For SQL Server 6.5 information, see GRANT Statement in What's New for SQL Server 6.5.
Assigns permissions to users.
GRANT {ALL | statement_list}
TO {PUBLIC | name_list}
GRANT {ALL | permission_list}
ON {table_name [(column_list)] | view_name [(column_list)] |
stored_procedure_name | extended_stored_procedure_name}
TO {PUBLIC | name_list}
where
If more than one statement is listed, separate them with commas.
Permissions granted on a table can also include REFERENCES. REFERENCES allows a user to create FOREIGN KEY constraints that reference another table without having SELECT permission on that table. REFERENCES permission needs to be granted only to the person creating the FOREIGN KEY.
When permissions are granted on columns, the permission list can include SELECT and/or UPDATE.
When permissions are granted on stored procedures, the permission list can include EXECUTE only.
If multiple permissions are listed, separate them with commas.
Permission to use a statement or object defaults to the system administrator, the database owner, the object owner, or the default group public. Some permissions are transferable. When possible, the user to whom the permissions default can transfer permission to other users. Users at higher levels (the database owner and system administrator) are either automatically granted the permission or (in the case of database owners) can temporarily obtain permissions.
By default, the system administrator has all permissions. The system administrator can assign a database owner by using the sp_changedbowner system stored procedure. Once assigned, a database owner (or the system administrator) can GRANT "statement" permissions to users within that database. Once a user has been given "statement" permissions, he or she can create an object. That user becomes the object owner of the object(s) he or she has created. Object owners always retain rights to their object(s). "Object" permissions must be granted to other users before they can access that object.
Database users can belong to only one group in addition to the group public. Users are always a member of the group public. For permissions that default to public, no permission is required ¾ that is, no explicit GRANT or REVOKE statement must be executed.
When permissions are given, information is stored within the sysprotects table. The sysprotects table manages permissions by updating rows based on each GRANT and REVOKE statement. You can grant or revoke permissions only on objects in the current database.
If permissions are granted to the group public, they will override any previous permissions given to any other user or group of that database. When permissions are given (or revoked) the permissions are order-sensitive. (The statement executed most recently is the one that takes effect.) This can produce undesired results if care is not taken in granting/revoking permissions. For best results, grant/revoke permissions to the least-selective group first (usually public), then grant/revoke permissions on a group-by-group basis, on an individual-by-individual basis, and then to/from the guest user.
A guest user can be added by using the sp_adduser system stored procedure to allow users with login IDs on SQL Server to use the database without a specific database username (and usually with limited permissions).
The sp_helprotect system stored procedure reports permissions on a database object or on a user. For details, see the sp_helprotect system stored procedure.
GRANT and REVOKE permission defaults to particular users and cannot be transferred.
The following table details permissions for Transact-SQL statements:
Defaults to |
