Modify account permissions

更新时间:
复制 MD 格式

This topic lists the permissions for different account types in ApsaraDB RDS for SQL Server and their scopes. You can modify the permissions of standard and privileged accounts. A system admin account has all permissions on all databases, and its permissions cannot be modified.

Account permissions

For security, ApsaraDB RDS for SQL Server restricts certain permissions. Instead, Alibaba Cloud provides stored procedures to perform these restricted operations. For more information, see stored procedures.

Note

The ApsaraDB RDS console lets you grant permissions at the database level. To grant more granular permissions on specific objects in a database, such as tables, you can use standard SQL statements in SQL Server. For more information, refer to the official Microsoft tutorial GRANT object permissions.

System admin account

  • Scope: All databases on the instance

  • Permissions: A system admin account has all permissions on the SQL Server instance. For more information, refer to the official Microsoft tutorial Database Permissions.

Standard and privileged accounts

Scope: The databases authorized for the account.

Type

Roles

Permissions

Owner

  • Server-level roles

    • public

    • processadmin

    • setupadmin

  • Database-level roles

    • public

    • db_owner

Server-level permissions

  • CONNECT SQL

  • ALTER ANY LOGIN

  • ALTER ANY LINKED SERVER

  • ALTER ANY CONNECTION

  • ALTER TRACE

  • VIEW ANY DATABASE

  • VIEW SERVER STATE

  • ALTER SERVER STATE

Database-level permissions

  • CREATE TABLE

  • CREATE VIEW

  • CREATE PROCEDURE

  • CREATE FUNCTION

  • CREATE RULE

  • CREATE DEFAULT

  • CREATE TYPE

  • CREATE ASSEMBLY

  • CREATE XML SCHEMA COLLECTION

  • CREATE SCHEMA

  • CREATE SYNONYM

  • CREATE AGGREGATE

  • CREATE ROLE

  • CREATE MESSAGE TYPE

  • CREATE SERVICE

  • CREATE CONTRACT

  • CREATE REMOTE SERVICE BINDING

  • CREATE ROUTE

  • CREATE QUEUE

  • CREATE SYMMETRIC KEY

  • CREATE ASYMMETRIC KEY

  • CREATE FULLTEXT CATALOG

  • CREATE CERTIFICATE

  • CREATE DATABASE DDL EVENT NOTIFICATION

  • CONNECT

  • CONNECT REPLICATION

  • CHECKPOINT

  • SUBSCRIBE QUERY NOTIFICATIONS

  • AUTHENTICATE

  • SHOWPLAN

  • ALTER ANY USER

  • ALTER ANY ROLE

  • ALTER ANY APPLICATION ROLE

  • ALTER ANY COLUMN ENCRYPTION KEY

  • ALTER ANY COLUMN MASTER KEY

  • ALTER ANY SCHEMA

  • ALTER ANY ASSEMBLY

  • ALTER ANY DATABASE SCOPED CONFIGURATION

  • ALTER ANY DATASPACE

  • ALTER ANY EXTERNAL DATA SOURCE

  • ALTER ANY EXTERNAL FILE FORMAT

  • ALTER ANY MESSAGE TYPE

  • ALTER ANY CONTRACT

  • ALTER ANY SERVICE

  • ALTER ANY REMOTE SERVICE BINDING

  • ALTER ANY ROUTE

  • ALTER ANY FULLTEXT CATALOG

  • ALTER ANY SYMMETRIC KEY

  • ALTER ANY ASYMMETRIC KEY

  • ALTER ANY CERTIFICATE

  • ALTER ANY SECURITY POLICY

  • SELECT

  • INSERT

  • UPDATE

  • DELETE

  • REFERENCES

  • EXECUTE

  • ALTER ANY DATABASE DDL TRIGGER

  • ALTER ANY DATABASE EVENT NOTIFICATION

  • ALTER ANY DATABASE AUDIT

  • ALTER ANY DATABASE EVENT SESSION

  • KILL DATABASE CONNECTION

  • VIEW ANY COLUMN ENCRYPTION KEY DEFINITION

  • VIEW ANY COLUMN MASTER KEY DEFINITION

  • VIEW DATABASE STATE

  • VIEW DEFINITION

  • TAKE OWNERSHIP

  • ALTER

  • ALTER ANY MASK

  • UNMASK

  • EXECUTE ANY EXTERNAL SCRIPT

  • CONTROL

Read-Only

  • Server-level roles

