Microsoft SQL Server 2016 and Azure SQL Database

Permission Syntax

Most permission statements have the format :

AUTHORIZATION PERMISSION ON SECURABLE::NAME TO PRINCIPAL

AUTHORIZATION must be GRANT, REVOKE or DENY.

PERMISSION is listed in the charts below.

ON SECURABLE::NAME is the server, server object, database, or database object and its name. (ON SECURABLE::NAME is omitted

Database Engine Permissions

Sample grant statement: GRANT UPDATE ON OBJECT::Production.Parts TO PartsTeam

Database Level Permissions

To remove a previously granted permission, use REVOKE, not DENY.

Top Level Database Permissions

How to Read this Chart

CONTROL SERVER

Black, green, and purple arrows and boxes point to subordinate permissions that are included in the scope of higher a level permission.

Brown arrows and boxes indicate some of the statements that can use the permission.

Permissions in black apply to both SQL Server 2016 and Azure SQL Database

Permissions in red apply only to SQL Server 2016

Permissions in blue apply only to Azure SQL Database

The newest permissions are underlined

ALTER ANY APPLICATION ROLE See Application Roles Permissions Chart

STATEMENTS:
CREATE DATABASE
ALTER DATABASE
DROP DATABASE

ALTER ANY SERVER AUDIT

ALTER ON DATABASE::<name>

ALTER ANY DATABASE

ALTER ANY USER

ALTER ANY CONTRACT See Service Broker Permissions Chart

STATEMENTS:

ALTER ANY DATABASE AUDIT

CREATE DATABASE AUDIT SPECIFICATION

ALTER ANY DATABASE DDL TRIGGER

CREATE/ALTER/DROP database triggers

CREATE LOGIN

ALTER ANY DATASPACE

ALTER LOGIN

ALTER ANY EXTERNAL DATA SOURCE

DROP LOGIN

ALTER ANY EXTERNAL FILE FORMAT

PARTITION & PLAN GUIDE statements

db_accessadmin role

ALTER ANY MESSAGE TYPE See Service Broker Permissions Chart

db_owner role

EXECUTE AS

ALTER ANY DATABASE

VIEW DEFINITION ON DATABASE::<name>

VIEW DEFINITION ON ASSEMBLY::<name>

REFERENCES ON DATABASE::<name>

REFERENCES ON ASSEMBLY::<name>

ALTER ON DATABASE::<name>

TAKE OWNERSHIP ON ASSEMBLY::<name>

ALTER ANY ASSEMBLY

ALTER ON ASSEMBLY::<name>
STATEMENTS:
ALTER ASSEMBLY

Note: CREATE and ALTER ASSEMBLY

statements sometimes require server
level EXTERNAL ACCESS ASSEMBLY
and UNSAFE ASSEMBLY permissions,
and can require membership in the
sysadmin fixed server role.

CREATE USER

DROP ASSEMBLY
CREATE ASSEMBLY

CREATE ASSEMBLY

When contained databases are enabled, creating a database user

SQL Database can be a push replication subscriber which

that authenticates at the database, grants CONNECT ON DATABASE

ALTER ANY ROLE See Database Role Permissions Chart

requires no special permissions.

Event Notification Permissions (SQL Server only)

to that user, and it can access SQL Server without a login.

ALTER ANY ROUTE See Service Broker Permissions Chart

Granting ALTER ANY USER allows a principal to create a user based

on a login, but does not grant the server level permission to view

ALTER ANY SECURITY POLICY

CONTROL SERVER

CONTROL ON DATABASE::<name>

information about logins.

ALTER ANY SERVICE See Service Broker Permissions Chart

ALTER ANY SYMMETRIC KEY See Symmetric Key Permissions Chart

ALTER ON DATABASE::<name>

ALTER ANY USER See Connect and Authentication Database Permissions Chart

Database Role Permissions

Database scoped event notifications

ALTER ANY DATABASE EVENT NOTIFICATION

ALTER ANY EVENT NOTIFICATION

CREATE AGGREGATE

ADMINISTER BULK OPERATIONS

bulkadmin role

STATEMENTS:
STATEMENTS:
CREATE/ALTER/DROP server triggers
CREATE/ALTER/DROP server triggers