Can be granted /revoked |
||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Statement |
System admin | DB owner |
Object owner |
Public |
Yes |
No |
N/A |
||||||
ALTER DATABASE | ¾ | X | ¾ | ¾ | (1) | ¾ | ¾ | ||||||
ALTER TABLE | ¾ | ¾ | X | ¾ | ¾ | X | ¾ | ||||||
BEGIN TRANSACTION | ¾ | ¾ | ¾ | X | ¾ | ¾ | X | ||||||
CHECKPOINT | ¾ | X | ¾ | ¾ | ¾ | X | ¾ | ||||||
COMMIT TRANSACTION | ¾ | ¾ | ¾ | X | ¾ | ¾ | X | ||||||
CREATE DATABASE | X | ¾ | ¾ | ¾ | X | ¾ | ¾ | ||||||
CREATE DEFAULT | ¾ | X | ¾ | ¾ | X | ¾ | ¾ | ||||||
CREATE INDEX | ¾ | ¾ | X (3) | ¾ | ¾ | X | ¾ | ||||||
CREATE PROCEDURE | ¾ | X | ¾ | ¾ | X | ¾ | ¾ | ||||||
CREATE RULE | ¾ | X | ¾ | ¾ | X | ¾ | ¾ | ||||||
CREATE TABLE | ¾ | X | ¾ | (2) | X (2) | ¾ | ¾ | ||||||
CREATE TRIGGER | ¾ | ¾ | X (3) | ¾ | ¾ | X | ¾ | ||||||
CREATE VIEW | ¾ | X | ¾ | ¾ | X | ¾ | ¾ | ||||||
DBCC (4) | ¾ | X | ¾ | ¾ | ¾ | X | ¾ | ||||||
DELETE | ¾ | ¾ | X | ¾ | X | ¾ | ¾ | ||||||
DISK INIT | X | ¾ | ¾ | ¾ | ¾ | X | ¾ | ||||||
DISK MIRROR | X | ¾ | ¾ | ¾ | ¾ | X | ¾ | ||||||
DISK REFIT | X | ¾ | ¾ | ¾ | ¾ | X | ¾ | ||||||
DISK REINIT | X | ¾ | ¾ | ¾ | ¾ | X | ¾ | ||||||
DISK REMIRROR | X | ¾ | ¾ | ¾ | ¾ | X | ¾ | ||||||
DISK UNMIRROR | X | ¾ | ¾ | ¾ | ¾ | X | ¾ | ||||||
DROP any object | ¾ | ¾ | X | ¾ | ¾ | X | ¾ | ||||||
DUMP DATABASE | ¾ | X | ¾ | ¾ | X | ¾ | ¾ | ||||||
DUMP TRANSACTION | ¾ | X | ¾ | ¾ | X | ¾ | ¾ | ||||||
EXECUTE (5) | ¾ | ¾ | X | ¾ | X | ¾ | ¾ | ||||||
GRANT | ¾ | X | ¾ | ¾ | ¾ | X | ¾ | ||||||
GRANT on object | ¾ | ¾ | X | ¾ | ¾ | X | ¾ | ||||||
INSERT | ¾ | ¾ | X | ¾ | X | ¾ | ¾ | ||||||
KILL | X | ¾ | ¾ | ¾ | ¾ | X | ¾ | ||||||
LOAD DATABASE | ¾ | X | ¾ | ¾ | ¾ | X | ¾ | ||||||
LOAD TRANSACTION | ¾ | X | ¾ | ¾ | ¾ | X | ¾ | ||||||
¾ | ¾ | ¾ | X | ¾ | ¾ | X | |||||||
RAISERROR | ¾ | ¾ | ¾ | X | ¾ | ¾ | X | ||||||
READTEXT | ¾ | ¾ | X | ¾ | (6) | ¾ | ¾ | ||||||
RECONFIGURE | X | ¾ | ¾ | ¾ | ¾ | X | ¾ | ||||||
REFERENCES | ¾ | ¾ | X | ¾ | X | ¾ | ¾ | ||||||
REVOKE | ¾ | X | ¾ | ¾ | ¾ | X | ¾ | ||||||
REVOKE on object | ¾ | ¾ | X | ¾ | ¾ | X | ¾ | ||||||
ROLLBACK TRANSACTION | ¾ | ¾ | ¾ | X | ¾ | ¾ | X | ||||||
SAVE TRANSACTION | ¾ | ¾ | ¾ | X | ¾ | ¾ | X | ||||||
SELECT | ¾ | ¾ | X | ¾ | X | ¾ | ¾ | ||||||
SET | ¾ | ¾ | ¾ | X | ¾ | ¾ | X | ||||||
SETUSER | ¾ | X | ¾ | ¾ | ¾ | X | ¾ | ||||||
SHUTDOWN | X | ¾ | ¾ | ¾ | ¾ | X | ¾ | ||||||
TRUNCATE TABLE | ¾ | ¾ | X | ¾ | ¾ | X | ¾ | ||||||
UPDATE | ¾ | ¾ | X | ¾ | X | ¾ | ¾ | ||||||
UPDATE STATISTICS | ¾ | ¾ | X | ¾ | ¾ | X | ¾ | ||||||
UPDATETEXT | ¾ | ¾ | X | ¾ | (7) | ¾ | ¾ | ||||||
WRITETEXT | ¾ | ¾ | X | ¾ | (7) | ¾ | ¾ | ||||||
(1) Transferred with CREATE DATABASE permission. | |||||||||||||
(2) Public can create temporary tables; no permission required. | |||||||||||||
(3) Defaults to the table owner. | |||||||||||||
(4) For the list of all DBCC statement permissions see the DBCC statement. | |||||||||||||
(5) Defaults to stored-procedure owner. | |||||||||||||
(6) Transferred with SELECT permission. | |||||||||||||
(7) Transferred with UPDATE permission. |
This example shows how to grant multiple statement permissions to multiple users.
GRANT CREATE DATABASE, CREATE TABLE TO Mary, John
This example shows preferred ordering of permissions. First, SELECT permissions are given to the group public. After this, specific permissions are given to a few users. These users (Mary, John, and Tom) then have all permissions to the authors table.
GRANT SELECT ON authors TO public go GRANT INSERT, UPDATE, DELETE ON authors TO Mary, John, Tom
REVOKE | sp_changegroup |
SETUSER | sp_dropgroup |
sp_addgroup | sp_dropuser |
sp_addlogin | sp_helpgroup |
sp_adduser | sp_helprotect |
sp_changedbowner | sp_helpuser |