOINT	CP	SERVER	CONTROL SERVER
DATABASE	CONNECT	CO	SERVER	CONTROL SERVER
DATABASE	CONNECT REPLICATION	CORP	SERVER	CONTROL SERVER
DATABASE	CONTROL	CL	SERVER	CONTROL SERVER
DATABASE	CREATE AGGREGATE	CRAG	SERVER	CONTROL SERVER
DATABASE	CREATE ANY DATABASE EVENT SESSION	CRDS	SERVER	CREATE ANY EVENT SESSION
DATABASE	CREATE ASSEMBLY	CRAS	SERVER	CONTROL SERVER
DATABASE	CREATE ASYMMETRIC KEY	CRAK	SERVER	CONTROL SERVER
DATABASE	CREATE CERTIFICATE	CRCF	SERVER	CONTROL SERVER
DATABASE	CREATE CONTRACT	CRSC	SERVER	CONTROL SERVER
DATABASE	CREATE DATABASE	CRDB	SERVER	CREATE ANY DATABASE
DATABASE	CREATE DATABASE DDL EVENT NOTIFICATION	CRED	SERVER	CREATE DDL EVENT NOTIFICATION
DATABASE	CREATE DEFAULT	CRDF	SERVER	CONTROL SERVER
DATABASE	CREATE EXTERNAL LANGUAGE	CRLA	SERVER	CONTROL SERVER
DATABASE	CREATE EXTERNAL LIBRARY	CREL	SERVER	CONTROL SERVER
DATABASE	CREATE FULLTEXT CATALOG	CRFT	SERVER	CONTROL SERVER
DATABASE	CREATE FUNCTION	CRFN	SERVER	CONTROL SERVER
DATABASE	CREATE MESSAGE TYPE	CRMT	SERVER	CONTROL SERVER
DATABASE	CREATE PROCEDURE	CRPR	SERVER	CONTROL SERVER
DATABASE	CREATE QUEUE	CRQU	SERVER	CONTROL SERVER
DATABASE	CREATE REMOTE SERVICE BINDING	CRSB	SERVER	CONTROL SERVER
DATABASE	CREATE ROLE	CRRL	SERVER	CONTROL SERVER
DATABASE	CREATE ROUTE	CRRT	SERVER	CONTROL SERVER
DATABASE	CREATE RULE	CRRU	SERVER	CONTROL SERVER
DATABASE	CREATE SCHEMA	CRSM	SERVER	CONTROL SERVER
DATABASE	CREATE SERVICE	CRSV	SERVER	CONTROL SERVER
DATABASE	CREATE SYMMETRIC KEY	CRSK	SERVER	CONTROL SERVER
DATABASE	CREATE SYNONYM	CRSN	SERVER	CONTROL SERVER
DATABASE	CREATE TABLE	CRTB	SERVER	CONTROL SERVER
DATABASE	CREATE TYPE	CRTY	SERVER	CONTROL SERVER
DATABASE	CREATE USER	CUSR	SERVER	CONTROL SERVER
DATABASE	CREATE VIEW	CRVW	SERVER	CONTROL SERVER
DATABASE	CREATE XML SCHEMA COLLECTION	CRXS	SERVER	CONTROL SERVER
DATABASE	DELETE	DL	SERVER	CONTROL SERVER
DATABASE	DROP ANY DATABASE EVENT SESSION	DRDS	SERVER	DROP ANY EVENT SESSION
DATABASE	ENABLE LEDGER	EL	SERVER	CONTROL
DATABASE	EXECUTE	EX	SERVER	CONTROL SERVER
DATABASE	EXECUTE ANY EXTERNAL ENDPOINT	EAEE	SERVER	CONTROL SERVER
DATABASE	EXECUTE ANY EXTERNAL SCRIPT	EAES Applies to SQL Server (SQL Server 2016 (13.x) through current).	SERVER	CONTROL SERVER
DATABASE	INSERT	IN	SERVER	CONTROL SERVER