CREATE DEFAULT

OPENROWSET(BULK.
OPENROWSET(BULK

CREATE QUEUE
CREATE RULE

ALTER ANY CONNECTION

KILL

CREATE TABLE

ALTER ANY CREDENTIAL

CREATE/ALTER/DROP CREDENTIAL

CREATE TYPE

VIEW ANY DEFINITION

db_securityadmin role

CREATE VIEW

dbcreator role

ALTER ANY DATABASE

ALTER ANY DATABASE SCOPED CONFIGURATION

CREATE DDL EVENT NOTIFICATION

Server scoped DDL event notifications

ALTER ANY MASK

CREATE TRACE EVENT NOTIFICATION

Event notifications on trace events

Combined with TRUSTWORTHY allows delegation of authentication

Extended event sessions

BACKUP DATABASE

BACKUP DATABASE

sp_addlinkedserver

BACKUP LOG

db_backupoperator role

CREATE/ALTER/DROP SERVER AUDIT

and SERVER AUDIT SPECIFICATION

DROP ROLE
CREATE ROLE

NOTES: Only members of the db_owner

CREATE ROLE

VIEW ANY DEFINITION

DELETE

Applies to subordinate objects in the database. See

SELECT
SELECT on
on server-level
server-level DMVs
DMVs

SELECT

Database Permissions Schema Objects chart.

ALTER SETTINGS

sp_configure,
sp_configure, RECONFIGURE
RECONFIGURE

UPDATE

ALTER TRACE

Notes:

sp_trace_create
sp_create_trace

AUTHENTICATE SERVER

Allows
Allows server-level
server-level delegation
delegation

VIEW ANY DEFINITION

VIEW DEFINITION

STATEMENTS:

TAKE OWNERSHIP

ALTER AUTHORIZATION

CONNECT SQL See Connect and Authentication

EXECUTE ANY EXTERNAL SCRIPT

CONNECT ANY DATABASE

KILL DATABASE CONNECTION

IMPERSONATE ANY LOGIN

ALTER TRACE

VIEW ANY COLUMN MASTER KEY DEFINITION

EXTERNAL ACCESS ASSEMBLY

public role

VIEW SERVER STATE

CONTROL ON DATABASE::<name>

CONTROL ON APPLICATION ROLE::<name>

ALTER SERVICE

membership in a role or ALTER permission on a role.

ALTER AUTHORIZATION exists at many levels in the permission model but is

VIEW ANY DEFINITION

VIEW DEFINITION ON DATABASE::<name>

DROP SERVICE

VIEW DEFINITION ON APPLICATION ROLE::<name>

CREATE SERVICE

CREATE SERVICE

In both SQL Server and SQL Database the public database role does not initially have access to any user objects.

ALTER ANY DATABASE

ALTER ON DATABASE::<name>
CONTROL SERVER
ALTER ANY APPLICATION ROLE

In SQL Server 2016, the public database role has the VIEW ANY COLUMN MASTER KEY DEFINITION and VIEW ANY
COLUMN ENCRYPTION KEY DEFINITION permissions by default. They can be revoked.

VIEW DATABASE STATE

CONTROL ON DATABASE::<name>

CONTROL ON REMOTE SERVICE BINDING::<name>

ALTER ON APPLICATION ROLE::<name>

STATEMENTS:
ALTER APPLICATION ROLE

* NOTE: The SHUTDOWN statement requires the SQL Server SHUTDOWN permission. Starting, stopping, and pausing the Database
Engine from SSCM, SSMS, or Windows requires Windows permissions, not SQL Server permissions.
public role

Schema Permissions

Connect and Authentication Server Permissions

CONTROL ON DATABASE::<name>

CONTROL ON SCHEMA ::<name>

Object Permissions
Type Permissions
XML Schema Collection Permissions

VIEW DEFINITION ON LOGIN::<name>

IMPERSONATE ON LOGIN::<name>

STATEMENTS:

ALTER ON LOGIN::<name>

EXECUTE AS

db_datawriter role
db_denydatawriter role

STATEMENTS:

