sql server 用户访问权限设置

大多数服务及其属性可通过使用SQL Server 配置管理器进行配置。

以下是在C 盘安装Windows 的情况下最新的四个版本的路径。

安装的服务SQL Server根据您决定安装的组件，SQL Server 安装程序将安装以下服务：∙SQL Server Database Services - 用于SQL Server 关系数据库引擎的服务。

可执行文件为<MSSQLPATH>\MSSQL\Binn\sqlservr.exe。

∙SQL Server 代理 - 执行作业、监视SQL Server、激发警报以及允许自动执行某些管理任务。

SQL Server 代理服务在SQL Server Express 的实例上存在，但处于禁用状态。

可执行文件为<MSSQLPATH>\MSSQL\Binn\sqlagent.exe。

∙Analysis Services - 为商业智能应用程序提供联机分析处理(OLAP) 和数据挖掘功能。

可执行文件为<MSSQLPATH>\OLAP\Bin\msmdsrv.exe。

∙Reporting Services - 管理、执行、创建、计划和传递报表。

可执行文件为<MSSQLPATH>\ReportingServices\ReportServer\Bin\ReportingServicesService.exe。

∙Integration Services - 为Integration Services 包的存储和执行提供管理支持。

可执行文件的路径是<MSSQLPATH>\130\DTS\Binn\MsDtsSrvr.exe ∙SQL Server Browser - 向客户端计算机提供SQL Server 连接信息的名称解析服务。

可执行文件的路径为c:\Program Files (x86)\Microsoft SQLServer\90\Shared\sqlbrowser.exe∙全文搜索 - 对结构化和半结构化数据的内容和属性快速创建全文索引，从而为SQL Server 提供文档筛选和断字功能。

