Permissions Poster SQL Server 2016 and SQLDB

NOTES:
• The CONTROL SERVER permission has all permissions on the instance of SQL Server or SQL Database.
• The CONTROL DATABASE permission has all permissions on the database.
• Permissions do not imply role memberships and role memberships do not grant permissions. (E.g. CONTROL SERVER does not imply membership in the sysadmin fixed server role. Membership in the db_owner role does not grant the CONTROL DATABASE permission.) However, it is sometimes possible to impersonate between roles and equivalent permissions.
• Most of the more granular permissions are included in more than one higher level scope permission, so permissions can be inherited from more than one type of higher scope.
• Black, green, and purple arrows and boxes point to subordinate permissions that are included in the scope of a higher level permission. (In the charts below each such arrow is written as →.)
• Brown arrows and boxes indicate some of the statements that can use the permission. (Written below as "STATEMENTS:".)
• Permissions in black apply to both SQL Server 2016 and Azure SQL Database.
• Permissions in red apply only to SQL Server 2016.
• Permissions in blue apply only to Azure SQL Database.
• The newest permissions are underlined.
• Fixed server and database roles that the poster draws beside a permission are written below in square brackets, e.g. [sysadmin role].

Permission Syntax
Most permission statements have the format:
AUTHORIZATION PERMISSION ON SECURABLE::NAME TO PRINCIPAL

Top Level Database Permissions
CONTROL SERVER → CONTROL ON DATABASE::<name>
  STATEMENTS: DROP DATABASE
CREATE ANY DATABASE → CREATE DATABASE **
  STATEMENTS: CREATE DATABASE, RESTORE DATABASE
ALTER ANY DATABASE → ALTER ON DATABASE::<name>
VIEW ANY DEFINITION → VIEW DEFINITION ON DATABASE::<name>
** NOTE: CREATE DATABASE is a database level permission that can only be granted in the master database. For SQL Database use the dbmanager role.

Server Level Permissions for SQL Server
Top Level Server Permissions
CONTROL SERVER [sysadmin role]
  STATEMENTS: CREATE/ALTER/DROP server triggers
ADMINISTER BULK OPERATIONS [bulkadmin role]
  STATEMENTS: OPENROWSET(BULK …
ALTER ANY AVAILABILITY GROUP – See Availability Group Permissions
CREATE AVAILABILITY GROUP
ALTER ANY CONNECTION [processadmin role]
  STATEMENTS: KILL
ALTER ANY CREDENTIAL
  STATEMENTS: CREATE/ALTER/DROP CREDENTIAL
ALTER ANY DATABASE – See Database Permission Charts [dbcreator role]
CREATE ANY DATABASE – See Top Level Database Permissions
ALTER ANY ENDPOINT – See Connect and Authentication
CREATE ENDPOINT – See Connect and Authentication
ALTER ANY EVENT NOTIFICATION (Server scoped event notifications)
CREATE DDL EVENT NOTIFICATION (Server scoped DDL event notifications)
CREATE TRACE EVENT NOTIFICATION (Event notifications on trace events)
ALTER ANY EVENT SESSION (Extended event sessions)
ALTER ANY LINKED SERVER [setupadmin role]
  STATEMENTS: sp_addlinkedserver
ALTER ANY LOGIN – See Connect and Authentication [securityadmin role]
ALTER ANY SERVER AUDIT
  STATEMENTS: CREATE/ALTER/DROP SERVER AUDIT and SERVER AUDIT SPECIFICATION
ALTER ANY SERVER ROLE – See Server Role Permissions
CREATE SERVER ROLE – See Server Role Permissions
ALTER RESOURCES (NA. Use diskadmin role instead.)
[public role]

Azure SQL Database Permissions
[Panel title from the poster; its entries could not be separated from the neighbouring charts in this copy.]