VIEW ANY DEFINITION

ALTER LOGIN, sp_addlinkedsrvlogin

DROP LOGIN
CREATE LOGIN

SELECT ON SCHEMA::<name>

SELECT ON OBJECT::<table |view name>

INSERT ON DATABASE::<name>

INSERT ON SCHEMA::<name>

INSERT ON OBJECT::< table |view name>

UPDATE ON DATABASE::<name>

UPDATE ON SCHEMA::<name>

UPDATE ON OBJECT::< table |view name>

DELETE ON DATABASE::<name>

DELETE ON SCHEMA::<name>

DELETE ON OBJECT::< table |view name>

EXECUTE ON DATABASE::<name>

EXECUTE ON SCHEMA::<name>

EXECUTE ON OBJECT|TYPE|XML SCHEMA COLLECTION::<name>

REFERENCES ON DATABASE::<name>

REFERENCES ON SCHEMA::<name>

REFERENCES ON OBJECT|TYPE|XML SCHEMA COLLECTION:<name>

VIEW DEFINITION ON DATABASE::<name>

VIEW DEFINITION ON SCHEMA::<name>

VIEW DEFINITION ON OBJECT|TYPE|XML SCHEMA COLLECTION::<name>

TAKE OWNERSHIP ON DATABASE::<name>

TAKE OWNERSHIP ON SCHEMA::<name>

TAKE OWNERSHIP ON OBJECT|TYPE|XML SCHEMA COLLECTION::<name>

ALTER ANY DATABASE

ALTER ON SCHEMA::<name>

Enabling a login (ALTER LOGIN <name> ENABLE) is not the same as granting CONNECT SQL permission.

To map a login to a credential, see ALTER ANY CREDENTIAL.

CREATE DEFAULT

When contained databases are enabled, users can access SQL Server without a login. See database user

CREATE FUNCTION

permissions.

CREATE PROCEDURE

To connect using a login you must have :

CREATE QUEUE

An enabled login

CREATE RULE

CONNECT SQL

CREATE SYNONYM

CONNECT for the database (if specified)

CREATE TABLE

REFERENCES ON SYMMETRIC KEY::<name>

ALTER ON DATABASE::<name>

TAKE OWNERSHIP ON SYMMETRIC KEY::<name>

CONTROL SERVER

STATEMENTS:

CREATE REMOTE SERVICE BINDING

CONTROL ON DATABASE::<name>

CONTROL ON CONTRACT::<name>

VIEW DEFINITION ON DATABASE::<name>

VIEW DEFINITION ON CONTRACT::<name>

REFERENCES ON DATABASE::<name>

REFERENCES ON CONTRACT::<name>
TAKE OWNERSHIP ON CONTRACT::<name>

ALTER ANY DATABASE

ALTER ON DATABASE::<name>

ALTER SYMMETRIC KEY

key), and requires permission on the

ALTER ON OBJECT|TYPE|XML SCHEMA COLLECTION::<name>

ALTER ON SYMMETRIC KEY::<name>

ALTER ANY CONTRACT

DROP SYMMETRIC KEY

key encryption hierarchy.

CREATE SYMMETRIC KEY

ALTER ON CONTRACT::<name>
STATEMENTS:

CREATE SYMMETRIC KEY

DROP CONTRACT

OBJECT permissions apply to the following database objects:

CREATE CONTRACT

AGGREGATE

CREATE CONTRACT

DEFAULT

Asymmetric Key Permissions

FUNCTION
PROCEDURE
QUEUE

CONTROL SERVER

CONTROL ON ASYMMETRIC KEY::<name>

CONTROL ON DATABASE::<name>

RULE

CONTROL SERVER

CONTROL ON DATABASE::<name>

CONTROL ON ROUTE::<name>

SYNONYM
TABLE

CREATE TYPE

CONTROL ON ENDPOINT::<name>

REFERENCES ON DATABASE::<name>

VIEW DEFINITION permission on the

CREATE SEQUENCE

The CREATE LOGIN statement creates a login and grants CONNECT SQL to that login.
CREATE AGGREGATE

VIEW DEFINITION ON SYMMETRIC KEY::<name>

key (implied by any permission on the

CREATE SCHEMA

Notes:

VIEW DEFINITION ON DATABASE::<name>

ALTER ANY SYMMETRIC KEY

Note: OPEN SYMMETRIC KEY requires

ALTER ON DATABASE::<name>
ALTER ANY SCHEMA

CREATE REMOTE SERVICE BINDING

VIEW ANY DEFINITION

RECEIVE ON OBJECT::<queue name>

CONNECT SQL

DROP REMOTE SERVICE BINDING

CONTROL ON SYMMETRIC KEY::<name>

CONTROL ON DATABASE::<name>

VIEW ANY DEFINITION

SELECT ON OBJECT::<queue name>

ALTER ANY DATABASE

ALTER REMOTE SERVICE BINDING

VIEW CHANGE TRACKING ON OBJECT::<name>

SELECT ON DATABASE::<name>

VIEW ANY DATABASE

ALTER ON REMOTE SERVICE BINDING::<name>

STATEMENTS:

Symmetric Key Permissions

CONTROL SERVER

VIEW CHANGE TRACKING ON SCHEMA::<name>

ALTER ON DATABASE::<name>
ALTER ANY REMOTE SERVICE BINDING

db_ddladmin role

CONTROL ON OBJECT|TYPE|XML SCHEMA COLLECTION ::<name>

VIEW DEFINITION ON REMOTE SERVICE BINDING::<name>

TAKE OWNERSHIP ON REMOTE SERVICE BINDING::<name>

ALTER ANY DATABASE

CONTROL ON LOGIN::<name>

db_datareader role
db_denydatareader role

VIEW DEFINITION ON DATABASE::<name>

CREATE APPLICATION ROLE

Database Permissions

CONTROL ON SERVER

VIEW ANY DEFINITION

DROP APPLICATION ROLE

Database Permissions Schema Objects

Server Permissions

VIEW

CREATE VIEW

VIEW ANY DEFINITION

(All permissions do not apply to all objects. For example

CREATE XML SCHEMA COLLECTION

UPDATE only applies to tables and views.)

VIEW ANY DEFINITION

ALTER ON SERVICE::<name>
STATEMENTS:

ALTER AUTHORIZATION for any object might also require IMPERSONATE or

VIEW ANY DATABASE See Database Permissions Schema

securityadmin role

ALTER ON DATABASE::<name>
ALTER ANY SERVICE

The public database role has many grants to system objects, which is necessary to manage internal actions.

VIEW ANY COLUMN ENCRYPTION KEY DEFINITION

VIEW ANY DEFINITION

CONTROL SERVER

ALTER ANY DATABASE

Notes:

UNMASK

UNSAFE ASSEMBLY

VIEW DEFINITION ON SERVICE::<name>

TAKE OWNERSHIP ON SERVICE::<name>

Application Role Permissions

never inherited from ALTER AUTHORIZATION at a higher level.

SUBSCRIBE QUERY NOTIFICATIONS

SHUTDOWN*

SHOWPLAN

SELECT ALL USER SECURABLES

CONTROL ON SERVICE::<name>

SEND ON SERVICE::<name>

REFERENCES

ALTER ANY LOGIN

VIEW DEFINITION ON DATABASE::<name>

EXECUTE
DBCC
DBCC FREECACHE
FREECACHE and
and SQLPERF
SQLPERF

VIEW ANY DEFINITION

CONTROL ON DATABASE::<name>

members from fixed database roles.

CHECKPOINT

STATEMENTS:

CONTROL SERVER

CONTROL SERVER

fixed database role can add or remove

INSERT

SHUTDOWN

Service Broker Permissions (SQL Server only)

ALTER ROLE <name> ADD MEMBER

CONNECT REPLICATION See Connect and Authentication Database Permissions Chart

ALTER RESOURCES (NA. Use diskadmin role instead.)

VIEW SERVER STATE

STATEMENTS:

BACKUP LOG

CHECKPOINT

CREATE SERVER ROLE See Server Role Permissions

ALTER SERVER STATE

Note: EVENT NOTIFICATION permissions also affect service

ALTER ON ROLE::<name>

ALTER DATABASE SCOPED CONFIGURATION

AUTHENTICATE

AUTHENTICATE SERVER

securityadmin role

ALTER ANY SERVER ROLE See Server Role Permissions

TAKE OWNERSHIP ON ROLE::<name>

STATEMENTS:
Server scoped event notifications

ALTER ANY SERVER AUDIT

ALTER ON DATABASE::<name>

ALTER ANY ROLE

CREATE ENDPOINT See Connect and Authentication

ALTER ANY LOGIN See Connect and Authentication

VIEW DEFINITION ON ROLE::<name>

broker. See the service broker chart for more into.

