Tell me Server level permission and DB level permission in SQL Server?

-

There are two type of  security role SERVER LEVEL and DATABASE LEVEL.

Server level Fixed Roles:

Fixed server-level roleDescription
sysadminMembers of the sysadmin fixed server role can perform any activity in the server. Important: permissions can't be denied to members of this role.
serveradminMembers of the serveradmin fixed server role can change server-wide configuration options and shut down the server.
securityadminMembers of the securityadmin fixed server role manage logins and their properties. They can GRANTDENY, and REVOKE server-level permissions. securityadmin can also GRANTDENY, and REVOKE database-level permissions if they have access to a database. Additionally, securityadmin can reset passwords for SQL Server logins.

IMPORTANT: The ability to grant access to the Database Engine and to configure user permissions allows the security admin to assign most server permissions. The securityadmin role should be treated as equivalent to the sysadmin role. As an alternative, starting with SQL Server 2022 (16.x), consider using the new fixed server role ##MS_LoginManager##.
processadminMembers of the processadmin fixed server role can end processes that are running in an instance of SQL Server.
setupadminMembers of the setupadmin fixed server role can add and remove linked servers by using Transact-SQL statements. (sysadmin membership is needed when using Management Studio.)
bulkadminMembers of the bulkadmin fixed server role can run the BULK INSERT statement.

The bulkadmin role or ADMINISTER BULK OPERATIONS permissions isn't supported for SQL Server on Linux. Only the sysadmin can perform bulk inserts for SQL Server on Linux.
diskadminThe diskadmin fixed server role is used for managing disk files.
dbcreatorMembers of the dbcreator fixed server role can create, alter, drop, and restore any database.
publicEvery SQL Server login belongs to the public server role. When a server principal isn't granted or denied specific permissions on a securable object, the user inherits the permissions granted to public on that object. Only assign public permissions on any object when you want the object to be available to all users. You can't change membership in public.

Note: public is implemented differently than other roles, and permissions can be granted, denied, or revoked from the public fixed server roles.

Database level Fixed Roles: 

Fixed database role nameDescription
db_ownerMembers of the db_owner fixed database role can perform all configuration and maintenance activities on the database, and can also DROP the database in SQL Server. (In SQL Database and Azure Synapse, some maintenance activities require server-level permissions and can't be performed by db_owners.)
db_securityadminMembers of the db_securityadmin fixed database role can modify role membership for custom roles only and manage permissions. Members of this role can potentially elevate their privileges and their actions should be monitored.
db_accessadminMembers of the db_accessadmin fixed database role can add or remove access to the database for Windows logins, Windows groups, and SQL Server logins.
db_backupoperatorMembers of the db_backupoperator fixed database role can back up the database.
db_ddladminMembers of the db_ddladmin fixed database role can run any Data Definition Language (DDL) command in a database. Members of this role can potentially elevate their privileges by manipulating code that might get executed under high privileges and their actions should be monitored.
db_datawriterMembers of the db_datawriter fixed database role can add, delete, or change data in all user tables. In most use cases, this role is combined with db_datareader membership to allow reading the data that is to be modified.
db_datareaderMembers of the db_datareader fixed database role can read all data from all user tables and views. User objects can exist in any schema except sys and INFORMATION_SCHEMA.
db_denydatawriterMembers of the db_denydatawriter fixed database role can't add, modify, or delete any data in the user tables within a database.
db_denydatareaderMembers of the db_denydatareader fixed database role can't read any data from the user tables and views within a database.


Comments

Post a Comment

Popular posts from this blog

SQL Server Service Account Password Rotation (Including SPN Updates and AAG Handling)

-
  Runbook: SQL Server Service Account Password Rotation (Including SPN Updates and AAG Handling) Environment Primary Server: ServerA Secondary Server: ServerB SQL Server: AlwaysOn Availability Group (AAG) with Automatic Failover Task Breakdown 1. Before Change Start Tasks ✅ 1.1 Raise Change Ticket Open a Change Request (CR) in ITSM Jira tool. Add details: SQL Service account password rotation. Update SPNs. Application validation. Attach: Impact Analysis Backout Plan 1.2 Get CAB Approval Submit CR for CAB review and approval. Get approvals from: CAB QA Application owners 1.3 Create New AD Service Account. Request AD team to create: Username: SQLService_ServerA Password: Strong and non-expiring. Permissions: Add to Domain Users Add to Local Administrators Group Command to Add Account to Local Admin Group: net localgroup administrators "DOMAIN\SQLService_ServerA" /add 1.4 Grant SQL Server Access Connect to SQL Server as sys...
Read more

How to use Azure Automatic performance tuning ?

-
  Automatic performance tuning in Azure SQL Database is a powerful feature that helps optimize query performance without manual intervention. It includes capabilities like automatic plan correction , index tuning , and query regression detection . Here's a step-by-step guide to enable and manage it, especially focused on query performance tuning : Step-by-Step: Enable Automatic Performance Tuning in Azure SQL Step 1: Open Azure Portal Go to https://portal.azure.com Sign in with your Azure account. Step 2: Go to Your SQL Database Navigate to "SQL databases" Click on the target database you want to enable tuning for. Step 3: Enable Automatic Tuning In the left-side menu, find and click on "Automatic tuning" You will see the following options: Force Last Good Plan – Automatically reverts to a known good query plan if performance regresses. Create Index – Azure creates recommended indexes automatically. Drop Index – Azure drops unused or dupl...
Read more

How to Upgrade SQL Server from 2014 to 2022, Apply the Latest Patches Post-Upgrade, and Install the Latest SSMS Tool?

-
Firstly, ensure that you have completed this on in a non-production environment. Assume infrastructure is set up for SQL Server mirroring: - Principal A - Primary - Mirror B - Secondary - Commit mode - Synchronous commit. change ticket. Before change steps: 1. Create a change ticket. 2. Conduct a peer review of the change ticket. 3. Obtain approval from the Change Advisory Board (CAB). 4. Get QA approval for application testing following the SQL Server version upgrade, installation of SSMS, and the latest cumulative update (CU) patch. 5. Download the latest patch executable from the Microsoft website and transfer the CU to both servers. 6. Move the existing SQL Server 2022 installation media to both servers. 7. Download the latest version of SSMS from the Microsoft website and transfer it to both servers. 8. Schedule stop of alerts for unnecessary tickets from the monitoring tool. During the change window steps: 1. Create backups of the system databases. 2. Take a snapshot of the opera...
Read more