Top Level Server PermissionsDatabase Level PermissionsALTER ANY APPLICATION ROLE ALTER ANY ASSEMBLY ALTER ANY ASYMMETRIC KEY ALTER ANY CERTIFICATE ALTER ANY CONTRACTALTER ANY DATABASE AUDIT ALTER ANY DATABASE DDL TRIGGERALTER ANY DATABASE EVENT NOTIFICATION ALTER ANY DATASPACEALTER ANY FULLTEXT CATALOGALTER ANY MESSAGE TYPEALTER ANY REMOTE SERVICE BINDING ALTER ANY ROLE ALTER ANY ROUTE ALTER ANY SCHEMA ALTER ANY SERVICE ALTER ANY SYMMETRIC KEYALTER ANY USER –See Connect and Authentication –Database Permissions ChartCREATE AGGREGATE CREATE DEFAULT CREATE FUNCTION CREATE PROCEDURE CREATE QUEUE CREATE RULE CREATE SYNONYM CREATE TABLE CREATE TYPE CREATE VIEWCREATE XML SCHEMA COLLECTIONTop Level Database PermissionsCONTROL ON DATABASE::<name>CREATE ASSEMBLY CREATE ASYMMETRIC KEY CREATE CERTIFICATE CREATE CONTRACTCREATE DATABASE DDL EVENT NOTIFICATIONCREATE FULLTEXT CATALOG CREATE MESSAGE TYPECREATE REMOTE SERVICE BINDING CREATE ROLE CREATE ROUTE CREATE SCHEMA CREATE SERVICE CREATE SYMMETRIC KEYAUTHENTICATE BACKUP DATABASE BACKUP LOG CHECKPOINTCONNECT REPLICATION DELETE EXECUTE INSERT REFERENCES SELECT UPDATEVIEW DEFINITION TAKE OWNERSHIP SHOWPLANSUBSCRIBE QUERY NOTIFICATIONS VIEW DATABASE STATECONTROL SERVERCONNECT DATABASESTATEMENTS:CREATE DATABASE AUDIT SPECIFICATION CREATE/ALTER/DROP database triggersPARTITION & PLAN GUIDE statementsSTATEMENTS:Combined with TRUSTWORTHY allows delegation of authentication BACKUP DATABASE BACKUP LOG CHECKPOINTCREATE ANY DATABASE ALTER ANY DATABASEALTER ANY SERVER AUDIT ALTER ANY EVENT NOTIFICATIONAUTHENTICATE SERVERVIEW ANY DEFINITIONALTER TRACEVIEW SERVER STATE STATEMENTS:Applies to subordinate objects in the database. See Database Permissions –Schema Objects chart.TAKE OWNERSHIP ON OBJECT|TYPE|XML SCHEMA COLLECTION::<name>RECEIVE ON OBJECT::<queue name>SELECT ON OBJECT::<queue name>VIEW CHANGE TRACKING ON OBJECT::<name> SELECT ON OBJECT::<table |view name>INSERT ON OBJECT::< table |view name> UPDATE ON OBJECT::< table |view name> DELETE ON OBJECT::< table |view name>EXECUTE ON OBJECT|TYPE|XML SCHEMA COLLECTION::<name> REFERENCES ON OBJECT|TYPE|XML SCHEMA COLLECTION:<name> VIEW DEFINITION ON OBJECT|TYPE|XML SCHEMA COLLECTION::<name>ALTER ON OBJECT|TYPE|XML SCHEMA COLLECTION::<name>TAKE OWNERSHIP ON SCHEMA::<name>VIEW CHANGE TRACKING ON SCHEMA::<name>SELECT ON SCHEMA::<name>INSERT ON SCHEMA::<name>UPDATE ON SCHEMA::<name>DELETE ON SCHEMA::<name>EXECUTE ON SCHEMA::<name>REFERENCES ON SCHEMA::<name>VIEW DEFINITION ON SCHEMA::<name>ALTER ON SCHEMA::<name>CREATE SEQUENCESELECT ON DATABASE::<name>INSERT ON DATABASE::<name>UPDATE ON DATABASE::<name>DELETE ON DATABASE::<name>EXECUTE ON DATABASE::<name>REFERENCES ON DATABASE::<name>VIEW DEFINITION ON DATABASE::<name>TAKE OWNERSHIP ON DATABASE::<name>ALTER ON DATABASE::<name>ALTER ANY SCHEMACREATE SCHEMACREATE AGGREGATE CREATE DEFAULT CREATE FUNCTION CREATE PROCEDURE CREATE QUEUE CREATE RULE CREATE SYNONYM CREATE TABLE CREATE TYPE CREATE VIEWCREATE XML SCHEMA COLLECTIONVIEW ANY DEFINITIONVIEW ANY DATABASEALTER ANY DATABASEServer PermissionsDatabase PermissionsSchema PermissionsObject Permissions Type PermissionsXML Schema Collection PermissionsDatabase Permissions –Schema ObjectsNotes:•To create a schema object (such as a table) you must have CREATE permission for that object type plus ALTER ON SCHEMA::<name> for the schema of the object. Might require REFERENCES ON OBJECT::<name> for any referenced CLR type or XML schema collection.•To alter an object (such as a table) you must have ALTER permission on the object (or schema ),or CONTROL permission on the object.CONTROL ON SERVERCONTROL ON DATABASE::<name>CONTROL ON SCHEMA ::<name>CONTROL ON OBJECT|TYPE|XML SCHEMA COLLECTION ::<name>OBJECT permissions apply to the following database objects:AGGREGATE DEFAULT FUNCTION PROCEDURE QUEUE RULE SYNONYM TABLE VIEW(All permissions do not apply to all objects. For example UPDATE only applies to tables and views.)