ALTER ANY ENDPOINT See Connect and Authentication

setupadmin role

VIEW DEFINITION ON DATABASE::<name>

CREATE XML SCHEMA COLLECTION

CREATE ANY DATABASE See Top Level Database Permissions

ALTER ANY EVENT SESSION

Database scoped DDL event notifications

Event notifications on trace events

CREATE TRACE EVENT NOTIFICATION

CREATE SYNONYM

ALTER ANY EVENT NOTIFICATION

CREATE DATABASE DDL EVENT NOTIFICATION

CREATE DDL EVENT NOTIFICATION

CREATE PROCEDURE

CREATE AVAILABILTY GROUP

ALTER ANY DATABASE See Database Permission Charts

CONTROL ON ROLE::<name>

CONTROL ON DATABASE::<name>

CONTROL SERVER

CREATE FUNCTION

ALTER ANY AVAILABILITY GROUP See Availability Group Permissions

CONTROL ON ASSEMBLY::<name>

NOTES:

ALTER ANY REMOTE SERVICE BINDING See Service Broker Permissions Chart

CONTROL ON DATABASE::<name>

CONTROL SERVER

CONTROL ON DATABASE::<name>

ALTER ON USER::<name>

CONNECT REPLICATION ON DATABASE::<name>

CONNECT ON DATABASE::<name>

CONNECT ANY DATABASE

ALTER ANY FULLTEXT CATALOG See Full-text Permissions Chart

sysadmin role

A DENY on a table is overridden by a GRANT on a column. However, a subsequent DENY on the table will remove the column GRANT.

VIEW ANY DEFINITION

DROP USER

Top Level Server Permissions

ALTER USER

ALTER ANY DATABASE EVENT SESSION

Server Level Permissions for SQL Server

serveradmin role

Object owners can delete them but they do not have full permissions on them.

STATEMENTS:

ALTER ANY SCHEMA See Database Permissions Schema Objects Chart

ALTER ANY LINKED SERVER

IMPERSONATE ON USER::<name>

ALTER ANY DATABASE EVENT NOTIFICATION See Event Notifications Permissions Chart

db_ddladmin role

processadmin role

ALTER ANY COLUMN MASTER KEY

USER DATABASE

If you create
a database

SQL Database permissions refer to version 12.

ALTER ANY COLUMN ENCRYPTION KEY

STATEMENTS:

dbmanager role

STATEMENTS:

ALTER ANY CERTIFICATE See Certificate Permissions Chart

ALTER ANY EVENT NOTIFICATION

Server-Level Principal Login

Granting any permission on a securable allows VIEW DEFINITION on that securable. It is an implied permissions and it cannot be revoked,

CONTROL SERVER

VIEW DEFINITION ON USER::<name>

ALTER ANY ASYMMETRIC KEY See Asymmetric Key Permissions Chart

Notes:
Server-level permissions cannot be granted on SQL Database. Use the
loginmanager and dbmanager roles in the master database instead.

loginmanager
role
loginmanager role

VIEW DEFINITION ON DATABASE::<name>

VIEW ANY DEFINITION

ALTER ANY ASSEMBLY See Assembly Permissions Chart

Top Level Server Permissions

However, it is sometimes possible to impersonate between roles and equivalent permissions.

granted in the master database. For SQL Database use the dbmanager role.

ALTER ON DATABASE::<name>

Azure SQL Database Permissions

Outside the Database

membership in the sysadmin fixed server role. Membership in the db_owner role does not grant the CONTROL DATABASE permission.)

** NOTE: CREATE DATABASE is a database level permission that can only be

STATEMENTS: CREATE DATABASE, RESTORE DATABASE

CREATE DATABASE **

CONTROL ON USER::<name>

CONTROL ON DATABASE::<name>

CONTROL SERVER

ALTER ANY DATABASE

Permissions do not imply role memberships and role memberships do not grant permissions. (E.g. CONTROL SERVER does not imply

Assembly Permissions

Connect and Authentication Database Permissions

STATEMENTS: DROP DATABASE

CONTROL DATABASE

CREATE ANY DATABASE

db_owner has all permissions in the database.

db_owner role

Most of the more granular permissions are included in more than one higher level scope permission. So permissions can be inherited
from more than one type of higher scope.

The CONTROL DATABASE permission has all permissions on the database.

but it can be explicitly denied by using the DENY VIEW DEFINITION statement.

