Identify and resolve SQL Server problems BEFORE they happen with SQL diagnostic manager

Server level permissions for SQL Server 2005 and SQL Server 2008

By: K. Brian Kelley | Read Comments (4) | Print Brian is a SQL Server author and columnist focusing primarily on SQL Server security. Related Tips: More

Problem
I am new to SQL Server 2005/2008 having administered SQL Server 2000 and below. I have heard there are a lot of new permissions at the server level. What are they and what do they give rights to perform?

Solution
SQL Server 2005 introduced a new concept to SQL Server security and permissions: securables. Securables are anything within SQL Server that can have a permission assigned. One such securable is the server.

Below are the list of server-level permissions:

Permission	Effect
ADMINISTER BULK OPERATIONS	Grants or denies the ability to execute BULK INSERT commands. However, INSERT permissions must exist for the login with respect to the table being loaded. In addition, ALTER TABLE permissions may also be required. The bulkadmin fixed server role is granted this permission implicitly.
ALTER ANY CONNECTION	Grants or denies the ability to manage existing connections to SQL Server such as through the use of the KILL reserved word. The processadmin fixed server role has this permission granted implicitly.
ALTER ANY CREDENTIAL	Grants or denies the ability to manage credentials. Credentials are Windows user account/password combinations which can used outside of SQL Server. They are used with SQL Server Agent jobs to set security context for a job running outside of SQL Server.
ALTER ANY DATABASE	Grants or denies the ability to drop or modify existing databases as well as create new databases. The dbcreator fixed server role has this permission granted implicitly.
ALTER ANY ENDPOINT	Grants or denies the ability to create, drop, or modify endpoints. The sysadmin fixed server role has this permission granted implicitly.
ALTER ANY EVENT NOTIFICATION	Grants or denies the ability to create any event notification using CREATE EVENT NOTIFICATION with respect to Service Broker.
ALTER ANY LINKED SERVER	Grants or denies the ability to create, drop, or modify linked server connections.
ALTER ANY LOGIN	Grants or denies the ability to create, drop, or modify logins. To affect a login which is a member of the sysadmin fixed server role or a login which has been granted CONTROL SERVER permissions, you must also have CONTROL SERVER permissions. The securityadmin fixed server role has this permission granted implicitly.
ALTER ANY RESOURCES	Grants or denies the ability to manage disk resources for SQL Server. The diskadmin and serveradmin fixed server roles are granted this permission implicitly.
ALTER SERVER STATE	Grants or denies the ability to manage some aspects of the server, such as DBCC FREEPROCCACHE,and DBCC FREESYSTEMCACHE.
ALTER SETTINGS	Grants or denies the ability to execute sp_configure and change settings. Also grants or denies the ability to execute RECONFIGURE afterwards. This permissions is granted by default to members of the serveradmin and sysadmin fixed server role.
ALTER TRACE	Grants or denies the ability to execute a server-side or SQL Server Profiler trace. Without this permission, the only logins capable of running traces are members of the sysadmin fixed server role.
AUTHENTICATE SERVER	Grants or denies the ability to use a particular signature across all databases on the server when impersonation is used..
CONNECT SQL	Grants or denies the ability to connect to the SQL Server. All logins, when newly created, are granted this permission automatically.
CONTROL SERVER	Grants or denies the ability to do anything on the SQL Server. The sysadmin fixed server role has this permission granted implicitly.
CREATE ANY DATABASE	Grants or denies the ability to create new databases. The dbcreator fixed server role has this permission granted implicitly.
CREATE DDL EVENT NOTIFICATION	Grants or denies the ability to create a DDL event notification using CREATE EVENT NOTIFICATION with respect to Service Broker.
CREATE ENDPOINT	Grants or denies to create an endpoint, a connection into SQL Server. The serveradmin and sysadmin fixed server roles has this permission granted implicitly.
CREATE TRACE EVENT NOTIFICATION	Grants or denies the ability to create a trace event notification using CREATE EVENT NOTIFICATION with respect to Service Broker.
EXTERNAL ACCESS ASSEMBLY	Grants or denies the ability to add CLR assemblies to SQL Server that have a permissions set = EXTERNAL_ACCESS.
SHUTDOWN	Grants or denies the ability to shutdown the SQL Server service. The sysadmin and serveradmin fixed servers have this permission implicitly.
UNSAFE ASSEMBLY	Grants or denies the ability to add CLR assemblies to SQL Server that have a permissions set = UNSAFE.
VIEW ANY DATABASE	Grants or denies the ability to see metadata on databases through sys.databases, sysdatabases, or sp_helpdb. The public fixed server role has this permission implicitly (meaning anyone who can connect to the SQL Server instance).
VIEW ANY DEFINITION	Grants or denies the abilities to see the T-SQL code and any metadata for any object within the server.
VIEW SERVER STATE	Grants or denies the ability to see server level configuration information. The serveradmin fixed server role has this permission implicitly.