•To drop an object (such as a table) you must have ALTER permission on the schema or CONTROL permission on the object.•To create an index requires ALTER OBJECT::<name> permission on the table or view.•To create or alter a trigger on a table or view requires ALTER OBJECT::<name> on the table or view.•To create statistics requires ALTER OBJECT::<name> on the table or view.CONTROL SERVERVIEW ANY DEFINITIONALTER ANY DATABASECONTROL ON DATABASE::<name>VIEW DEFINITION ON DATABASE::<name>REFERENCES ON DATABASE::<name>ALTER ON DATABASE::<name>ALTER ANY FULLTEXT CATALOGCREATE FULLTEXT CATALOG Certificate PermissionsFull-text PermissionsAssembly PermissionsQuestions and comments to ************************Server Role PermissionsCONTROL SERVERVIEW ANY DEFINITIONALTER ANY SERVER ROLEVIEW DEFINITION ON SERVER ROLE::<name>TAKE OWNERSHIP ON SERVER ROLE::<name>ALTER ON SERVER ROLE::<name>CONTROL ON SERVER ROLE::<name>Most permission statements have the format :AUTHORIZATION PERMISSION ON SECURABLE::NAME TO PRINCIPAL•AUTHORIZATION must be GRANT, REVOKE or DENY.•PERMISSION is listed in the charts below.•ON SECURABLE::NAME is the server, server object, database, or database object and its name. Some permissions do not require ON SECURABLE::NAME.•PRINCIPAL is the login, user, or role which receives or loses the permission. Grant permissions to roles whenever possible.Sample grant statement: GRANT UPDATE ON OBJECT::Production.Parts TO PartsTeam Denying a permission at any level, overrides a related grant.To remove a previously granted permission, use REVOKE, not DENY.NOTES:•The CONTROL SERVER permission has all permissions on the instance of SQL Server.•The CONTROL DATABASE permission has all permissions on the database.•Permissions do not imply role memberships and role memberships do not grant permissions. (E.g. CONTROL SERVER does not imply membership in the sysadmin fixed server role. Membership in the db_owner role does not grant the CONTROL DATABASE permission.) However, it is sometimes possible to impersonate between roles and equivalent permissions.•Granting any permission on a securable allows VIEW DEFINITION on that securable. It is an implied permissions and it cannot be revoked, but it can be explicitly denied by using the DENY VIEW DEFINITION statement.Server Level PermissionsNotes:•Creating a full-text index requires ALTER permission on the table and REFERENCES permission on the full-text catalog.•Dropping a full-text index requires ALTER permission on the table.STATEMENTS:DROP DATABASEMarch 28, 2014How to Read this Chart•Most of the more granular permissions are included in more than one higher level scope permission. So permissions can be inherited from more than one type of higher scope.•Black, green, and blue arrows and boxes point to subordinate permissions that are included in the scope of higher a level permission.•Brown arrows and boxes indicate some of the statements that can use the permission.CREATE SERVER ROLEAvailability Group PermissionsCONTROL SERVERVIEW ANY DEFINITIONALTER ANY AVAILABILITY GROUPVIEW DEFINITION ON AVAILABILITY GROUP::<name>TAKE OWNERSHIP ON AVAILABILITY GROUP::<name>ALTER ON AVAILABILITY GROUP::<name>CONTROL ON AVAILABILITY GROUP::<name>CREATE AVAILABILITY GROUPADMINISTER BULK OPERATIONSALTER ANY AVAILABILITY GROUP –See Availability Group PermissionsCREATE AVAILABILTY GROUPALTER ANY CONNECTION ALTER ANY CREDENTIALALTER ANY DATABASE –See Database Permission ChartsCREATE ANY DATABASE –See Top Level Database PermissionsALTER ANY ENDPOINT –See Connect and AuthenticationCREATE ENDPOINT –See Connect and AuthenticationALTER ANY EVENT NOTIFICATIONCREATE DDL EVENT NOTIFICATION CREATE TRACE EVENT NOTIFICATIONALTER ANY EVENT SESSION ALTER ANY LINKED SERVERALTER ANY LOGIN –See Connect and Authentication