Because system procedures are located in the master database, their permissions are set there.
Some of the system procedures can be run only by database owners. These procedures check whether the user executing the procedure is the owner of the database from which it is being executed.
Other system procedures (for example, all the sp_help procedures) can be executed by any user who has been granted permission – but this permission must be granted in master. In other words, a user must have permission to execute a system procedure in all databases or in none of them.
SQL Server users who do not have usernames in the master database are treated as guests in master and thus are automatically granted permission on many of the system procedures. To deny a user permission on a system procedure, the SA must add that user to the master database and write a REVOKE statement that applies to that procedure. Because permissions for system procedures are set in the master database, the owner of a database cannot directly control permissions on the system procedures within his or her own database.