Database Permissions
ALTER ANY APPLICATION ROLE – See Application Roles Permissions Chart
ALTER ANY ASSEMBLY – See Assembly Permissions Chart
ALTER ANY ASYMMETRIC KEY – See Asymmetric Key Permissions Chart
ALTER ANY CERTIFICATE – See Certificate Permissions Chart
ALTER ANY COLUMN ENCRYPTION KEY
ALTER ANY DATABASE SCOPED CONFIGURATION
  STATEMENTS: ALTER DATABASE SCOPED CONFIGURATION
ALTER ANY MASK
ALTER ANY SYMMETRIC KEY – See Symmetric Key Permissions Chart
ALTER ANY USER – See Connect and Authentication – Database Permissions Chart
AUTHENTICATE SERVER → AUTHENTICATE (Combined with TRUSTWORTHY allows delegation of authentication)
BACKUP DATABASE
  STATEMENTS: BACKUP DATABASE
BACKUP LOG [db_backupoperator role]
  STATEMENTS: BACKUP LOG
CHECKPOINT
  STATEMENTS: CHECKPOINT
CONNECT REPLICATION – See Connect and Authentication – Database Permissions Chart
CREATE AGGREGATE
CREATE DEFAULT
CREATE FUNCTION
CREATE PROCEDURE
CREATE QUEUE
CREATE RULE
CREATE SYNONYM
CREATE TABLE
CREATE TYPE
CREATE VIEW
CREATE XML SCHEMA COLLECTION
DELETE
EXECUTE

Event Notification Permissions (the ALTER ANY EVENT NOTIFICATION chart)
ALTER ANY EVENT NOTIFICATION (Server scoped event notifications) → ALTER ANY DATABASE EVENT NOTIFICATION (Database scoped event notifications)
CREATE DDL EVENT NOTIFICATION (Server scoped DDL event notifications) → CREATE DATABASE DDL EVENT NOTIFICATION (Database scoped DDL event notifications)
CREATE TRACE EVENT NOTIFICATION (Event notifications on trace events)
Note: EVENT NOTIFICATION permissions also affect service broker. See the service broker chart for more info.

Connect and Authentication – Database Permissions
CONTROL SERVER → CONTROL ON DATABASE::<name> → CONTROL ON USER::<name>
VIEW ANY DEFINITION → VIEW DEFINITION ON DATABASE::<name> → VIEW DEFINITION ON USER::<name>
IMPERSONATE ON USER::<name>
  STATEMENTS: EXECUTE AS

Assembly Permissions
CONTROL SERVER → CONTROL ON DATABASE::<name> → CONTROL ON ASSEMBLY::<name>
VIEW ANY DEFINITION → VIEW DEFINITION ON DATABASE::<name> → VIEW DEFINITION ON ASSEMBLY::<name>
REFERENCES ON DATABASE::<name> → REFERENCES ON ASSEMBLY::<name>
ALTER ANY DATABASE → ALTER ON DATABASE::<name> → TAKE OWNERSHIP ON ASSEMBLY::<name>

Database Role Permissions
CONTROL SERVER → CONTROL ON DATABASE::<name> → CONTROL ON ROLE::<name>
VIEW ANY DEFINITION → VIEW DEFINITION ON DATABASE::<name> → VIEW DEFINITION ON ROLE::<name>
ALTER ANY DATABASE → ALTER ON DATABASE::<name> → TAKE OWNERSHIP ON ROLE::<name>
ALTER ANY ROLE → ALTER ON ROLE::<name> [db_securityadmin role]
  STATEMENTS: ALTER ROLE <name> ADD MEMBER, DROP ROLE
CREATE ROLE
  STATEMENTS: CREATE ROLE
NOTES: Only members of the db_owner fixed database role can add or remove members from fixed database roles.

Server Role Permissions
CONTROL SERVER → CONTROL ON SERVER ROLE::<name>
VIEW ANY DEFINITION → VIEW DEFINITION ON SERVER ROLE::<name>
TAKE OWNERSHIP ON SERVER ROLE::<name>
ALTER ANY SERVER ROLE → ALTER ON SERVER ROLE::<name>
  STATEMENTS: ALTER SERVER ROLE <name> ADD MEMBER, DROP SERVER ROLE
CREATE SERVER ROLE
  STATEMENTS: CREATE SERVER ROLE
NOTES: To add a member to a fixed server role, you must be a member of that fixed server role, or be a member of the sysadmin fixed server role.

