Table 8-15 and Table 8-16 list all grantable system privileges. Privileges marked with an asterisk (*) may be granted or revoked when enable granular permissions is disabled.
For a list of all grantable privileges and permissions in alphabetic order, see Table 1-22 in the grant command in Reference Manual: Commands.
Possessing one privilege may imply possessing another,
more granular, privilege. For example, a user with select
any table privilege implies the user has select permission
on all user tables. See Table 1-22 in the grant command in Reference
Manual: Commands for a complete list of privileges pairs
that have an implied relationship.
Privilege name |
Operations the privilege authorizes |
---|---|
Privileges management |
|
manage security permissions |
Granting and revoking security privileges |
manage server permissions |
Granting and revoking nonsecurity server-wide privileges not related to security. |
Audit management |
|
manage auditing |
Acting as the database owner of sybsecurity Executing these commands:
Executing these system store procedures:
|
Login and role management |
|
allow exceptional login |
Granting login to the server when:
|
change password |
Executing this command:
Executing these system store procedures:
|
manage any login |
Executing these commands:
Executing these system procedures:
Executing this function:
|
manage any login profile |
Executing these commands:
Executing this system procedure:
|
manage any remote login |
Executing these system procedures:
|
manage roles |
Executing these commands:
Executing these system procedures:
|
Database Management |
|
checkpoint |
Executing the checkpoint command for a specified database |
checkpoint any database |
Executing the checkpoint command for any database |
create database* |
Executing the create database command |
dump any database |
Executing these commands for any database:
|
dump database |
Executing these commands for a specified database:
|
load any database |
Executing these commands for any database:
|
load database |
Executing these commands for a specified database:
|
manage any database |
Performing database maintenance operations on any database Executing these commands:
Executing these system procedures:
|
manage any database (continued) |
Executing these dbcc commands:
Executing these functions:
|
mount any database |
Executing the mount database command for any database |
online any database |
Executing the online database command for any database |
online database |
Executing the online database command for a specified database |
own any database |
Acting as database owner for the specified database See own database for a list of operations the privilege is authorized to perform. |
own database |
Acting as database owner for any database except sybsecurity Executing these commands:
|
own database (continued) |
Executing these system procedures:
Executing these dbcc commands:
|
quiesce any database |
Executing the quiesce database command for any database |
unmount any database |
Executing the unmount database command for any database |
Server Maintenance |
|
manage any thread pool |
Executing these commands:
|
manage cluster |
Managing cluster-related configurations and operations Executing the shutdown cluster command (requires shutdown privilege) Executing these system procedures:
Executing these dbcc commands:
|
manage disk |
Executing these commands:
Executing these system procedures:
|
manage security configuration |
Enable or disable security related configurations Executing these system procedures:
|
manage server |
Manage server maintenance operations Executing these system procedures:
Executing these dbcc commands:
Executing these functions:
|
manage server configuration |
Enable or disable server configurations not related to security Executing these system procedures:
|
shutdown |
Shutting down the:
Execute the shutdown command. |
dbcc |
|
dbcc checkalloc any database |
Executing dbcc checkalloc in any database |
dbcc checkcatalog any database |
Executing dbcc checkcatalog in any database |
dbcc checkdb any database |
Executing dbcc checkdb in any database |
dbcc check index any database |
Executing dbcc checkindex in any database |
dbcc checkstorage any database |
Executing dbcc checkstorage in any database |
dbcc checktable any database |
Executing dbcc checktable in any database |
dbcc checkverify any database |
Executing dbcc checkverify in any database |
dbcc fix_text any database |
Executing dbcc fix_text in any database |
dbcc indexalloc any database |
Executing dbcc indexalloc in any database |
dbcc reindex any database |
Executing dbcc reindex in any database |
dbcc tablealloc any database |
Executing dbcc tablealloc in any database |
dbcc textalloc any database |
Executing dbcc textalloc in any database |
dbcc tune |
Executing dbcc tune |
Application Management |
|
manage any execution class |
Executing these system procedures:
|
manage any ESP |
Executing these system procedures:
|
manage data cache |
Executing these system procedures:
|
manage dump configuration |
Managing dump configuration for a backup server Executing these commands:
Executing these system procedures:
|
manage lock promotion threshold |
Executing these system procedures:
|
monitor qp performance |
Monitoring query processing performance Executing these commands:
Executing these system procedures:
Executing these dbcc commands:
|
manage resource limit |
Executing these system procedures:
|
Others |
|
connect* |
Connecting to any server using the connect command |
kill |
Killing processes owned by the privilege holder |
kill any process |
Killing any process owned by any user |
map external file |
Mapping a proxy table to a directory or file on a remote server |
monitor server replication |
Displaying replication status Executing these system procedures:
|
set proxy |
Executing set proxy to change the identity to another user |
set tracing* |
Executing these commands:
Executing these dbcc commands:
|
set tracing any process |
Executing these commands:
Executing these dbcc commands:
|
set switch |
Enabling or disabling any trace flag Executing these commands:
Executing these dbcc commands:
Executing this stored procedure:
|
show switch |
Displays traceflags that are on Execute the show switch command |
use any database |
Accessing any database when the privilege holder is not a valid user of the database and there is no “guest” account in the database Execute the use database command |
use database |
Accessing the specified database when the privilege holder is not a valid user of the database and there is no guest account in the database Execute the use database command |
Privilege name |
Operations this privilege authorizes |
---|---|