ALTER ANY SERVER AUDITALTER ANY SERVER ROLE –See Server Role PermissionsCREATE SERVER ROLE –See Server Role PermissionsALTER RESOURCES (Not used. Use diskadmin fixed server role instead.)ALTER SERVER STATEVIEW SERVER STATEALTER SETTINGS ALTER TRACEAUTHENTICATE SERVERCONNECT SQL –See Connect and Authentication CONNECT ANY DATABASE IMPERSONATE ANY LOGIN SELECT ALL USER SECURABLES SHUTDOWN UNSAFE ASSEMBLYEXTERNAL ACCESS ASSEMBLYVIEW ANY DEFINITIONVIEW ANY DATABASE –See Database Permissions –Schema* NOTE:The SHUTDOWN statement requires the SQL Server SHUTDOWN permission. Starting, stopping, and pausing the Database Engine from SSCM, SSMS, or Windows requires Windows permissions, not SQL Server permissions.STATEMENTS:CREATE/ALTER/DROP server triggers OPENROWSET(BULK….KILL CREATE/ALTER/DROP CREDENTIAL DBCC FREE…CACHE and SQLPERF SELECT on server-level DMV’s sp_configure, RECONFIGURE sp_create_traceAllows server-level delegationCONTROL SERVERSTATEMENTS:CREATE/ALTER/DROP server triggers OPENROWSET(BULK …KILLServer scoped event notifications Server scoped DDL event notifications Event notifications on trace events Extended event sessions sp_addlinkedserverDBCC FREE…CACHE and SQLPERF SELECT on server-level DMV’s sp_configure, RECONFIGURE sp_trace_create Allows server-level delegation SHUTDOWN*CREATE/ALTER/DROP SERVER AUDIT and SERVER AUDIT SPECIFICATION CONTROL SERVERVIEW ANY DEFINITION ALTER ANY LOGINCONNECT SQLCONTROL ON LOGIN::<name>Connect and Authentication –Server PermissionsVIEW ANY DEFINITIONALTER ANY ENDPOINTCREATE ENDPOINTCONNECT ON ENDPOINT::<name>TAKE OWNERSHIP ON ENDPOINT::<name>VIEW DEFINITION ON ENDPOINT::<name>ALTER ON ENDPOINT::<name>CONTROL ON ENDPOINT::<name>Notes:•The CREATE LOGIN statement creates a login and grants CONNECT SQL to that login.•Enabling a login (ALTER LOGIN <name> ENABLE) is not the same as granting CONNECT SQL permission.•To map a login to a credential, see ALTER ANY CREDENTIAL.•When contained databases are enabled, users can access SQL Server without a login. See database user permissions.•To connect using a login you must have :o An enabled login o CONNECT SQLoCONNECT for the database (if specified)VIEW DEFINITION ON LOGIN::<name>IMPERSONATE ON LOGIN::<name>ALTER ON LOGIN::<name>STATEMENTS:ALTER LOGIN, sp_addlinkedsrvlogin DROP LOGIN CREATE LOGINSTATEMENTS:ALTER ENDPOINT DROP ENDPOINTCREATE ENDPOINTSTATEMENTS:ALTER SERVER ROLE <name> ADD MEMBER DROP SERVER ROLECREATE SERVER ROLESTATEMENTS:ALTER AVAILABILITY GROUP DROP AVAILABILITY GROUPCREATE AVAILABILITY GROUPCONTROL ON FULLTEXT CATALOG::<name>VIEW DEFINITION ON FULLTEXT CATALOG::<name>REFERENCES ON FULLTEXT CATALOG::<name>TAKE OWNERSHIP ON FULLTEXT CATALOG::<name>ALTER ON FULLTEXT CATALOG::<name>STATEMENTS:ALTER FULLTEXT CATALOG CREATE FULLTEXT CATALOGDatabase Role PermissionsCONTROL SERVERVIEW ANY DEFINITIONALTER ANY DATABASEVIEW DEFINITION ON DATABASE::<name>ALTER ON DATABASE::<name>ALTER ANY ROLE CREATE ROLE CONTROL ON DATABASE::<name>VIEW DEFINITION ON ROLE::<name>TAKE OWNERSHIP ON ROLE::<name>ALTER ON ROLE::<name>CONTROL ON ROLE::<name>STATEMENTS:ALTER ROLE <name> ADD MEMBER DROP ROLECREATE ROLESymmetric Key PermissionsCONTROL SERVERVIEW ANY DEFINITIONALTER ANY DATABASEVIEW DEFINITION ON DATABASE::<name>REFERENCES ON DATABASE::<name>ALTER ON DATABASE::<name>ALTER ANY SYMMETRIC KEYCREATE SYMMETRIC KEY CONTROL ON DATABASE::<name>VIEW DEFINITION ON SYMMETRIC KEY::<name>REFERENCES ON SYMMETRIC KEY::<name>TAKE OWNERSHIP ON SYMMETRIC KEY::<name>ALTER ON SYMMETRIC KEY::<name>CONTROL ON SYMMETRIC KEY::<name>STATEMENTS:ALTER SYMMETRIC KEY DROP SYMMETRIC KEY CREATE SYMMETRIC KEYNote: OPEN SYMMETRIC KEY requires VIEW DEFINITION permission on the key (implied by any permission on the key), and requires permission on the key encryption hierarchy.Asymmetric Key PermissionsCONTROL SERVERVIEW ANY DEFINITIONALTER ANY