Object Permissions
Columns: Server Permissions → Database Permissions → Schema Permissions → Type Permissions / XML Schema Collection Permissions (written OBJECT|TYPE|XML SCHEMA COLLECTION)
CONTROL ON SERVER → CONTROL ON DATABASE::<name> → CONTROL ON SCHEMA::<name> → CONTROL ON OBJECT|TYPE|XML SCHEMA COLLECTION::<name>
SELECT ON DATABASE::<name> → SELECT ON SCHEMA::<name> → SELECT ON OBJECT::<table|view name> [db_datareader role, db_denydatareader role]
VIEW CHANGE TRACKING ON SCHEMA::<name> → VIEW CHANGE TRACKING ON OBJECT::<name>
INSERT ON DATABASE::<name> → INSERT ON SCHEMA::<name> → INSERT ON OBJECT::<table|view name> [db_datawriter role, db_denydatawriter role]
UPDATE ON DATABASE::<name> → UPDATE ON SCHEMA::<name> → UPDATE ON OBJECT::<table|view name>
DELETE ON DATABASE::<name> → DELETE ON SCHEMA::<name> → DELETE ON OBJECT::<table|view name>
EXECUTE ON DATABASE::<name> → EXECUTE ON SCHEMA::<name> → EXECUTE ON OBJECT|TYPE|XML SCHEMA COLLECTION::<name>
REFERENCES ON DATABASE::<name> → REFERENCES ON SCHEMA::<name> → REFERENCES ON OBJECT|TYPE|XML SCHEMA COLLECTION::<name>
VIEW ANY DEFINITION → VIEW DEFINITION ON DATABASE::<name> → VIEW DEFINITION ON SCHEMA::<name> → VIEW DEFINITION ON OBJECT|TYPE|XML SCHEMA COLLECTION::<name>
TAKE OWNERSHIP ON DATABASE::<name> → TAKE OWNERSHIP ON SCHEMA::<name> → TAKE OWNERSHIP ON OBJECT|TYPE|XML SCHEMA COLLECTION::<name>
RECEIVE ON OBJECT::<queue name>
SELECT ON OBJECT::<queue name>
ALTER ANY DATABASE → ALTER ON DATABASE::<name> → ALTER ANY SCHEMA → ALTER ON SCHEMA::<name> → ALTER ON OBJECT|TYPE|XML SCHEMA COLLECTION::<name> [db_ddladmin role]
  STATEMENTS: CREATE SCHEMA, CREATE SEQUENCE, CREATE AGGREGATE, CREATE DEFAULT, CREATE FUNCTION (list truncated in this copy)
OBJECT permissions apply to the following database objects: AGGREGATE, DEFAULT (list truncated in this copy)

Connect and Authentication – Server Permissions
CONTROL SERVER → CONTROL ON LOGIN::<name>
VIEW ANY DEFINITION → VIEW DEFINITION ON LOGIN::<name>
IMPERSONATE ON LOGIN::<name>
  STATEMENTS: EXECUTE AS
ALTER ANY LOGIN → ALTER ON LOGIN::<name> [securityadmin role]
  STATEMENTS: ALTER LOGIN, sp_addlinkedsrvlogin, DROP LOGIN, CREATE LOGIN
VIEW ANY DATABASE
CONNECT SQL
Notes:
• The CREATE LOGIN statement creates a login and grants CONNECT SQL to that login.
• Enabling a login (ALTER LOGIN <name> ENABLE) is not the same as granting CONNECT SQL permission.
• To map a login to a credential, see ALTER ANY CREDENTIAL.
• When contained databases are enabled, users can access SQL Server without a login. See database user

Symmetric Key Permissions
CONTROL SERVER → CONTROL ON DATABASE::<name> → CONTROL ON SYMMETRIC KEY::<name>
VIEW ANY DEFINITION → VIEW DEFINITION ON DATABASE::<name> → VIEW DEFINITION ON SYMMETRIC KEY::<name>
REFERENCES ON DATABASE::<name> → REFERENCES ON SYMMETRIC KEY::<name>
ALTER ANY DATABASE → ALTER ON DATABASE::<name> → TAKE OWNERSHIP ON SYMMETRIC KEY::<name>
ALTER ANY SYMMETRIC KEY → ALTER ON SYMMETRIC KEY::<name>
  STATEMENTS: ALTER SYMMETRIC KEY, DROP SYMMETRIC KEY
CREATE SYMMETRIC KEY
  STATEMENTS: CREATE SYMMETRIC KEY
Note: OPEN SYMMETRIC KEY requires VIEW DEFINITION permission on the key (implied by any permission on the key), and requires permission on the key encryption hierarchy.

Certificate Permissions
CONTROL SERVER → CONTROL ON DATABASE::<name> → CONTROL ON CERTIFICATE::<name>
VIEW ANY DEFINITION → VIEW DEFINITION ON DATABASE::<name> → VIEW DEFINITION ON CERTIFICATE::<name>
REFERENCES ON DATABASE::<name> → REFERENCES ON CERTIFICATE::<name>
ALTER ANY DATABASE → ALTER ON DATABASE::<name> → TAKE OWNERSHIP ON CERTIFICATE::<name>
ALTER ANY CERTIFICATE → ALTER ON CERTIFICATE::<name>
  STATEMENTS: ALTER CERTIFICATE, DROP CERTIFICATE
CREATE CERTIFICATE
  STATEMENTS: CREATE CERTIFICATE
Note: ADD SIGNATURE requires CONTROL permission on the certificate, and requires ALTER permission on the object.