DATABASE	KILL DATABASE CONNECTION	KIDC Only applies to Azure SQL Database. Use ALTER ANY CONNECTION in SQL Server.	SERVER	ALTER ANY CONNECTION
DATABASE	REFERENCES	RF	SERVER	CONTROL SERVER
DATABASE	SELECT	SL	SERVER	CONTROL SERVER
DATABASE	SHOWPLAN	SPLN	SERVER	ALTER TRACE
DATABASE	SUBSCRIBE QUERY NOTIFICATIONS	SUQN	SERVER	CONTROL SERVER
DATABASE	TAKE OWNERSHIP	TO	SERVER	CONTROL SERVER
DATABASE	UNMASK	UMSK Applies to SQL Server (SQL Server 2016 (13.x) through current), Azure SQL Database.	SERVER	CONTROL SERVER
DATABASE	UPDATE	UP	SERVER	CONTROL SERVER
DATABASE	VIEW ANY COLUMN ENCRYPTION KEY DEFINITION	VWCK Applies to SQL Server (SQL Server 2016 (13.x) through current), Azure SQL Database.	SERVER	VIEW SERVER STATE
DATABASE	VIEW ANY COLUMN MASTER KEY DEFINITION	VWCM Applies to SQL Server (SQL Server 2016 (13.x) through current), Azure SQL Database.	SERVER	VIEW SERVER STATE
DATABASE	VIEW ANY SENSITIVITY CLASSIFICATION	VASC	SERVER	CONTROL SERVER
DATABASE	VIEW CRYPTOGRAPHICALLY SECURED DEFINITION	VCD	SERVER	VIEW ANY CRYPTOGRAPHICALLY SECURED DEFINITION
DATABASE	VIEW DATABASE PERFORMANCE STATE	VDP	SERVER	VIEW SERVER PERFORMANCE STATE
DATABASE	VIEW DATABASE SECURITY AUDIT	VDSA	SERVER	CONTROL SERVER
DATABASE	VIEW DATABASE SECURITY STATE	VDS	SERVER	VIEW SERVER SECURITY STATE
DATABASE	VIEW DATABASE STATE	VWDS	SERVER	VIEW SERVER STATE
DATABASE	VIEW DEFINITION	VW	SERVER	VIEW ANY DEFINITION
DATABASE	VIEW LEDGER CONTENT	VLC	SERVER	CONTROL
DATABASE	VIEW SECURITY DEFINITION	VWS	SERVER	VIEW ANY SECURITY DEFINITION
DATABASE	VIEW PERFORMANCE DEFINITION	VWP	SERVER	VIEW ANY PERFORMANCE DEFINITION
DATABASE SCOPED CREDENTIAL	ALTER	AL	DATABASE	CONTROL
DATABASE SCOPED CREDENTIAL	CONTROL	CL	DATABASE	CONTROL
DATABASE SCOPED CREDENTIAL	REFERENCES	RF	DATABASE	REFERENCES
DATABASE SCOPED CREDENTIAL	TAKE OWNERSHIP	TO	DATABASE	CONTROL
DATABASE SCOPED CREDENTIAL	VIEW DEFINITION	VW	DATABASE	VIEW DEFINITION
ENDPOINT	ALTER	AL	SERVER	ALTER ANY ENDPOINT
ENDPOINT	CONNECT	CO	SERVER	CONTROL SERVER
ENDPOINT	CONTROL	CL	SERVER	CONTROL SERVER
ENDPOINT	TAKE OWNERSHIP	TO	SERVER	CONTROL SERVER
ENDPOINT	VIEW DEFINITION	VW	SERVER	VIEW ANY DEFINITION
FULLTEXT CATALOG	ALTER	AL	DATABASE	ALTER ANY FULLTEXT CATALOG
FULLTEXT CATALOG	CONTROL	CL	DATABASE	CONTROL
