Permissions of Fixed Server Roles (Database Engine)

The following table describes the permissions that are granted to the fixed server roles.

Fixed server role	Server-level permission
bulkadmin	Granted: ADMINISTER BULK OPERATIONS
dbcreator	Granted: CREATE ANY DATABASE
diskadmin	Granted: ALTER RESOURCES
processadmin	Granted: ALTER ANY CONNECTION, ALTER SERVER STATE
securityadmin	Granted: ALTER ANY LOGIN Security Note The ability to grant access to the Database Engine and to configure user permissions allows the security admin to assign most server permissions. The securityadmin role should be treated as equivalent to the sysadmin role.
serveradmin	Granted: ALTER ANY ENDPOINT, ALTER RESOURCES, ALTER SERVER STATE, ALTER SETTINGS, SHUTDOWN, VIEW SERVER STATE
setupadmin	Granted: ALTER ANY LINKED SERVER
sysadmin	Granted with GRANT option: CONTROL SERVER

Remarks

The public server role is not a fixed server role, because the permissions can be changed. The public server role is granted VIEW ANY DATABASE permission and the CONNECT permission on the default endpoints (TSQL Local Machine, TSQL Named Pipes, TSQL Default TCP, TSQL Default VIA).

Members of the securityadmin fixed server role can grant both server-level and database-level permissions.

Fixed server roles are not equivalent to their server-level permission. For example, the sysadmin fixed server role has the CONTROL SERVER permission. But granting the CONTROL SERVER permission does not make a login a member of the sysadmin fixed server role. The IS_SRVROLEMEMBER (Transact-SQL) function will correctly report that the login is not a member of the sysadmin fixed server role. Members of the sysadmin fixed server role are identified as the dbo user in all databases, but logins with the CONTROL SERVER permission, are not.

See Also

Reference

Concepts