DATABASEVIEW DEFINITION ON DATABASE::<name>REFERENCES ON DATABASE::<name>ALTER ON DATABASE::<name>ALTER ANY ASYMMETRIC KEYCREATE ASYMMETRIC KEYCONTROL ON DATABASE::<name>VIEW DEFINITION ON ASYMMETRIC KEY::<name>REFERENCES ON ASYMMETRIC KEY::<name>TAKE OWNERSHIP ON ASYMMETRIC KEY::<name>ALTER ON ASYMMETRIC KEY::<name>CONTROL ON ASYMMETRIC KEY::<name>STATEMENTS:ALTER ASYMMETRIC KEY DROP ASYMMETRIC KEYCREATE ASYMMETRIC KEYNote: ADD SIGNATURE requires CONTROL permission on the key, andrequires ALTER permission on the object.CONTROL SERVERVIEW ANY DEFINITIONALTER ANY DATABASEVIEW DEFINITION ON DATABASE::<name>REFERENCES ON DATABASE::<name>ALTER ON DATABASE::<name>ALTER ANY CERTIFICATE CREATE CERTIFICATE CONTROL ON DATABASE::<name>VIEW DEFINITION ON CERTIFICATE::<name>REFERENCES ON CERTIFICATE::<name>TAKE OWNERSHIP ON CERTIFICATE::<name>ALTER ON CERTIFICATE::<name>CONTROL ON CERTIFICATE::<name>STATEMENTS:ALTER CERTIFICATE DROP CERTIFICATECREATE CERTIFICATENote: ADD SIGNATURE requiresCONTROL permission on the certificate, and requires ALTER permission on the object.CONTROL SERVERVIEW ANY DEFINITIONALTER ANY DATABASEVIEW DEFINITION ON DATABASE::<name>REFERENCES ON DATABASE::<name>ALTER ON DATABASE::<name>ALTER ANY ASSEMBLY CREATE ASSEMBLYCONTROL ON DATABASE::<name>VIEW DEFINITION ON ASSEMBLY::<name>REFERENCES ON ASSEMBLY::<name>TAKE OWNERSHIP ON ASSEMBLY::<name>ALTER ON ASSEMBLY::<name>CONTROL ON ASSEMBLY::<name>STATEMENTS:ALTER ASSEMBLYDROP ASSEMBLYCREATE ASSEMBLYEvent Notification PermissionsCONTROL SERVERALTER ANY EVENT NOTIFICATIONCREATE DDL EVENT NOTIFICATIONCREATE TRACE EVENT NOTIFICATIONALTER ON DATABASE::<name>ALTER ANY DATABASE EVENT NOTIFICATION CREATE DATABASE DDL EVENT NOTIFICATIONCONTROL ON DATABASE::<name>Database scoped event notificationsDatabase scoped DDL event notificationsEvent notifications on trace eventsNote: EVENT NOTIFICATION permissions also affect service broker. See the service broker chart for more into.Connect and Authentication –Database PermissionsCONTROL SERVERVIEW ANY DEFINITIONALTER ANY DATABASEVIEW DEFINITION ON DATABASE::<name>ALTER ON DATABASE::<name>ALTER ANY USER CONNECT ON DATABASE::<name>CONTROL ON DATABASE::<name>VIEW DEFINITION ON USER::<name>IMPERSONATE ON USER::<name>ALTER ON USER::<name>CONTROL ON USER::<name>STATEMENTS:ALTER USER DROP USER CREATE USERNOTES:•When contained databases are enabled, creating a database user that authenticates at the database, grants CONNECT DATABASE to that user,and it can access SQL Server without a login.•Granting ALTER ANY USER allows a principal to create a user based on a login, but does not grant the server level permission to view information about logins.Replication PermissionsCONTROL SERVERCONTROL ON DATABASE::<name>CONNECT REPLICATION ON DATABASE::<name>CONNECT ON DATABASE::<name>Application Role PermissionsCONTROL SERVERVIEW ANY DEFINITION ALTER ANY DATABASE CONTROL ON DATABASE::<name>VIEW DEFINITION ON DATABASE::<name>ALTER ON DATABASE::<name>ALTER ANY APPLICATION ROLECONTROL ON APPLICATION ROLE::<name>VIEW DEFINITION ON APPLICATION ROLE::<name>ALTER ON APPLICATION ROLE::<name>STATEMENTS:ALTER APPLICATION ROLE DROP APPLICATION ROLE CREATE APPLICATION ROLESTATEMENTS:DROP FULLTEXT CATALOG DROP FULLTEXT STOPLISTDROP FULLTEXT SEARCH PROPERTYLISTCONTROL ON FULLTEXT STOPLIST::<name>VIEW DEFINITION ON FULLTEXT STOPLIST::<name>REFERENCES ON FULLTEXT STOPLIST::<name>TAKE OWNERSHIP ON FULLTEXT STOPLIST::<name>ALTER ON FULLTEXT STOPLIST::<name>STATEMENTS:ALTER FULLTEXT STOPLIST CREATE FULLTEXT STOPLISTCONTROL ON SEARCH PROPERTY LIST::<name>VIEW DEFINITION ON SEARCH PROPERTY LIST::<name>REFERENCES ON SEARCH PROPERTY LIST::<name>TAKE OWNERSHIP ON SEARCH PROPERTY LIST::<name>ALTER ON SEARCH PROPERTY LIST::<name>STATEMENTS:ALTER SEARCH PROPERTY LIST CREATE SEARCH PROPERTY LISTService Broker PermissionsNotes:•The user executing the CREATE CONTRACT statement must have REFERENCES permission on all message typesspecified.