权限(数据库引擎)Permissions (Database Engine)

适用对象:是SQL Server 是Azure SQL 数据库 是Azure Synapse Analytics (SQL DW) 是并行数据仓库 APPLIES TO: yesSQL Server yesAzure SQL Database yesAzure Synapse Analytics (SQL DW) yesParallel Data Warehouse

每个 SQL ServerSQL Server 安全对象都有可以授予主体的关联权限。Every SQL ServerSQL Server securable has associated permissions that can be granted to a principal. 数据库引擎Database Engine 中的权限在分配给登录名和服务器角色的服务器级别,以及分配给数据库用户和数据库角色的数据库级别进行管理。Permissions in the 数据库引擎Database Engine are managed at the server level assigned to logins and server roles, and at the database level assigned to database users and database roles. Azure SQL 数据库Azure SQL Database 的模型拥有与数据库权限相同的系统,但服务器级别权限不可用。The model for Azure SQL 数据库Azure SQL Database has the same system for the database permissions, but the server level permissions are not available. 本主题包含权限的完整列表。This topic contains the complete list of permissions. 有关典型的权限实现,请参阅 Getting Started with Database Engine PermissionsFor a typical implementation of the permissions, see Getting Started with Database Engine Permissions.

SQL Server 2017 (14.x)SQL Server 2017 (14.x)Azure SQL 数据库Azure SQL Database 的权限总数是 237。The total number of permissions for SQL Server 2017 (14.x)SQL Server 2017 (14.x) and Azure SQL 数据库Azure SQL Database is 237. 大多数权限适用于所有平台,但有些则不适用。Most permissions apply to all platforms, but some do not. 例如,无法对 Azure SQL 数据库Azure SQL Database 授予服务器级别权限,并且只有几个权限对 Azure SQL 数据库Azure SQL Database 有意义。For example server level permissions cannot be granted on Azure SQL 数据库Azure SQL Database, and a few permissions only make sense on Azure SQL 数据库Azure SQL Database. SQL Server 2016 (13.x)SQL Server 2016 (13.x) 公布有 230 个权限。exposed 230 permissions. SQL Server 2014 (12.x)SQL Server 2014 (12.x) 公布有 219 个权限。exposed 219 permissions. SQL Server 2012 (11.x)SQL Server 2012 (11.x) 公布有 214 个权限。exposed 214 permissions. SQL Server 2008 R2SQL Server 2008 R2 公布有 195 个权限。exposed 195 permissions. Sys.fn_builtin_permissions 主题指定哪些是最新版本中的新增主题。The sys.fn_builtin_permissions topic specifies which topics are new in recent versions.

了解权限后,通过 GRANTREVOKEDENY 语句,将服务器级别权限应用于登录名和数据库级别权限用户。Once you understand the permissions, apply server level permissions to logins and database level permissions users with the GRANT, REVOKE, and DENY statements. 例如:For Example:

GRANT SELECT ON OBJECT::HumanResources.Employee TO Larry;
REVOKE SELECT ON OBJECT::HumanResources.Employee TO Larry;

有关计划权限系统的相关提示,请参阅 数据库引擎权限入门For tips on planning a permissions system, see Getting Started with Database Engine Permissions.

权限命名约定Permissions Naming Conventions

下面介绍命名权限时遵循的一般约定:The following describes the general conventions that are followed for naming permissions:

  • CONTROLCONTROL

    为被授权者授予类似所有权的功能。Confers ownership-like capabilities on the grantee. 被授权者实际上对安全对象具有所定义的所有权限。The grantee effectively has all defined permissions on the securable. 也可以为已被授予 CONTROL 权限的主体授予对安全对象的权限。A principal that has been granted CONTROL can also grant permissions on the securable. 因为 SQL ServerSQL Server 安全模型是分层的,所以 CONTROL 权限在特定范围内隐含着对该范围内的所有安全对象的 CONTROL 权限。Because the SQL ServerSQL Server security model is hierarchical, CONTROL at a particular scope implicitly includes CONTROL on all the securables under that scope. 例如,对数据库的 CONTROL 权限隐含着对数据库的所有权限、对数据库中所有组件的所有权限、对数据库中所有架构的所有权限以及对数据库的所有架构中的所有对象的权限。For example, CONTROL on a database implies all permissions on the database, all permissions on all assemblies in the database, all permissions on all schemas in the database, and all permissions on objects within all schemas within the database.

  • ALTERALTER

    授予更改特定安全对象的属性(所有权除外)的权限。Confers the ability to change the properties, except ownership, of a particular securable. 当授予对某个范围的 ALTER 权限时,也授予更改、创建或删除该范围内包含的任何安全对象的权限。When granted on a scope, ALTER also bestows the ability to alter, create, or drop any securable that is contained within that scope. 例如,对架构的 ALTER 权限包括在该架构中创建、更改和删除对象的权限。For example, ALTER permission on a schema includes the ability to create, alter, and drop objects from the schema.

