You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/relational-databases/security/authentication-access/server-level-roles.md
+2-2Lines changed: 2 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -51,7 +51,7 @@ The following table shows the fixed server-level roles and their capabilities.
51
51
|**securityadmin**| Members of the **securityadmin** fixed server role manage logins and their properties. They can `GRANT`, `DENY`, and `REVOKE` server-level permissions. **securityadmin** can also `GRANT`, `DENY`, and `REVOKE` database-level permissions if they have access to a database. Additionally, **securityadmin** can reset passwords for [!INCLUDE [ssNoVersion](../../../includes/ssnoversion-md.md)] logins.<br /><br />**IMPORTANT:** The ability to grant access to the [!INCLUDE [ssDE](../../../includes/ssde-md.md)] and to configure user permissions allows the security admin to assign most server permissions. The **securityadmin** role should be treated as equivalent to the **sysadmin** role. As an alternative, starting with [!INCLUDE [sssql22-md](../../../includes/sssql22-md.md)], consider using the new fixed server role **##MS_LoginManager##**. |
52
52
|**processadmin**| Members of the **processadmin** fixed server role can end processes that are running in an instance of [!INCLUDE [ssNoVersion](../../../includes/ssnoversion-md.md)]. |
53
53
|**setupadmin**| Members of the **setupadmin** fixed server role can add and remove linked servers by using [!INCLUDE [tsql](../../../includes/tsql-md.md)] statements. (**sysadmin** membership is needed when using [!INCLUDE [ssManStudio](../../../includes/ssmanstudio-md.md)].) |
54
-
|**bulkadmin**| Members of the **bulkadmin** fixed server role can run the `BULK INSERT` statement.<br /><br />The **bulkadmin** role or `ADMINISTER BULK OPERATIONS` permissions aren't supported for [!INCLUDE [ssNoVersion](../../../includes/ssnoversion-md.md)] on Linux.<br /><br />Bulk operations (`BULK INSERT` statements) are not supported for logins based on Microsoft Entra authentication, on either Linux or Windows. In this scenario, only members of the **sysadmin** role can perform bulk inserts for [!INCLUDE [ssNoVersion](../../../includes/ssnoversion-md.md)]. |
54
+
|**bulkadmin**| Members of the **bulkadmin** fixed server role can run the `BULK INSERT` statement. Members of this role can potentially elevate their privileges under certain conditions. It is strongly recommended to apply the principle of least privilege when assigning this role and to monitor all activity performed by its members. <br /><br />The **bulkadmin** role or `ADMINISTER BULK OPERATIONS` permissions aren't supported for [!INCLUDE [ssNoVersion](../../../includes/ssnoversion-md.md)] on Linux.<br /><br />Bulk operations (`BULK INSERT` statements) are not supported for logins based on Microsoft Entra authentication, on either Linux or Windows. In this scenario, only members of the **sysadmin** role can perform bulk inserts for [!INCLUDE [ssNoVersion](../../../includes/ssnoversion-md.md)]. |
55
55
|**diskadmin**| The **diskadmin** fixed server role is used for managing disk files. |
56
56
|**dbcreator**| Members of the **dbcreator** fixed server role can create, alter, drop, and restore any database. |
57
57
|**public**| Every [!INCLUDE [ssNoVersion](../../../includes/ssnoversion-md.md)] login belongs to the **public** server role. When a server principal isn't granted or denied specific permissions on a securable object, the user inherits the permissions granted to **public** on that object. Only assign **public** permissions on any object when you want the object to be available to all users. You can't change membership in **public**.<br /><br />**Note:****public** is implemented differently than other roles, and permissions can be granted, denied, or revoked from the **public** fixed server roles. |
@@ -63,7 +63,7 @@ The following table shows the fixed server-level roles and their capabilities.
63
63
64
64
The following table shows fixed server-level roles introduced in [!INCLUDE [sssql22-md](../../../includes/sssql22-md.md)], and their capabilities.
65
65
66
-
> [!NOTE]
66
+
> [!NOTE]
67
67
> These server-level permissions aren't available for Azure SQL Managed Instance or Azure Synapse Analytics. `##MS_PerformanceDefinitionReader##`, `##MS_ServerPerformanceStateReader##`, and `##MS_ServerSecurityStateReader##` is introduced in [!INCLUDE [sssql22-md](../../../includes/sssql22-md.md)], and aren't available in Azure SQL Database.
0 commit comments