FULLTEXT CATALOG	REFERENCES	RF	DATABASE	REFERENCES
FULLTEXT CATALOG	TAKE OWNERSHIP	TO	DATABASE	CONTROL
FULLTEXT CATALOG	VIEW DEFINITION	VW	DATABASE	VIEW DEFINITION
FULLTEXT STOPLIST	ALTER	AL	DATABASE	ALTER ANY FULLTEXT CATALOG
FULLTEXT STOPLIST	CONTROL	CL	DATABASE	CONTROL
FULLTEXT STOPLIST	REFERENCES	RF	DATABASE	REFERENCES
FULLTEXT STOPLIST	TAKE OWNERSHIP	TO	DATABASE	CONTROL
FULLTEXT STOPLIST	VIEW DEFINITION	VW	DATABASE	VIEW DEFINITION
LOGIN	ALTER	AL	SERVER	ALTER ANY LOGIN
LOGIN	CONTROL	CL	SERVER	CONTROL SERVER
LOGIN	IMPERSONATE	IM	SERVER	CONTROL SERVER
LOGIN	VIEW DEFINITION	VW	SERVER	VIEW ANY DEFINITION
MESSAGE TYPE	ALTER	AL	DATABASE	ALTER ANY MESSAGE TYPE
MESSAGE TYPE	CONTROL	CL	DATABASE	CONTROL
MESSAGE TYPE	REFERENCES	RF	DATABASE	REFERENCES
MESSAGE TYPE	TAKE OWNERSHIP	TO	DATABASE	CONTROL
MESSAGE TYPE	VIEW DEFINITION	VW	DATABASE	VIEW DEFINITION
OBJECT	ALTER	AL	SCHEMA	ALTER
OBJECT	CONTROL	CL	SCHEMA	CONTROL
OBJECT	DELETE	DL	SCHEMA	DELETE
OBJECT	EXECUTE	EX	SCHEMA	EXECUTE
OBJECT	INSERT	IN	SCHEMA	INSERT
OBJECT	RECEIVE	RC	SCHEMA	CONTROL
OBJECT	REFERENCES	RF	SCHEMA	REFERENCES
OBJECT	SELECT	SL	SCHEMA	SELECT
OBJECT	TAKE OWNERSHIP	TO	SCHEMA	CONTROL
OBJECT	UNMASK	UMSK	SCHEMA	UNMASK
OBJECT	UPDATE	UP	SCHEMA	UPDATE
OBJECT	VIEW CHANGE TRACKING	VWCT	SCHEMA	VIEW CHANGE TRACKING
OBJECT	VIEW DEFINITION	VW	SCHEMA	VIEW DEFINITION
REMOTE SERVICE BINDING	ALTER	AL	DATABASE	ALTER ANY REMOTE SERVICE BINDING
REMOTE SERVICE BINDING	CONTROL	CL	DATABASE	CONTROL
REMOTE SERVICE BINDING	TAKE OWNERSHIP	TO	DATABASE	CONTROL
REMOTE SERVICE BINDING	VIEW DEFINITION	VW	DATABASE	VIEW DEFINITION
ROLE	ALTER	AL	DATABASE	ALTER ANY ROLE
ROLE	CONTROL	CL	DATABASE	CONTROL
ROLE	TAKE OWNERSHIP	TO	DATABASE	CONTROL
ROLE	VIEW DEFINITION	VW	DATABASE	VIEW DEFINITION
ROUTE	ALTER	AL	DATABASE	ALTER ANY ROUTE
ROUTE	CONTROL	CL	DATABASE	CONTROL
ROUTE	TAKE OWNERSHIP	TO	DATABASE	CONTROL
ROUTE	VIEW DEFINITION	VW	DATABASE	VIEW DEFINITION
SCHEMA	ALTER	AL	DATABASE	ALTER ANY SCHEMA
SCHEMA	CONTROL	CL	DATABASE	CONTROL
SCHEMA	CREATE SEQUENCE	CRSO	DATABASE	CONTROL
SCHEMA	DELETE	DL	DATABASE	DELETE
SCHEMA	EXECUTE	EX	DATABASE	EXECUTE
SCHEMA	INSERT	IN	DATABASE	INSERT
SCHEMA	REFERENCES	RF	DATABASE	REFERENCES
SCHEMA	SELECT	SL	DATABASE	SELECT
