Creates an entry in the security system that allows a user in the current database to work with data in the current database or execute specific Transact-SQL statements.
Statement permissions:
GRANT {ALL | statement[,...n]}
TO security_account[,...n]
Object permissions:
GRANT
{ALL [PRIVILEGES] | permission[,...n]}
{
[(column[,...n])] ON {table | view}
| ON {table | view}[(column[,...n])]
| ON {stored_procedure | extended_procedure}
}
TO security_account[,...n]
[WITH GRANT OPTION]
[AS {group | role}]
When a permission is granted to a SQL Server user or Windows NT user account, the specified security_account is the only account affected by the permission. If a permission is granted to a SQL Server role or a Windows NT group, the permission affects all users in the current database who are members of the group or role. If there are permission conflicts between a group or role and its members, the most restrictive permission (DENY) takes precedence. security_account must exist in the current database; permissions cannot be granted to a user, role, or group in another database, unless the user has already been created or given access to the current database.
Two special security accounts can be used with GRANT. Permissions granted to the public role are applied to all users in the database. Permissions granted to the guest user are used by all users who do not have a user account in the database.
When granting permissions to a Windows NT local or global group, specify the domain or computer name the group is defined on, followed by a backslash, then the group name. However, to grant permissions to a Windows NT built-in local group, specify BUILTIN instead of the domain or computer name.
Object permissions granted on a table can also include REFERENCES, and object permissions granted on a procedure can include EXECUTE. When permissions are granted on columns, the permissions list can include SELECT or UPDATE. When permissions are granted on stored procedures, the permissions list can include only EXECUTE.
When a user adds a row to a table with a FOREIGN KEY constraint, or changes data in a column with a FOREIGN KEY constraint, SQL Server must validate the data in the column with the data referenced in the FOREIGN KEY constraint. If the user does not have SELECT permissions on the referenced column or table, the REFERENCES permission for the column must be granted to the user. The REFERENCES permission cannot be granted for a system table.
Cross-database permissions are not allowed; permissions can be granted only to users in the current database for objects and statements in the current database. If a user needs permissions to objects in another database, create the user account in the other database, or grant the user account access to the other database, as well as the current database.
Note System stored procedures are the exception because EXECUTE permissions are already granted to the public role, allowing everyone to execute them. However, after a system stored procedure is executed, it checks the user’s role membership. If the user is not a member of the appropriate fixed server or database role necessary to run the stored procedure, the stored procedure does not continue.
The REVOKE statement can be used to remove granted permissions, and the DENY statement can be used to prevent a user from gaining permissions through a GRANT to their user account.
A granted permission removes the denied or revoked permission at the level granted (user, group, or role). The same permission denied at another level such as group or role containing the user takes precedence. However, although the same permission revoked at another level still applies, it does not prevent the user from accessing the object.
If a user activates an application role, the effect of GRANT is null for any objects the user accesses using the application role. Therefore, although a user may be granted access to a specific object in the current database, if the user uses an application role that does not have access to the object, the user also does not have access while the application role is activated.
The sp_helprotect system stored procedure reports permissions on a database object or user.
GRANT permissions depend on the statement permissions being granted and the object involved in the permissions. The members of the sysadmin role can grant any permissions in any database. Object owners can grant permissions for the objects they own. Members of the db_owner or db_securityadmin roles can grant any permissions on any statement or object in their database.
Statements that require permissions are those that add objects in the database or perform administrative activities with the database. Each statement that requires permissions has a certain set of roles that automatically have permissions to execute the statement. For example, the CREATE TABLE permission defaults to members of the sysadmin and db_owner and db_ddladmin roles. The permissions to execute the SELECT statement for a table default to the sysadmin and db_owner roles, and the owner of the object.
There are some Transact-SQL statements that cannot be granted as permissions; the ability to execute these statements require membership in a fixed role that has implied permissions to execute special statements. For example, to execute the SHUTDOWN statement, the user must be added as member of the serveradmin role.
Members of the dbcreator, processadmin, securityadmin, and serveradmin fixed server roles have permissions to execute only these Transact-SQL statements.
Statement |
dbcreator |
process admin |
security admin |
server admin |
|
|---|---|---|---|---|---|
| ALTER DATABASE | X | ||||
| CREATE DATABASE | X | ||||
| DBCC | X (1) | ||||
| DENY | X (2) | ||||
| GRANT | X (2) | ||||
| KILL | X | ||||
| RECONFIGURE | X | ||||
| RESTORE | X | ||||
| REVOKE | X (2) | ||||
| SHUTDOWN | X | ||||
| (1) For more information, see the DBCC statement. | |||||
| (2) Applies to the CREATE DATABASE statement only. | |||||
Note Members of the diskadmin and setupadmin fixed server roles do not have permissions to execute any Transact-SQL statements, only certain system stored procedures. Members of the sysadmin fixed server role, however, have permissions to execute all Transact-SQL statements.
