Share via


Permissions of Fixed Server Roles (Database Engine)

Fixed server roles can be mapped to the more specific permissions that are included in SQL Server. Fixed server roles are provided for convenience and backward compatibility. Assign more specific permissions whenever possible.

The following table describes the mapping of the fixed server roles to permissions.

Fixed server role

Server-level permission

bulkadmin

Granted: ADMINISTER BULK OPERATIONS

dbcreator

Granted: ALTER ANY DATABASE

diskadmin

Granted: ALTER RESOURCES

processadmin

Granted: ALTER ANY CONNECTION, ALTER SERVER STATE

securityadmin

Granted: ALTER ANY LOGIN

Security noteSecurity Note
The ability to grant access to the Database Engine and to configure user permissions allows the security admin to assign most server permissions. The securityadmin role should be treated as equivalent to the sysadmin role.

serveradmin

Granted: ALTER ANY ENDPOINT, ALTER RESOURCES, ALTER SERVER STATE, ALTER SETTINGS, SHUTDOWN, VIEW SERVER STATE

setupadmin

Granted: ALTER ANY LINKED SERVER

sysadmin

Granted with GRANT option: CONTROL SERVER

Remarks

The public role is granted VIEW ANY DATABASE permission.

Members of the securityadmin fixed server role can grant both server-level and database-level permissions.

Fixed server roles are not equivalent to their server-level permission. For example, the sysadmin fixed server role has the CONTROL SERVER permission. But granting the CONTROL SERVER permission does not make a login a member of the sysadmin fixed server role. The IS_SRVROLEMEMBER (Transact-SQL) function will correctly report that the login is not a member of the sysadmin fixed server role. Members of the sysadmin fixed server role are identified as the dbo user in all databases, but logins with the CONTROL SERVER permission, are not.

Change History

Updated content

Corrected the permission of dbcreator.

Added the warning about the securityadmin role.

Clarified that roles are not equivalent to their permissions.