SCHEMA	TAKE OWNERSHIP	TO	DATABASE	CONTROL
SCHEMA	UNMASK	UMSK	DATABASE	UNMASK
SCHEMA	UPDATE	UP	DATABASE	UPDATE
SCHEMA	VIEW CHANGE TRACKING	VWCT	DATABASE	VIEW CHANGE TRACKING
SCHEMA	VIEW DEFINITION	VW	DATABASE	VIEW DEFINITION
SEARCH PROPERTY LIST	ALTER	AL	SERVER	ALTER ANY FULLTEXT CATALOG
SEARCH PROPERTY LIST	CONTROL	CL	SERVER	CONTROL
SEARCH PROPERTY LIST	REFERENCES	RF	SERVER	REFERENCES
SEARCH PROPERTY LIST	TAKE OWNERSHIP	TO	SERVER	CONTROL
SEARCH PROPERTY LIST	VIEW DEFINITION	VW	SERVER	VIEW DEFINITION
SERVER	ADMINISTER BULK OPERATIONS	ADBO	Not applicable	Not applicable
SERVER	ALTER ANY AVAILABILITY GROUP	ALAG	Not applicable	Not applicable
SERVER	ALTER ANY CONNECTION	ALCO	Not applicable	Not applicable
SERVER	ALTER ANY CREDENTIAL	ALCD	Not applicable	Not applicable
SERVER	ALTER ANY DATABASE	ALDB	Not applicable	Not applicable
SERVER	ALTER ANY ENDPOINT	ALHE	Not applicable	Not applicable
SERVER	ALTER ANY EVENT NOTIFICATION	ALES	Not applicable	Not applicable
SERVER	ALTER ANY EVENT SESSION	AAES	Not applicable	Not applicable
SERVER	ALTER ANY EVENT SESSION ADD EVENT	LSAE	Not applicable	Not applicable
SERVER	ALTER ANY EVENT SESSION ADD TARGET	LSAT	Not applicable	Not applicable
SERVER	ALTER ANY EVENT SESSION DISABLE	DES	Not applicable	Not applicable
SERVER	ALTER ANY EVENT SESSION DROP EVENT	LSDE	Not applicable	Not applicable
SERVER	ALTER ANY EVENT SESSION DROP TARGET	LSDT	Not applicable	Not applicable
SERVER	ALTER ANY EVENT SESSION ENABLE	EES	Not applicable	Not applicable
SERVER	ALTER ANY EVENT SESSION OPTION	LESO	Not applicable	Not applicable
SERVER	ALTER ANY LINKED SERVER	ALLS	Not applicable	Not applicable
SERVER	ALTER ANY LOGIN	ALLG	Not applicable	Not applicable
SERVER	ALTER ANY SERVER AUDIT	ALAA	Not applicable	Not applicable
SERVER	ALTER ANY SERVER ROLE	ALSR	Not applicable	Not applicable
SERVER	ALTER RESOURCES	ALRS	Not applicable	Not applicable
SERVER	ALTER SERVER STATE	ALSS	Not applicable	Not applicable
SERVER	ALTER SETTINGS	ALST	Not applicable	Not applicable
SERVER	ALTER TRACE	ALTR	Not applicable	Not applicable
SERVER	AUTHENTICATE SERVER	AUTH	Not applicable	Not applicable
SERVER	CONNECT ANY DATABASE	CADB	Not applicable	Not applicable
SERVER	CONNECT SQL	COSQ	Not applicable	Not applicable
SERVER	CONTROL SERVER	CL	Not applicable	Not applicable