•The user executing the CREATE SERVICE statement must have REFERENCES permission on the queue and allcontracts specified.•To execute the CREATE or ALTER REMOTE SERVICE BINDING the user must have impersonate permission forthe principal specified in the statement.•When the CREATE or ALTER MESSAGE TYPE statement specifies a schema collection, the user executing thestatement must have REFERENCES permission on the schema collection specified.•See the ALTER ANY EVENT NOTIFICATION chart for more permissions related to Service Broker.•See the SCHEMA OBJECTS chart for QUEUE permissions.•The ALTER CONTRACT permission exists but at this time there is no ALTER CONTRACT statement.CONTROL ON REMOTE SERVICE BINDING::<name>VIEW DEFINITION ON REMOTE SERVICE BINDING::<name>TAKE OWNERSHIP ON REMOTE SERVICE BINDING::<name>ALTER ON REMOTE SERVICE BINDING::<name>STATEMENTS:ALTER REMOTE SERVICE BINDINGDROP REMOTE SERVICE BINDINGCREATE REMOTE SERVICE BINDINGCONTROL SERVERVIEW ANY DEFINITIONALTER ANY DATABASECONTROL ON DATABASE::<name>VIEW DEFINITION ON DATABASE::<name>ALTER ON DATABASE::<name>ALTER ANY REMOTE SERVICE BINDINGCREATE REMOTE SERVICE BINDINGCONTROL ON CONTRACT::<name>VIEW DEFINITION ON CONTRACT::<name>REFERENCES ON CONTRACT::<name>TAKE OWNERSHIP ON CONTRACT::<name>ALTER ON CONTRACT::<name>STATEMENTS:DROP CONTRACTCREATE CONTRACTCONTROL SERVER VIEW ANY DEFINITIONALTER ANY DATABASECONTROL ON DATABASE::<name>VIEW DEFINITION ON DATABASE::<name>REFERENCES ON DATABASE::<name>ALTER ON DATABASE::<name>ALTER ANY CONTRACTCREATE CONTRACTCONTROL ON SERVICE::<name>VIEW DEFINITION ON SERVICE::<name>SEND ON SERVICE::<name>TAKE OWNERSHIP ON SERVICE::<name>ALTER ON SERVICE::<name>STATEMENTS:ALTER SERVICE DROP SERVICECREATE SERVICECONTROL SERVERVIEW ANY DEFINITION ALTER ANY DATABASE CONTROL ON DATABASE::<name>VIEW DEFINITION ON DATABASE::<name>ALTER ON DATABASE::<name>ALTER ANY SERVICECREATE SERVICESTATEMENTS:ALTER ROUTE DROP ROUTE CREATE ROUTECONTROL SERVERVIEW ANY DEFINITIONALTER ANY DATABASECONTROL ON DATABASE::<name>VIEW DEFINITION ON DATABASE::<name>ALTER ON DATABASE::<name>ALTER ANY ROUTECREATE ROUTE CONTROL ON ROUTE::<name>VIEW DEFINITION ON ROUTE::<name>TAKE OWNERSHIP ON ROUTE::<name>ALTER ON ROUTE::<name>STATEMENTS:ALTER MESSAGE TYPEDROP MESSAGE TYPE CREATE MESSAGE TYPECONTROL SERVER VIEW ANY DEFINITIONALTER ANY DATABASECONTROL ON DATABASE::<name>VIEW DEFINITION ON DATABASE::<name>REFERENCES ON DATABASE::<name>ALTER ON DATABASE::<name>ALTER ANY MESSAGE TYPECREATE MESSAGE TYPECREATE QUEUECONTROL ON MESSAGE TYPE::<name>VIEW DEFINITION ON MESSAGE TYPE::<name>REFERENCES ON MESSAGE TYPE::<name>TAKE OWNERSHIP ON MESSAGE TYPE::<name>ALTER ON MESSAGE TYPE::<name>Permission SyntaxCREATE DATABASE **ALTER ON DATABASE::<name>STATEMENTS: CREATE DATABASE, RESTORE DATABASE** NOTE:CREATE DATABASE is a database level permissionthat can only be granted in the master database.STATEMENTS:EXECUTE ASSTATEMENTS:EXECUTE ASSTATEMENTS:ALTER AUTHORIZATIONNotes:•ALTER AUTHORIZATION for any object might also require IMPERSONATE or membership in a role or ALTER permission on a role.•ALTER AUTHORIZATION exists at many levels in the permission model but is never inherited from ALTER AUTHORIZATION at a higher level.Note: CREATE and ALTER ASSEMBLY statements sometimes require server level EXTERNAL ACCESS ASSEMBLY and UNSAFE ASSEMBLY permissions, and can require membership in the sysadmin fixed server role.NOTES:Only members of the db_owner fixed database role can add or remove members from fixed database roles.NOTES:To add a member to a fixed server role, you must be a member of that fixed server role, or be a member of the sysadmin fixed server role.© 2014 Microsoft Corporation. All rights reserved.Database Engine PermissionsMicrosoft SQL Server 2014。