    • public

    • processadmin

    • setupadmin

  • Database-level roles

    • public

    • db_datareader

Server-level permissions

  • CONNECT SQL

  • ALTER ANY LOGIN

  • ALTER ANY LINKED SERVER

  • ALTER ANY CONNECTION

  • ALTER TRACE

  • VIEW ANY DATABASE

  • VIEW SERVER STATE

  • ALTER SERVER STATE

Database-level permissions

  • CONNECT

  • SHOWPLAN

  • SELECT

  • KILL DATABASE CONNECTION

  • VIEW ANY COLUMN ENCRYPTION KEY DEFINITION

  • VIEW ANY COLUMN MASTER KEY DEFINITION

  • VIEW DATABASE STATE

Read/Write (DML)

  • Server-level roles

    • public

    • processadmin

    • setupadmin

  • Database-level roles

    • public

    • db_datareader

    • db_datawriter

Server-level permissions

  • CONNECT SQL

  • ALTER ANY LOGIN

  • ALTER ANY LINKED SERVER

  • ALTER ANY CONNECTION

  • ALTER TRACE

  • VIEW ANY DATABASE

  • VIEW SERVER STATE

  • ALTER SERVER STATE

Database-level permissions

  • CONNECT

  • SHOWPLAN

  • SELECT

  • INSERT

  • UPDATE

  • DELETE

  • KILL DATABASE CONNECTION

  • VIEW ANY COLUMN ENCRYPTION KEY DEFINITION

  • VIEW ANY COLUMN MASTER KEY DEFINITION

  • VIEW DATABASE STATE

Global read-only account

  • Scope: All user databases on the instance.

  • Permission type: Read-only. This permission automatically applies to newly created databases.

Modify account permissions

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.

  2. In the left-side navigation pane, click Accounts.

  3. Find the account you want to modify, and then click Change Permissions in the Actions column.

  4. In the Edit Account Permissions panel, configure the account permissions:

    • To modify the authorized databases, select one or more databases and click image.png or image.png to configure their permissions.

    • To modify the permission level, in the Authorized Databases section, select a permission level:

      • Read-Only: Grants the db_datareader database role in SQL Server.

      • Read/Write (DML): Grants the db_datawriter and db_datareader database roles in SQL Server.

      • Owner: Grants the db_owner database role in SQL Server.

      For more information about database-level roles, refer to the Microsoft official documentation.

  5. Click OK.

FAQ

  • Q: Why can't I create a table in my ApsaraDB RDS for SQL Server database using an account with Read/Write (DML) permissions?

  • A: Accounts with the Read/Write (DML) permission level are mapped to the standard SQL Server database roles db_datareader and db_datawriter. These roles do not include the CREATE TABLE permission. For more information, see Account permissions. If you need to create tables in the database, use one of the following methods:

    • Method 1: Run standard SQL statements in SQL Server. For more information, refer to the official Microsoft tutorials GRANT Database Permissions and Database-Level Roles.

    • Method 2: In the ApsaraDB RDS console, go to the Accounts page and change the permission level of the account to Owner. The Owner permission level includes the permission to create tables, but it also grants extensive permissions. Grant this permission level with caution. For instructions, see Modify account permissions.

    If you need to grant only the CREATE TABLE permission to an account, we recommend that you use Method 1. This method provides a higher level of security.