SERVER	CREATE ANY DATABASE	CRDB	Not applicable	Not applicable
SERVER	CREATE AVAILABILITY GROUP	CRAC	Not applicable	Not applicable
SERVER	CREATE DDL EVENT NOTIFICATION	CRDE	Not applicable	Not applicable
SERVER	CREATE ENDPOINT	CRHE	Not applicable	Not applicable
SERVER	CREATE SERVER ROLE	CRSR	Not applicable	Not applicable
SERVER	CREATE TRACE EVENT NOTIFICATION	CRTE	Not applicable	Not applicable
SERVER	EXTERNAL ACCESS ASSEMBLY	XA	Not applicable	Not applicable
SERVER	IMPERSONATE ANY LOGIN	IAL	Not applicable	Not applicable
SERVER	SELECT ALL USER SECURABLES	SUS	Not applicable	Not applicable
SERVER	SHUTDOWN	SHDN	Not applicable	Not applicable
SERVER	UNSAFE ASSEMBLY	XU	Not applicable	Not applicable
SERVER	VIEW ANY DATABASE	VWDB	Not applicable	Not applicable
SERVER	VIEW ANY DEFINITION	VWAD	Not applicable	Not applicable
SERVER	VIEW SERVER STATE	VWSS	Not applicable	Not applicable
SERVER ROLE	ALTER	AL	SERVER	ALTER ANY SERVER ROLE
SERVER ROLE	CONTROL	CL	SERVER	CONTROL SERVER
SERVER ROLE	TAKE OWNERSHIP	TO	SERVER	CONTROL SERVER
SERVER ROLE	VIEW DEFINITION	VW	SERVER	VIEW ANY DEFINITION
SERVICE	ALTER	AL	DATABASE	ALTER ANY SERVICE
SERVICE	CONTROL	CL	DATABASE	CONTROL
SERVICE	SEND	SN	DATABASE	CONTROL
SERVICE	TAKE OWNERSHIP	TO	DATABASE	CONTROL
SERVICE	VIEW DEFINITION	VW	DATABASE	VIEW DEFINITION
SYMMETRIC KEY	ALTER	AL	DATABASE	ALTER ANY SYMMETRIC KEY
SYMMETRIC KEY	CONTROL	CL	DATABASE	CONTROL
SYMMETRIC KEY	REFERENCES	RF	DATABASE	REFERENCES
SYMMETRIC KEY	TAKE OWNERSHIP	TO	DATABASE	CONTROL
SYMMETRIC KEY	VIEW DEFINITION	VW	DATABASE	VIEW DEFINITION
TYPE	CONTROL	CL	SCHEMA	CONTROL
TYPE	EXECUTE	EX	SCHEMA	EXECUTE
TYPE	REFERENCES	RF	SCHEMA	REFERENCES
TYPE	TAKE OWNERSHIP	TO	SCHEMA	CONTROL
TYPE	VIEW DEFINITION	VW	SCHEMA	VIEW DEFINITION
USER	ALTER	AL	DATABASE	ALTER ANY USER
USER	CONTROL	CL	DATABASE	CONTROL
USER	IMPERSONATE	IM	DATABASE	CONTROL
USER	VIEW DEFINITION	VW	DATABASE	VIEW DEFINITION
XML SCHEMA COLLECTION	ALTER	AL	SCHEMA	ALTER
XML SCHEMA COLLECTION	CONTROL	CL	SCHEMA	CONTROL
XML SCHEMA COLLECTION	EXECUTE	EX	SCHEMA	EXECUTE
XML SCHEMA COLLECTION	REFERENCES	RF	SCHEMA	REFERENCES
XML SCHEMA COLLECTION	TAKE OWNERSHIP	TO	SCHEMA	CONTROL
XML SCHEMA COLLECTION	VIEW DEFINITION	VW	SCHEMA	VIEW DEFINITION

