Permissions of the Standard Roles

The following standard server permissions are available in every SQL Server:

Fixed server-level roleDatabase-level permissionServer-level permission
db_accessadminALTER ANY USER, CREATE SCHEMA
Permission with GRANT option: CONNECT
VIEW ANY DATABASE
db_backupoperatorBACKUP DATABASE, BACKUP LOG, CHECKPOINTVIEW ANY DATABASE
db_datareaderSELECTVIEW ANY DATABASE
db_datawriterDELETE, INSERT, UPDATEVIEW ANY DATABASE
db_ddladminALTER ANY ASSEMBLY, ALTER ANY ASYMMETRIC KEY, ALTER ANY CERTIFICATE, ALTER ANY CONTRACT, ALTER ANY DATABASE DDL TRIGGER, ALTER ANY DATABASE EVENT, NOTIFICATION, ALTER ANY DATASPACE, ALTER ANY FULLTEXT CATALOG, ALTER ANY MESSAGE TYPE, ALTER ANY REMOTE SERVICE BINDING, ALTER ANY ROUTE, ALTER ANY SCHEMA, ALTER ANY SERVICE, ALTER ANY SYMMETRIC KEY, CHECKPOINT, CREATE AGGREGATE, CREATE DEFAULT, CREATE FUNCTION, CREATE PROCEDURE, CREATE QUEUE, CREATE RULE, CREATE SYNONYM, CREATE TABLE, CREATE TYPE, CREATE VIEW, CREATE XML SCHEMA COLLECTION, REFERENCESVIEW ANY DATABASE
db_denydatareaderNo permission: SELECTVIEW ANY DATABASE
db_denydatawriterNo permission: DELETE, INSERT, UPDATEVIEW ANY DATABASE
db_ownerPermission with GRANT option: CONTROLVIEW ANY DATABASE
db_securityadminALTER ANY APPLICATION ROLE, ALTER ANY ROLE, CREATE SCHEMA, VIEW DEFINITIONVIEW ANY DATABASE
dbm_monitorVIEW of the latest status in the Database Mirroring Monitor
Important: The fixed database role dbm_monitor is created in the msdb database when the first database is registered in the Database Mirroring Monitor. The new dbm_monitor role has no members until a system administrator assigns users to the role.
VIEW ANY DATABASE

Fixed database roles are not equivalent to their database-level permission.

For example, the fixed database role db_owner has the CONTROL DATABASE permission.

However, granting the CONTROL DATABASE permission does not make a user a member of the fixed database role db_owner.

Members of the fixed database role db_owner are identified in the databases as the user dbo, whereas users with the CONTROL DATABASE permission are not.

Unless the built-in default user sa of Microsoft SQL Server is to be used for Q-Matrix™, the special user for Q-Matrix™ must be assigned the db_owner permission.

This applies only if the settings are made via Microsoft SQL Management Studio, since the special rights that are required cannot be set via the graphical interface.

With this setting, Q-Matrix™ can be used in normal operational mode, i.e. successful logins to Q-Matrix™ allow managing the data in the database on the SQL server.

Special cases:

  • Creating the initial Q-Matrix™ database
    For the initial database to be created, the user must in this case have the db_owner permission.
  • Applying updates in the Q-Matrix™ database
    For updates to be applied to the database, the user must in this case be assigned the db_owner permission.

In addition to these standard permission settings, the user can also be granted special CONTROL rights.

To do this, the required rights must be assigned to the user via a Transact SQL (T-SQL) command.

The syntax to be used is as follows:

GRANT <permission> [ ,...n ]
    TO <database_principal> [ ,...n ] [ WITH GRANT OPTION ]
    [ AS <database_principal> ]
<permission>::=
permission | ALL [ PRIVILEGES ]
<database_principal> ::=
    Database_user
    | Database_role
    | Application_role
    | Database_user_mapped_to_Windows_User
    | Database_user_mapped_to_Windows_Group
    | Database_user_mapped_to_certificate
    | Database_user_mapped_to_asymmetric_key
    | Database_user_with_no_login

See also: https://technet.microsoft.com/de-de/library/ms178569(v=sql.105).aspx