Okay I found out that I was missing - server wide securables.
For anyone with same problem you can either check it directly from SSMS in Instance > Security > Logins > Login Properties > Securable or through this query
SELECT l.name as grantee_name, p.state_desc, p.permission_name
FROM sys.server_permissions AS p JOIN sys.server_principals AS l
ON p.grantee_principal_id = l.principal_id