New granular permissions added to SQL Server 2022

The following permissions are added to SQL Server 2022:

• 10 new permissions have been added to allow access to system metadata.

• 18 new permissions have been added for extended events.

• 9 new permissions have been added with regard to security-related objects.

• 4 permissions have been added for Ledger.

• 3 additional database permissions.

For more information, see New granular permissions for SQL Server 2022 and Azure SQL to improve adherence with PoLP.

Access to system metadata permissions

Server level:

• VIEW ANY SECURITY DEFINITION
• VIEW ANY PERFORMANCE DEFINITION
• VIEW SERVER SECURITY STATE
• VIEW SERVER PERFORMANCE STATE
• VIEW ANY CRYPTOGRAPHICALLY SECURED DEFINITION

Database level:

• VIEW DATABASE SECURITY STATE
• VIEW DATABASE PERFORMANCE STATE
• VIEW SECURITY DEFINITION
• VIEW PERFORMANCE DEFINITION
• VIEW CRYPTOGRAPHICALLY SECURED DEFINITION

Extended events permissions

Server level:

• CREATE ANY EVENT SESSION
• DROP ANY EVENT SESSION
• ALTER ANY EVENT SESSION OPTION
• ALTER ANY EVENT SESSION ADD EVENT
• ALTER ANY EVENT SESSION DROP EVENT
• ALTER ANY EVENT SESSION ENABLE
• ALTER ANY EVENT SESSION DISABLE
• ALTER ANY EVENT SESSION ADD TARGET
• ALTER ANY EVENT SESSION DROP TARGET

All of these permissions are under the same parent-permission: ALTER ANY EVENT SESSION

Database level:

• CREATE ANY DATABASE EVENT SESSION
• DROP ANY DATABASE EVENT SESSION
• ALTER ANY DATABASE EVENT SESSION OPTION
• ALTER ANY DATABASE EVENT SESSION ADD EVENT
• ALTER ANY DATABASE EVENT SESSION DROP EVENT
• ALTER ANY DATABASE EVENT SESSION ENABLE
• ALTER ANY DATABASE EVENT SESSION DISABLE
• ALTER ANY DATABASE EVENT SESSION ADD TARGET
• ALTER ANY DATABASE EVENT SESSION DROP TARGET

All these permissions are under the same parent-permission: ALTER ANY DATABASE EVENT SESSION

Security-related object permissions

• CONTROL (CREDENTIAL)
• CREATE LOGIN
• CREATE USER
• REFERENCES (CREDENTIAL)
• UNMASK (OBJECT)
• UNMASK (SCHEMA)
• VIEW ANY ERROR LOG
• VIEW SERVER SECURITY AUDIT
• VIEW DATABASE SECURITY AUDIT

Ledger permissions

• ALTER LEDGER
• ALTER LEDGER CONFIGURATION
• ENABLE LEDGER
• VIEW LEDGER CONTENT

Other database permissions

• ALTER ANY EXTERNAL JOB
• ALTER ANY EXTERNAL STREAM
• EXECUTE ANY EXTERNAL ENDPOINT

Summary of the permission check algorithm

Checking permissions can be complex. The permission check algorithm includes overlapping group memberships and ownership chaining, both explicit and implicit permission, and can be affected by the permissions on securable classes that contain the securable entity. The general process of the algorithm is to collect all the relevant permissions. If no blocking DENY is found, the algorithm searches for a GRANT that provides sufficient access. The algorithm contains three essential elements, the security context, the permission space, and the required permission.

Note

You cannot grant, deny, or revoke permissions to sa, dbo, the entity owner, information_schema, sys, or yourself.