【原】SQLServer权限⽤户设置⼀、为什么要设置权限⽤户windows 验证登陆，只能在本机访问，⽤sqlserver验证登陆（也就是sa登陆），可以在局域⽹任意⼀台电脑访问登陆。

由于某种原因，给其他软件或者数据库开放接⼝，给对⽅⼀个账号但是要限制对⽅的访问权限的时候，就需要设置权限⽤户。

⼆、怎么去设置权限⽤户1、选择安全性---右击新建登录名（我们以test登录名为例）2、选择"常规"选项---设置你要新建的登录名---设置SQL Server⾝份验证密码---取消强制实施密码策略---选择⽬标数据库3、选择"服务器⾓⾊"--选择public服务器⾓⾊：服务器⾓⾊似乎是针对SQL Server登录名、Windows 帐户的，⽽某个数据库中建⽴的⽤户是不能具有服务器⾓⾊的。

例如：任何登录名建⽴后默认都是public服务器⾓⾊，public没有权限建⽴新的数据库；如果登录名具有dbcreator服务器⾓⾊，⽤它登录后，就可以创建新数据库；如果登录名具有securityadmin服务器⾓⾊，⽤它登录后，就可以管理其他登录名。

sysadmin 固定服务器⾓⾊的成员可以在服务器中执⾏任何活动serveradmin 固定服务器⾓⾊的成员可以更改服务器范围内的配置选项并关闭服务器securityadmin 固定服务器⾓⾊的成员管理登录名及其属性。

他们可以 GRANT、DENY 和 REVOKE 服务器级权限。

他们还可以GRANT、DENY 和 REVOKE 数据库级权限（如果他们具有数据库的访问权限）。

此外，他们还可以重置 SQL Server 登录名的密码。

processadmin 固定服务器⾓⾊的成员可以终⽌在 SQL Server 实例中运⾏的进程setupadmin 固定服务器⾓⾊的成员可以添加和删除链接服务器bulkadmin 固定服务器⾓⾊的成员可以运⾏ BULK INSERT 语句diskadmin 固定服务器⾓⾊⽤于管理磁盘⽂件dbcreator 固定服务器⾓⾊的成员可以创建、更改、删除和还原任何数据库public 每个 SQL Server 登录名均属于 public 服务器⾓⾊4、⽤户映射---选择要映射的数据库（也就是新建的登录名能访问那个数据库）---选择相应的数据库的操作权限数据库⾓⾊：作⽤范围数据，⽽⾮服务器（db_owner和 db_securityadmin 数据库⾓⾊的成员可以管理固定数据库⾓⾊成员⾝份。

SQL语句操作SQLSERVER数据库登录名、⽤户及权限要想成功访问 SQL Server 数据库中的数据，我们需要两个⽅⾯的授权：1. 获得准许连接 SQL Server 服务器的权利；2. 获得访问特定数据库中数据的权利（select, update, delete, create table ...）。

假设，我们准备建⽴⼀个 dba 数据库帐户，⽤来管理数据库 mydb。

1. ⾸先在 SQL Server 服务器级别，创建登陆帐户（create login）--创建登陆帐户（create login）create login dba with password='abcd1234@', default_database=mydb登陆帐户名为：“dba”，登陆密码：abcd1234@”，默认连接到的数据库：“mydb”。

这时候，dba 帐户就可以连接到 SQL Server 服务器上了。

但是此时还不能访问数据库中的对象（严格的说，此时 dba 帐户默认是 guest 数据库⽤户⾝份，可以访问 guest 能够访问的数据库对象）。

要使 dba 帐户能够在 mydb 数据库中访问⾃⼰需要的对象，需要在数据库 mydb 中建⽴⼀个“数据库⽤户”，赋予这个“数据库⽤户” 某些访问权限，并且把登陆帐户“dba” 和这个“数据库⽤户” 映射起来。

习惯上，“数据库⽤户” 的名字和 “登陆帐户”的名字相同，即：“dba”。

创建“数据库⽤户”和建⽴映射关系只需要⼀步即可完成：2. 创建数据库⽤户（create user）：--为登陆账户创建数据库⽤户（create user）,在mydb数据库中的security中的user下可以找到新创建的dbacreate user dba for login dba with default_schema=dbo并指定数据库⽤户“dba” 的默认 schema 是“dbo”。

