Protection information is stored in the sysprotects table at the database level. For database-specific dbcc commands that work only in a particular database, the information is stored in the sysprotects table of the target database.
grant and revoke commands can apply only to local objects in the database, except:
create database
connect
set session authorization/set proxy
To grant permissions for these commands to a user, that user must be a valid user in master.
The following commands are are effective server-wide, but are not database-specific:
Server-wide dbcc commands such as tune.
Database-specific dbcc commands that are granted server-wide, such as grant dbcc checkstorage granted to storage_admin_role.