Full-Text Catalog, Full-Text Stoplist and Search Property List Permissions
CONTROL SERVER → CONTROL ON DATABASE::<name> → CONTROL ON FULLTEXT CATALOG::<name>, CONTROL ON FULLTEXT STOPLIST::<name>, CONTROL ON SEARCH PROPERTY LIST::<name>
VIEW ANY DEFINITION → VIEW DEFINITION ON DATABASE::<name> → VIEW DEFINITION ON FULLTEXT CATALOG::<name>, VIEW DEFINITION ON FULLTEXT STOPLIST::<name>, VIEW DEFINITION ON SEARCH PROPERTY LIST::<name>
REFERENCES ON DATABASE::<name> → REFERENCES ON FULLTEXT CATALOG::<name>, REFERENCES ON FULLTEXT STOPLIST::<name>, REFERENCES ON SEARCH PROPERTY LIST::<name>
ALTER ANY DATABASE → ALTER ON DATABASE::<name> → TAKE OWNERSHIP ON FULLTEXT CATALOG::<name>, TAKE OWNERSHIP ON FULLTEXT STOPLIST::<name>, TAKE OWNERSHIP ON SEARCH PROPERTY LIST::<name>
ALTER ANY FULLTEXT CATALOG → ALTER ON FULLTEXT CATALOG::<name>, ALTER ON FULLTEXT STOPLIST::<name>, ALTER ON SEARCH PROPERTY LIST::<name>

Service Broker Permissions (SQL Server only)
Service:
CONTROL SERVER → CONTROL ON DATABASE::<name> → CONTROL ON SERVICE::<name>
VIEW ANY DEFINITION → VIEW DEFINITION ON DATABASE::<name> → VIEW DEFINITION ON SERVICE::<name>
SEND ON SERVICE::<name>
ALTER ANY DATABASE → ALTER ON DATABASE::<name> → TAKE OWNERSHIP ON SERVICE::<name>
Remote service binding:
ALTER ANY REMOTE SERVICE BINDING → ALTER ON REMOTE SERVICE BINDING::<name>
  STATEMENTS: ALTER REMOTE SERVICE BINDING, DROP REMOTE SERVICE BINDING
CREATE REMOTE SERVICE BINDING
  STATEMENTS: CREATE REMOTE SERVICE BINDING
Contract:
CONTROL SERVER → CONTROL ON DATABASE::<name> → CONTROL ON CONTRACT::<name>
VIEW ANY DEFINITION → VIEW DEFINITION ON DATABASE::<name> → VIEW DEFINITION ON CONTRACT::<name>
REFERENCES ON DATABASE::<name> → REFERENCES ON CONTRACT::<name>
ALTER ANY DATABASE → ALTER ON DATABASE::<name> → TAKE OWNERSHIP ON CONTRACT::<name>
ALTER ANY CONTRACT → ALTER ON CONTRACT::<name>
  STATEMENTS: DROP CONTRACT
CREATE CONTRACT
  STATEMENTS: CREATE CONTRACT
Message type:
VIEW ANY DEFINITION → VIEW DEFINITION ON DATABASE::<name> → VIEW DEFINITION ON MESSAGE TYPE::<name>
REFERENCES ON DATABASE::<name> → REFERENCES ON MESSAGE TYPE::<name>
TAKE OWNERSHIP ON MESSAGE TYPE::<name>
ALTER ANY MESSAGE TYPE → ALTER ON MESSAGE TYPE::<name>
  STATEMENTS: ALTER MESSAGE TYPE, DROP MESSAGE TYPE
CREATE MESSAGE TYPE
  STATEMENTS: CREATE MESSAGE TYPE
Queue:
  STATEMENTS: CREATE QUEUE
Notes:
• The user executing the CREATE CONTRACT statement must have REFERENCES permission on all message types specified.
• The user executing the CREATE SERVICE statement must have REFERENCES permission on the queue and all contracts specified.
• To execute the CREATE or ALTER REMOTE SERVICE BINDING the user must have impersonate permission for the principal specified in the statement.
• When the CREATE or ALTER MESSAGE TYPE statement specifies a schema collection, the user executing the statement must have REFERENCES permission on the schema collection specified.
• See the ALTER ANY EVENT NOTIFICATION chart for more permissions related to Service

Availability Group Permissions
CONTROL SERVER → CONTROL ON AVAILABILITY GROUP::<name>