Permission management |
|
manage any object permission |
Granting and revoking object permissions |
manage database permissions |
Granting and revoking database privileges |
Manage user |
|
manage any user |
Executing these system procedures:
|
Set user |
|
setuser |
Impersonating another user |
Replication Management |
|
manage replication |
Managing replication settings in a database Executing these commands:
Executing these system procedures:
Executing these dbcc commands:
|
Maintains database |
|
manage database |
Performing database maintenance operations without accessing dbo-owned data Executing these commands:
Executing these system procedures:
|
manage database (continued) |
Executing these dbcc commands:
Executing these built-in functions:
|
Manage query plan |
|
manage abstract plans |
Executing these system procedures:
|
dbcc |
|
dbcc checkalloc* |
Executing dbcc checkalloc in the database |
dbcc checkcatalog* |
Executing dbcc checkcatalog in the database |
dbcc checkdb* |
Executing dbcc checkdb in the database |
dbcc checkindex* |
Executing dbcc checkindex in the database |
dbcc checkstorage* |
Executing dbcc checkstorage in the database |
dbcc checktable* |
Executing dbcc checktable in the database |
dbcc checkverify* |
Executing dbcc checkverify in the database |
dbcc fix_text* |
Executing dbcc fix_text in the database |
dbcc indexalloc* |
Executing dbcc indexalloc in the database |
dbcc reindex* |
Executing dbcc reindex in the database |
dbcc tablealloc* |
Executing dbcc tablealloc in the database |
dbcc textalloc* |
Executing dbcc textalloc in the database |
manage checkstorage |
Managing dbcc checkstorage-related settings on the database (specified with the procedures in which the privilege is granted) Executing these dbcc stored procedures:
|
report checkstorage |
Executing dbcc procedures to generate reports about dbcc checkstorage results on the database (specified with the procedures in which the privilege is granted) Executing these dbcc stored procedures:
|
System Catalog |
|
select any audit table |
Selecting any audit table in sybsecurity (available only in sybsecurity database) |
select any system catalog |
Selecting all columns from any system table in the current database |
truncate any audit table |
Truncating any audit table in sybsecurity (available only in the sybsecurity database) |
update any security catalog |
Updating, inserting, and deleting these security-related system catalogs, which are restricted from direct update:
|
Manage objects |
|
alter any object owner |
Altering ownership for any object in the database Execute the alter ... modify owner command. |
create any object |
Creating any of these objects owned by anyone:
Executing these commands:
|
drop any object |
Dropping any of these objects owned by anyone:
Executing these commands:
|
Manage encryption |
|
create encryption key* |
Creating encryption keys in the database |
manage any encryption key |
Creating, altering , and dropping column encryption keys, master keys, and service keys owned by anyone Executing these commands:
Executing sp_encryption |
manage column encryption key |
Creating, altering, and dropping column encryption keys |
manage master key |
Creating, altering, and dropping master keys |
manage service key |
Creating, altering, and dropping service keys |
Defaults |
|
create default* |
Creating self-owned default Execute the create default command |
create any default |
Creating defaults owned by anyone Execute the create default command |
drop any default |
Dropping defaults owned by anyone Execute the drop default command |
Functions |
|
create function* |
Creating self-owned user-defined function Executing these commands:
|
create any function |
Creating functions owned by anyone Executing these commands:
|
drop any function |
Dropping functions owned by anyone Executing these commands:
|
execute any function |
Running user-defined functions owned by anyone Execute the execute command |
Indexes |
|
create any index |
Creating indexes on tables owned by anyone Execute the create index command |
Procedures |
|
create procedure |
Creating self-owned procedures Execute the create procedure command |
create any procedure |
Creating procedures owned by anyone Execute the create procedure command |
execute any procedure |
Execute procedures owned by anyone Execute the execute command. |
drop any procedure |
Dropping procedures owned by anyone Execute the drop procedure command |
Rules |
|
create rule* |
Creating self-owned rule Execute the create rule command |
create any rule |
Creating rule owned by anyone Execute the create rule command |
drop any rule |
Dropping rules owned by anyone Execute the drop rule command. |
Tables |
|
alter any table |
Altering user tables owned by anyone Execute the alter table command. |
create any table |
Creating user tables owned by anyone Execute the create table command. |
create table* |
Creating self-owned user tables Execute the create table command |
decrypt any table |
Decrypting any encrypted table |
delete any table |
Delete rows of user tables owned by anyone Executing these commands:
|
drop any table |
Dropping user tables owned by anyone Execute the drop table command. |
identity_insert any table |
Enabling or disabling identity_update on any user table Execute the set identity_insert command |
identity_update any table |
Enabling or disabling identity_insert on any user table Execute the set identity_update command |
insert any table |
Inserting user tables owned by anyone Executing these commands:
|
manage any statistics |
Update or delete statistics on any table owned by anyone Executing these commands:
Executing sp_modifystats |
references any table |
Referencing user tables owned by anyone |
reorg any table |
Reorganizing user tables owned by anyone Execute the reorg command |
select any table |
Selecting user tables owned by anyone Execute these commands:
|
transfer any table |
Transferring data to or from user tables owned by anyone Execute the transfer table command |
truncate any table |
Truncating user tables owned by anyone Execute the truncate table command |
update any table |
Updating user tables owned by anyone Execute these commands:
|
Trigger |
|
create trigger* |
Creating self-owned trigger. Execute the create trigger command. |
create any trigger |
Creating triggers owned by anyone Execute the create trigger command |
drop any trigger |
Dropping triggers owned by anyone Execute the drop trigger command |
Views |
|
create view* |
Creating self-owned view Execute the create view command |
create any view |
Creating views owned by anyone Execute the create view command. |
drop any view |
Dropping views owned by anyone Execute the drop view command. |