PRINCIPAL is the login, user, or role which receives or loses the permission. Grant permissions to roles whenever possible.

Denying a permission at any level, overrides a related grant.

The CONTROL SERVER permission has all permissions on the instance of SQL Server or SQL Database.

for server-wide and database-wide permissions.)

NOTES:

CONNECT ON ENDPOINT::<name>

ALTER ANY DATABASE

VIEW DEFINITION ON DATABASE::<name>

VIEW DEFINITION ON ASYMMETRIC KEY::<name>

REFERENCES ON DATABASE::<name>

REFERENCES ON ASYMMETRIC KEY::<name>

ALTER ON DATABASE::<name>

TAKE OWNERSHIP ON ASYMMETRIC KEY::<name>

VIEW ANY DEFINITION

VIEW DEFINITION ON DATABASE::<name>

VIEW DEFINITION ON ROUTE::<name>

TAKE OWNERSHIP ON ROUTE::<name>

ALTER ANY DATABASE

ALTER ON DATABASE::<name>

TAKE OWNERSHIP ON ENDPOINT::<name>

VIEW DEFINITION ON ENDPOINT::<name>
ALTER ANY ENDPOINT

ALTER ON ENDPOINT::<name>
STATEMENTS:

ALTER ANY ROUTE

Notes:

DROP ENDPOINT
CREATE ENDPOINT

To create a schema object (such as a table) you must have CREATE permission for that object type

To drop an object (such as a table) you must have ALTER permission on the schema or CONTROL
permission on the object.

plus ALTER ON SCHEMA::<name> for the schema of the object. Might require REFERENCES ON

ALTER ENDPOINT
CREATE ENDPOINT

ALTER ANY ASYMMETRIC KEY

OBJECT::<name> for any referenced CLR type or XML schema collection.

To create an index requires ALTER OBJECT::<name> permission on the table or view.

To alter an object (such as a table) you must have ALTER permission on the object (or schema), or

To create or alter a trigger on a table or view requires ALTER OBJECT::<name> on the table or view.

CONTROL permission on the object.

To create statistics requires ALTER OBJECT::<name> on the table or view.

ALTER ON ASYMMETRIC KEY::<name>

Note: ADD SIGNATURE requires

STATEMENTS:

CONTROL permission on the key, and

ALTER ASYMMETRIC KEY

requires ALTER permission on the

object.

STATEMENTS:
ALTER ROUTE
DROP ROUTE
CREATE ROUTE

DROP ASYMMETRIC KEY

CREATE ASYMMETRIC KEY

Full-text Permissions

CONTROL SERVER

CONTROL ON DATABASE::<name>

CONTROL ON SEARCH PROPERTY LIST::<name>

CONTROL ON DATABASE::<name>

CONTROL SERVER

CONTROL ON DATABASE::<name>

CONTROL ON CERTIFICATE::<name>

VIEW ANY DEFINITION

CONTROL ON FULLTEXT STOPLIST::<name>

VIEW DEFINITION ON DATABASE::<name>

VIEW DEFINITION ON MESSAGE TYPE::<name>

REFERENCES ON DATABASE::<name>

REFERENCES ON MESSAGE TYPE::<name>

TAKE OWNERSHIP ON MESSAGE TYPE::<name>

CONTROL ON FULLTEXT CATALOG::<name>

ALTER ANY DATABASE
VIEW ANY DEFINITION

VIEW DEFINITION ON SERVER ROLE::<name>

TAKE OWNERSHIP ON SERVER ROLE::<name>

ALTER ANY SERVER ROLE

ALTER ON SERVER ROLE::<name>

VIEW DEFINITION ON SEARCH PROPERTY LIST::<name>

VIEW ANY DEFINITION

CONTROL ON MESSAGE TYPE::<name>

Certificate Permissions

CONTROL ON SERVER ROLE::<name>

CONTROL SERVER

CREATE ROUTE

CREATE ASYMMETRIC KEY

CONTROL SERVER

Server Role Permissions

ALTER ON ROUTE::<name>

VIEW DEFINITION ON DATABASE::<name>

VIEW ANY DEFINITION

VIEW DEFINITION ON FULLTEXT STOPLIST::<name>

VIEW DEFINITION ON FULLTEXT CATALOG::<name>

ALTER ANY DATABASE

VIEW DEFINITION ON DATABASE::<name>

VIEW DEFINITION ON CERTIFICATE::<name>

REFERENCES ON DATABASE::<name>

REFERENCES ON CERTIFICATE::<name>

ALTER ON DATABASE::<name>

TAKE OWNERSHIP ON CERTIFICATE::<name>

ALTER ON DATABASE::<name>
ALTER ANY MESSAGE TYPE

ALTER ON MESSAGE TYPE::<name>

STATEMENTS:
ALTER MESSAGE TYPE
DROP MESSAGE TYPE

STATEMENTS:

REFERENCES ON SEARCH PROPERTY LIST::<name>

ALTER SERVER ROLE <name> ADD MEMBER

REFERENCES ON DATABASE::<name>

DROP SERVER ROLE

TAKE OWNERSHIP ON FULLTEXT CATALOG::<name>

ALTER ANY DATABASE

TAKE OWNERSHIP ON FULLTEXT STOPLIST::<name>

TAKE OWNERSHIP ON SEARCH PROPERTY LIST::<name>

ALTER ON DATABASE::<name>

ALTER ANY FULLTEXT CATALOG

DROP CERTIFICATE
CREATE CERTIFICATE

CREATE CERTIFICATE

ALTER ON FULLTEXT CATALOG::<name>

CONTROL ON AVAILABILITY GROUP::<name>

ALTER FULLTEXT CATALOG

STATEMENTS:
ALTER FULLTEXT STOPLIST
CREATE FULLTEXT STOPLIST

VIEW DEFINITION ON AVAILABILITY GROUP::<name>

TAKE OWNERSHIP ON AVAILABILITY GROUP::<name>

STATEMENTS:
ALTER SEARCH PROPERTY LIST
CREATE SEARCH PROPERTY LIST

ALTER ON AVAILABILITY GROUP::<name>

May 25, 2016

STATEMENTS:
STATEMENTS:

DROP FULLTEXT CATALOG

ALTER AVAILABILITY GROUP

DROP FULLTEXT STOPLIST

DROP AVAILABILITY GROUP

DROP FULLTEXT SEARCH PROPERTYLIST

CREATE AVAILABILITY GROUP

Questions and comments to

[email protected]

STATEMENTS:
CREATE FULLTEXT CATALOG

CREATE AVAILABILITY GROUP

ALTER CERTIFICATE

ALTER ON FULLTEXT STOPLIST::<name>

CREATE FULLTEXT CATALOG

ALTER ANY AVAILABILITY GROUP

Note: ADD SIGNATURE requires

CONTROL permission on the certificate,
and requires ALTER permission on the
object.

ALTER ON SEARCH PROPERTY LIST::<name>

Availability Group Permissions

CREATE QUEUE

STATEMENTS:

that fixed server role, or be a member of the sysadmin fixed server role.

VIEW ANY DEFINITION

ALTER ON CERTIFICATE::<name>

REFERENCES ON FULLTEXT CATALOG::<name>

NOTES: To add a member to a fixed server role, you must be a member of

CONTROL SERVER

ALTER ANY CERTIFICATE

REFERENCES ON FULLTEXT STOPLIST::<name>

CREATE SERVER ROLE

CREATE SERVER ROLE

CREATE MESSAGE TYPE

Notes:

Creating a full-text index requires ALTER permission on the table and REFERENCES permission on the full-text catalog.

Dropping a full-text index requires ALTER permission on the table.

2016 Microsoft Corporation. All rights reserved.

Notes:
The user executing the CREATE CONTRACT statement must have REFERENCES permission on
all message types specified.
The user executing the CREATE SERVICE statement must have REFERENCES permission on
the queue and all contracts specified.
To execute the CREATE or ALTER REMOTE SERVICE BINDING the user must have
impersonate permission for the principal specified in the statement.
When the CREATE or ALTER MESSAGE TYPE statement specifies a schema collection, the user
executing the statement must have REFERENCES permission on the schema collection
specified.
See the ALTER ANY EVENT NOTIFICATION chart for more permissions related to Service
Broker.
See the SCHEMA OBJECTS chart for QUEUE permissions.
The ALTER CONTRACT permission exists but at this time there is no ALTER CONTRACT
statement.

CREATE MESSAGE TYPE