• Security context

  This is the group of principals that contribute permissions to the access check. These are permissions that are related to the current login or user, unless the security context was changed to another login or user by using the EXECUTE AS statement. The security context includes the following principals:

  • The login

  • The user

  • Role memberships

  • Windows group memberships

  • If module signing is being used, any login or user account for the certificate used to sign the module that the user is currently executing, and the associated role memberships of that principal.

• Permission space

  This is the securable entity and any securable classes that contain the securable. For example, a table (a securable entity) is contained by the schema securable class and by the database securable class. Access can be affected by table-, schema-, database-, and server-level permissions. For more information, see Permissions Hierarchy (Database Engine).

• Required permission

  The kind of permission that is required. For example, INSERT, UPDATE, DELETE, SELECT, EXECUTE, ALTER, CONTROL, and so on.

  Access can require multiple permissions, as in the following examples:

  • A stored procedure can require both EXECUTE permission on the stored procedure and INSERT permission on several tables that are referenced by the stored procedure.

  • A dynamic management view can require both VIEW SERVER STATE and SELECT permission on the view.

General steps of the algorithm

When the algorithm is determining whether to allow access to a securable, the precise steps that it uses can vary, depending on the principals and the securables that are involved. However, the algorithm performs the following general steps:

1. Bypass the permission check if the login is a member of the sysadmin fixed server role or if the user is the dbo user in the current database.

2. Allow access if ownership chaining is applicable and the access check on the object earlier in the chain passed the security check.

3. Aggregate the server-level, database-level, and signed-module identities that are associated with the caller to create the security context.

4. For that security context, collect all the permissions that are granted or denied for the permission space. The permission can be explicitly stated as a GRANT, GRANT WITH GRANT, or DENY; or the permissions can be an implied or covering permission GRANT or DENY. For example, CONTROL permission on a schema implies CONTROL on a table. And CONTROL on a table implies SELECT. Therefore, if CONTROL on the schema was granted, SELECT on the table is granted. If CONTROL was denied on the table, SELECT on the table is denied.

   Note

   A GRANT of a column-level permission overrides a DENY at the object level. You can read more about his here: DENY Object Permissions (Transact-SQL).

5. Identify the required permission.

6. Fail the permission check if the required permission is directly or implicitly denied to any of the identities in the security context for the objects in the permission space.

7. Pass the permission check if the required permission wasn't denied and the required permission contains a GRANT or a GRANT WITH GRANT permission either directly or implicitly to any of the identities in the security context for any object in the permission space.

Special considerations for column level permissions

Column level permissions are granted with the syntax <table_name>(<column _name>). For example:

GRANT SELECT ON OBJECT::Customer(CustomerName) TO UserJoe;

A DENY on the table is overridden by a GRANT on a column. However, a subsequent DENY on the table will remove the column GRANT.

Examples

The examples in this section show how to retrieve permissions information.

A. Return the complete list of grantable permissions

The following statement returns all Database Engine permission by using the fn_builtin_permissions function. For more information, see sys.fn_builtin_permissions (Transact-SQL).

SELECT * FROM fn_builtin_permissions(default);
GO

B. Return the permissions on a particular class of objects

The following example uses fn_builtin_permissions to view all the permissions that are available for a category of securable. The example returns permissions on assemblies.

SELECT * FROM fn_builtin_permissions('assembly');
GO

C. Return the permissions granted to the executing principal on an object

The following example uses fn_my_permissions to return a list of the effective permissions that are held by the calling principal on a specified securable. The example returns permissions on an object named Orders55. For more information, see sys.fn_my_permissions (Transact-SQL).

SELECT * FROM fn_my_permissions('Orders55', 'object');
GO

D. Return the permissions applicable to a specified object

The following example returns permissions applicable to an object called Yttrium. The built-in function OBJECT_ID is used to retrieve the ID of object Yttrium.

SELECT * FROM sys.database_permissions
    WHERE major_id = OBJECT_ID('Yttrium');
GO

Related content

• Permissions Hierarchy (Database Engine)
• sys.database_permissions (Transact-SQL)