Members of the following fixed database roles have permissions to execute the specified Transact-SQL statements.
Statement |
db_owner |
db_datareader | db_datawriter | db_ddladmin | db_backupoperator | db_securityadmin | |
|---|---|---|---|---|---|---|---|
| ALTER DATABASE | X | X | |||||
| ALTER PROCEDURE | X | X | |||||
| ALTER TABLE | X (1) | X | |||||
| ALTER TRIGGER | X | X | |||||
| ALTER VIEW | X (1) | X | |||||
| BACKUP | X | X | |||||
| CHECKPOINT | X | X | |||||
| CREATE DEFAULT | X | X | |||||
| CREATE INDEX | X (1) | X | |||||
| CREATE PROCEDURE |
X | X | |||||
| CREATE RULE | X | X | |||||
| CREATE SCHEMA | X | X | |||||
| CREATE TABLE | X | X | |||||
| CREATE TRIGGER | X (1) | X | |||||
| CREATE VIEW | X | X | |||||
| DBCC | X | X (2) | |||||
| DELETE | X (1) | X | |||||
| DENY | X | X | |||||
| DENY on object | X | ||||||
| DROP | X (1) | X | |||||
| EXECUTE | X (1) | ||||||
| GRANT | X | X | |||||
| GRANT on object | X (1) | ||||||
| INSERT | X (1) | X | |||||
| READTEXT | X (1) | X | |||||
| REFERENCES | X (1) | X | |||||
| RESTORE | X | ||||||
| REVOKE | X | X | |||||
| REVOKE on object | X (1) | ||||||
| SELECT | X (1) | X | |||||
| SETUSER | X | ||||||
| TRUNCATE TABLE | X (1) | X | |||||
| UPDATE | X (1) | X | |||||
| UPDATE STATISTICS |
X (1) | ||||||
| UPDATETEXT | X (1) | X | |||||
| WRITETEXT | X (1) | X | |||||
| 1 Permission applies to the object owner as well. | |||||||
| 2 For more information, see the DBCC statement. | |||||||
Note Members of the db_accessadmin fixed database role do not have permissions to execute any Transact-SQL statements, only certain system stored procedures.
The Transact-SQL statements that do not require permissions to be executed (automatically granted to public) are:
| BEGIN TRANSACTION | COMMIT TRANSACTION |
| RAISERROR | |
| ROLLBACK TRANSACTION | SAVE TRANSACTION |
| SET |
For more information about the permissions required to execute the system stored procedures, see the appropriate system stored procedure.
This example grants multiple statement permissions to the users Mary and John, and the Corporate\BobJ Windows NT group.
GRANT CREATE DATABASE, CREATE TABLE
TO Mary, John, [Corporate\BobJ]
This example shows the preferred ordering of permissions. First, SELECT permissions are granted to the public role. Then, specific permissions are granted to users Mary, John, and Tom. These users then have all permissions to the authors table.
USE pubs
GO
GRANT SELECT
ON authors
TO public
GO
GRANT INSERT, UPDATE, DELETE
ON authors
TO Mary, John, Tom
GO
This example grants CREATE TABLE permissions to all members of the Accounting role.
GRANT CREATE TABLE TO Accounting
The Plan_Data table is owned by the user Jean. Jean grants SELECT permissions, specifying the WITH GRANT OPTION clause, on Plan_Data to the Accounting role. The user Jill, who is member of Accounting, wants to grant SELECT permissions on the Plan_Data table to the user Jack, who is not a member of Accounting.
Because the permission to GRANT other users SELECT permissions to the Plan_Data table were granted to the Accounting role and not Jill explicitly, Jill cannot grant permissions for the table based on the permissions granted through being a member of the Accounting role. Jill must use the AS clause to assume the grant permissions of the Accounting role.
/* User Jean */
GRANT SELECT ON Plan_Data TO Accounting WITH GRANT OPTION
/* User Jill */
GRANT SELECT ON Plan_Data TO Jack AS Accounting
| Allowing Access by Granting Permissions | DENY |
| REVOKE | sp_dropgroup |
| sp_addgroup | sp_dropuser |
| sp_addlogin | sp_helpgroup |
| sp_adduser | sp_helprotect |
| sp_changedbowner | sp_helpuser |
| sp_changegroup |