While all of these server level permissions are important, some of the ones to pay particular attention to are:

• CONTROL SERVER - can do anything within SQL Server
• SHUTDOWN - can shutdown the SQL Server service
• ALTER SETTINGS - can run sp_configure and change the configuration of SQL Server.
• ALTER ANY LOGIN - can modify logins to SQL Server
• ALTER ANY DATABASE - can modify databases in SQL Server.
• CREATE ENDPOINT - can create new connection points for SQL Server.
• ALTER TRACE - Can execute traces against the SQL Server.

---

Listing Permissions

A quick and easy script you can use to see what permissions are assigned at the server level is the following. It uses the sys.server_permissions catalog view joined against the sys.server_principals catalog view to pull back all the server-level permissions belonging to SQL Server logins, Windows user logins, and Windows group logins:

SELECT    [srvprin].[name] [server_principal],   [srvprin].[type_desc] [principal_type],   [srvperm].[permission_name],   [srvperm].[state_desc]  FROM [sys].[server_permissions] srvperm   INNER JOIN [sys].[server_principals] srvprin     ON [srvperm].[grantee_principal_id] = [srvprin].[principal_id] WHERE [srvprin].[type] IN ('S', 'U', 'G') ORDER BY [server_principal], [permission_name];

---

Granting Permissions

Granting rights is pretty straight forward.  To grant "SHUTDOWN" rights to login "DBUser1" you would issue the following command:

GRANT SHUTDOWN TO DBUser1

 

Next Steps

• Take the time to check out what server rights logins have on your server
• Check out these additional security tips:
  • How to find out what SQL Server rights have been granted to the Public role
  • Identify SQL Server 2005 Standard Login Settings
  • Script to determine permissions in SQL Server 2005
  • Auditing Windows Groups from SQL Server
  • Giving and removing permissions in SQL Server
  • Database level permissions for SQL Server 2005 and 2008
     

Related Tips: More | Become a paid author

Last Update: 3/24/2009

Share:

Share

Tweet

Free SQL Server Learning Building Blocks for Your SQL Server Career Database development best practices What Are You Waiting For?

Comments and Feedback:

Tuesday, March 24, 2009 - 3:37:57 AM - @tif
I would just like to add that list of all server level permissions may be generated as following if required. SELECT permission_name FROM fn_my_permissions(null, 'server') order by 1 GO

Thursday, July 08, 2010 - 3:18:44 AM - tinof

Please allow a question: You wrote to 'ALTER ANY LOGIN"  ... To affect a login which is a member of the sysadmin fixed server role or a login which has been granted CONTROL SERVER permissions, you must also have CONTROL SERVER permissions. I can't see this in my enviroment (SQL Server 2005): I can drop a login assigned to the sysadmin role and with CONTROL SERVER permission even if i am logged in as a user who does'nt have the CONTROL SERVER permission. What is wrong? I would need 'Master -User', who administrate other logins, but they better should'nt be able to delete i.e. the sa - user ;-) . Thank's Tino

Thursday, June 02, 2011 - 10:39:10 AM - Sam Schafer
Thank you for the details. BOL lists the permissions but does not explain them. Most you can glean from the name, some not quite so clear.

Thursday, June 09, 2011 - 9:47:43 AM - Lelo121

Hi, I am fairly new on SQL Server so please excuse if I strile you as ignorant... Would you please explain the relationship between the stored procedure sp_srvrolepermission and the results of the query listed above? When I run the stored procedure I notice that there are many permissions assigned to the fixed server roles, however, when I look at the server permissions assigned to a server login, not all of the permissions listed as a result of sp_srvrolepermission are tied to a server login.

Post a Comment or Question

Keep it clean and stay on the subject or we may delete your comment.
Your email address is not published. Required fields are marked with an asterisk (*)

*Name

*Email

Notify for updates

Comments *** NOTE *** - If you want to include code from SQL Server Management Studio (SSMS) in your post, please copy the code from SSMS and paste the code into a text editor like NotePad before copying the code below to remove the SSMS formatting.
*Enter Code

 

Sponsor Information

Try the free performance monitoring tool from Idera! It takes just 5 minutes to connect your SQL Databases to source control. Got 5 minutes? Get started now. SQL Server Consultants - What you don't know could be your biggest asset - Guaranteed Results Join the over million SQL Server Professionals who get their issues resolved daily. Are you waiting on SQL Server? Learn about these DMV's.