SqlServer设置用户只能查看并访问特定数据库
现需要限定特定的用户只能查看并访问特定的数据库，防止多个用户对数据库操作时一些误操作。

参考i6first的如何让用户只能访问特定的数据库(MSSQL)博文
1.新建登录用户
以管理员身份登陆数据库（权限最高的身份如sa），点击安全性->登录名，右键新建登录名，输入登录名和密码，取消强制实施密码策略。

2.将服务器角色设置为public
3.将public服务器角色的属性->取消查看所有数据库的权限
点击安全性->服务器角色->public，右键属性。

点击服务器后如下图取消查看任意数据库的权限
或者执行如下SQL：
REVOKE VIEW ANY DATABASE TO [public]
4.将待授权的数据库的db_owner指派给刚注册的新用户
在数据库中新建查询，输入下列sql语句。

完成对用户权限的设定，做到了新建用户只能查看和操作特定数据库（除系统数据库外）Use [WH_R]//WH_R为数据库名称
go
EXEC dbo.sp_changedbowner N'user'//user为刚新建的用户
•1
•2
•3。

sql server 数据库用户权限管理的设置-回复Elasticsearch是一个开源的分布式搜索和分析引擎，它提供了强大的聚合功能，用于对大型数据集进行分析和聚合操作。

在Elasticsearch中，聚合是通过使用特定的聚合组件来执行的，其中之一就是terms聚合。

terms 聚合用于对字段的值进行分组，并计算每个分组的文档数或其他统计信息。

在进行terms聚合时，默认情况下，Elasticsearch根据每个分组的文档数进行排序。

也就是说，文档数最多的分组将排在前面。

如果有多个分组具有相同的文档数，则根据词条的字典顺序进行排序。

下面将逐步回答关于Elasticsearch terms聚合的默认排序规则，并解释如何自定义排序规则。

步骤1：什么是terms聚合？terms聚合是Elasticsearch中的一种聚合，用于对字段的值进行分组。

它将具有相同值的文档分到一个分组，并计算每个分组的文档数或其他统计信息。

步骤2：默认的排序规则是什么？在terms聚合中，默认情况下，Elasticsearch根据每个分组的文档数进行排序。

文档数最多的分组将排在前面。

步骤3：如何自定义排序规则？要自定义排序规则，可以使用Elasticsearch中的order参数。

order参数允许我们指定聚合结果的排序方式。

可以根据不同的字段进行排序，也可以使用内置的一些特殊选项。

例如，可以按字母顺序对聚合结果进行排序，可以使用以下代码：json{"aggs": {"my_terms": {"terms": {"field": "my_field","order": {"_key": "asc"}}}}}在上面的示例中，通过将order参数设置为"_key"和"asc"来按字母顺序对聚合结果进行排序。

sqlserver服务账户和权限管理配置培训资料SQL Server是一款常用的关系型数据库管理系统，用于存储、管理和操纵数据。

在企业中使用SQL Server时，确保服务账户和权限的正确配置非常重要。

本篇培训资料将介绍SQL Server服务账户和权限管理的基本概念以及具体配置方法。

一、SQL Server服务账户1. 什么是SQL Server服务账户SQL Server服务账户是SQL Server实例运行所需的Windows 账户，用于执行数据库引擎服务、代理服务和数据库服务，并提供运行时环境。

每个服务都需要独立的服务账户。

2. 服务账户的类型SQL Server服务账户分为本地账户和域账户两种类型：- 本地账户：仅限于本地服务器上使用，适用于独立服务器或测试环境。

- 域账户：存储在Windows域中的账户，可以跨多个服务器使用，适用于大规模企业环境。

3. 选择适当的服务账户在选择服务账户时应考虑以下几个因素：- 安全性：为了最大程度地保护数据库的安全，建议使用域账户，并遵循最少特权原则。

- 管理：使用域账户可以集中管理，并为不同的服务分配不同的账户，便于维护和审计。

- 高可用性：确保服务账户拥有适当的权限，以便支持SQLServer集群、镜像和Always On可用性组等功能。

二、SQL Server权限管理1. 什么是权限权限是指用户或用户组对数据库对象执行特定操作的能力。

SQL Server使用细粒度权限模型来管理数据库访问，确保只有经授权的用户可以执行特定操作。

2. 常见的权限类型- 基本权限：包括SELECT、INSERT、UPDATE、DELETE等，用于控制对表或视图的读写操作。

- DDL权限：用于控制对数据库结构的更改，如CREATE、ALTER和DROP等。

- 系统权限：用于控制对服务器级别的操作，如CREATE LOGIN、CREATE DATABASE和SHUTDOWN等。