Blog Post

Server level database permissions

,

T-SQL Tuesday Sometimes you have a requirement to grant permissions to every database on an instance. Historically this has required creating a user (database level principal) on each database and granting it the correct permission. And making sure to grant those permissions to the model database so that future databases have the correct permission as they are created. There is now a better way! And that makes this a perfect subject for this month’s T-SQL Tuesday. Matt Gordon (b/t) is our host this month with the subject Fixing Old Problems with Shiny New Toys.

So what’s our shiny new permissions toy? Well, over time we have been getting more and more server level permissions that affect database level objects. A lot of these can be really useful and I’m hoping we will see more and more of them.

Permissions to control a database

Server Level PermissionMinimum VersionDefinition
CREATE DATABASE2012+Pretty self explainitory. The ability to create new databases.
ALTER ANY DATABASE2012+Change database properties.
VIEW ANY DATABASE2012+Kind of like VIEW DEFINITION but for database properties.

Permissions that affect permissions within every database

Server Level PermissionMinimum VersionDatabase Equivilent
ADMINISTER BULK OPERATIONSRequired for bulk operations in any database
CONNECT ANY DATABASE 2014+CONNECT
SELECT ALL USER SECURABLES 2014+SELECT
VIEW ANY DEFINITION2012+VIEW DEFINITION

So now if we want to grant someone read access to every database on the instance it’s as simple as creating the login (server level principal) and granting it CONNECT ANY DATABASE and SELECT ALL USER SECURABLES.

Some additional links:

SQL 2014 Learning Series 1: CONNECT ANY DATABASE
SQL 2014 Learning Series 2: SELECT ALL USER SECURABLES
New SQL Server 2014 Permissions: CONNECT ANY DATABASE
Is it safe to grant ADMINISTER BULK OPERATIONS

And of course the disclaimer: I’m by no means perfect, so if I missed anything let me know and I’ll add it to the list.

Filed under: Microsoft SQL Server, Security, SQLServerPedia Syndication, T-SQL Tuesday Tagged: microsoft sql server, security, T-SQL Tuesday

Rate

You rated this post out of 5. Change rating

Share

Share

Rate

You rated this post out of 5. Change rating

Related content

Technical Article

Database Mirroring FAQ: Can a 2008 SQL instance be used as the witness for a 2005 database mirroring setup?

Question: Can a 2008 SQL instance be used as the witness for a 2005 database mirroring setup? This question was sent to me via email. My reply follows. Can a 2008 SQL instance be used as the witness for a 2005 database mirroring setup? Databases to be mirrored are currently running on 2005 SQL instances but will be upgraded to 2008 SQL in the near future.

You rated this post out of 5. Change rating

2009-02-23

1,567 reads

Technical Article

Networking - Part 4

You may want to read Part 1 , Part 2 , and Part 3 before continuing. This time around I'd like to talk about social networking. We'll start with social networking. Facebook, MySpace, and Twitter are all good examples of using technology to let...

You rated this post out of 5. Change rating

2009-02-17

1,530 reads

Technical Article

Speaking at Community Events - More Thoughts

Last week I posted Speaking at Community Events - Time to Raise the Bar?, a first cut at talking about to what degree we should require experience for speakers at events like SQLSaturday as well as when it might be appropriate to add additional focus/limitations on the presentations that are accepted. I've got a few more thoughts on the topic this week, and I look forward to your comments.

You rated this post out of 5. Change rating

2009-02-13

360 reads