SQL Server
United States - English
Home
2012
2008 R2
2008
2005
2000
Library
Forums
5 out of 9 rated this helpful - Rate this topic

Permissions of Fixed Database Roles

SQL Server 2005

Fixed database roles can be mapped to the more detailed permissions that are included in SQL Server 2005. The following table describes the mapping of the fixed database roles to permissions.

Fixed database role Database-level permission Server-level permission

db_accessadmin

Granted: ALTER ANY USER, CREATE SCHEMA

Granted: VIEW ANY DATABASE

db_accessadmin

Granted with GRANT option: CONNECT

db_backupoperator

Granted: BACKUP DATABASE, BACKUP LOG, CHECKPOINT

Granted: VIEW ANY DATABASE

db_datareader

Granted: SELECT

Granted: VIEW ANY DATABASE

db_datawriter

Granted: DELETE, INSERT, UPDATE

Granted: VIEW ANY DATABASE

db_ddladmin

Granted: ALTER ANY ASSEMBLY, ALTER ANY ASYMMETRIC KEY, ALTER ANY CERTIFICATE, ALTER ANY CONTRACT, ALTER ANY DATABASE DDL TRIGGER, ALTER ANY DATABASE EVENT, NOTIFICATION, ALTER ANY DATASPACE, ALTER ANY FULLTEXT CATALOG, ALTER ANY MESSAGE TYPE, ALTER ANY REMOTE SERVICE BINDING, ALTER ANY ROUTE, ALTER ANY SCHEMA, ALTER ANY SERVICE, ALTER ANY SYMMETRIC KEY, CHECKPOINT, CREATE AGGREGATE, CREATE DEFAULT, CREATE FUNCTION, CREATE PROCEDURE, CREATE QUEUE, CREATE RULE, CREATE SYNONYM, CREATE TABLE, CREATE TYPE, CREATE VIEW, CREATE XML SCHEMA COLLECTION, REFERENCES

Granted: VIEW ANY DATABASE

db_denydatareader

Denied: SELECT

Granted: VIEW ANY DATABASE

db_denydatawriter

Denied: DELETE, INSERT, UPDATE

db_owner

Granted with GRANT option: CONTROL

Granted: VIEW ANY DATABASE

db_securityadmin

Granted: ALTER ANY APPLICATION ROLE, ALTER ANY ROLE, CREATE SCHEMA, VIEW DEFINITION

Granted: VIEW ANY DATABASE

dbm_monitor

Granted: VIEW most recent status in Database Mirroring Monitor

The dbm_monitor fixed database role is created in the msdb database when the first database is registered in Database Mirroring Monitor. The new dbm_monitor role has no members until a system administrator assigns users to the role.
ms189612.note(en-US,SQL.90).gifImportant:

Granted: VIEW ANY DATABASE

Reference

Database-Level Roles

Concepts

Permissions of Fixed Server Roles
Permissions Hierarchy

Other Resources

GRANT (Transact-SQL)
DENY (Transact-SQL)
REVOKE (Transact-SQL)

Help and Information

Getting SQL Server 2005 Assistance
Did you find this helpful?
(1500 characters remaining)
Community Content Add
Annotations FAQ
Be careful with GRANT VIEW DEFINITION and the Visual Studio SQLCLR project type

In Visual Studio 2005, the SQLCLR project type has an interesting behavor that developers and security administrators need to keep in mind. When using Visual Studio 2005 to deploy a project to a server in debug mode, Visual Studio also copies the source files up to SQL Server. This can easily be seen by doing:

select * from sys.assembly_files where name like '%cs'

If you look at the content field, you'll see that its in binary form, so there's no problem, right? Well, actually, there is. If the source code thusly deployed was written in C#, its entirely possible to get it back out in a readable form using:

select cast(content as xml) from sys.assembly_files where name like '%cs'

If there are hardcoded passwords or other trade secrets represented in the code, all a user has to gain in the VIEW DEFINITION right and they execute these queries.

History