  • ALTER ANY <Server Securable>,其中 Server Securable 可为任何服务器安全对象。ALTER ANY <Server Securable>, where Server Securable can be any server securable.

    授予创建、更改或删除“服务器安全对象” 的各个实例的权限。Confers the ability to create, alter, or drop individual instances of the Server Securable. 例如,ALTER ANY LOGIN 将授予创建、更改或删除实例中的任何登录名的权限。For example, ALTER ANY LOGIN confers the ability to create, alter, or drop any login in the instance.

  • ALTER ANY <Database Securable>,其中 Database Securable 可为数据库级别的任何安全对象。ALTER ANY <Database Securable>, where Database Securable can be any securable at the database level.

    授予创建、更改或删除“数据库安全对象” 的各个实例的权限。Confers the ability to CREATE, ALTER, or DROP individual instances of the Database Securable. 例如,ALTER ANY SCHEMA 将授予创建、更改或删除数据库中的任何架构的权限。For example, ALTER ANY SCHEMA confers the ability to create, alter, or drop any schema in the database.

  • TAKE OWNERSHIPTAKE OWNERSHIP

    允许被授权者获取所授予的安全对象的所有权。Enables the grantee to take ownership of the securable on which it is granted.

  • IMPERSONATE <Login>IMPERSONATE <Login>

    允许被授权者模拟该登录名。Enables the grantee to impersonate the login.

  • IMPERSONATE <User>IMPERSONATE <User>

    允许被授权者模拟该用户。Enables the grantee to impersonate the user.

  • CREATE <服务器安全对象>CREATE <Server Securable>

    授予被授权者创建“服务器安全对象” 的权限。Confers to the grantee the ability to create the Server Securable.

  • CREATE <数据库安全对象>CREATE <Database Securable>

    授予被授权者创建“数据库安全对象” 的权限。Confers to the grantee the ability to create the Database Securable.

  • CREATE <包含架构的安全对象>CREATE <Schema-contained Securable>

    授予创建包含在架构中的安全对象的权限。Confers the ability to create the schema-contained securable. 但是,若要在特定架构中创建安全对象,必须对该架构具有 ALTER 权限。However, ALTER permission on the schema is required to create the securable in a particular schema.

  • VIEW DEFINITIONVIEW DEFINITION

    允许被授权者访问元数据。Enables the grantee to access metadata.

  • REFERENCESREFERENCES

    表的 REFERENCES 权限是创建引用该表的外键约束时所必需的。The REFERENCES permission on a table is needed to create a FOREIGN KEY constraint that references that table.

    对象的 REFERENCES 权限是使用引用该对象的 WITH SCHEMABINDING 子句创建 FUNCTION 或 VIEW 时所必需的。The REFERENCES permission is needed on an object to create a FUNCTION or VIEW with the WITH SCHEMABINDING clause that references that object.

SQL Server 权限图表Chart of SQL Server Permissions

下图显示了权限以及它们彼此之间的关系。The following graphic shows the permissions and their relationships to each other. 多次列出了某些更高级别的权限(如 CONTROL SERVER)。Some of the higher level permissions (such as CONTROL SERVER) are listed many times. 在本文中,海报太小了,因此无法查看。In this article, the poster is far too small to read. 单击图像下载 pdf 格式的数据库引擎权限文章Click the image to download the Database Engine Permissions Poster in pdf format.

数据库引擎权限Database Engine Permissions

适用于特定安全对象的权限Permissions Applicable to Specific Securables

下表列出了主要的权限类别以及可应用这些权限的安全对象的种类。The following table lists major classes of permissions and the kinds of securables to which they may be applied.

权限Permission 适用于Applies to
ALTERALTER 除 TYPE 外的所有对象类。All classes of objects except TYPE.
CONTROLCONTROL 所有对象类:All classes of objects:
AGGREGATE、AGGREGATE,
APPLICATION ROLE、APPLICATION ROLE,
ASSEMBLY、ASSEMBLY,
ASYMMETRIC KEY、ASYMMETRIC KEY,
AVAILABILITY GROUP、AVAILABILITY GROUP,
CERTIFICATE、CERTIFICATE,
CONTRACT、CONTRACT,
CREDENTIALS、DATABASE、CREDENTIALS, DATABASE,
DATABASE SCOPED CREDENTIAL、DATABASE SCOPED CREDENTIAL,
DEFAULT、DEFAULT,
ENDPOINT、ENDPOINT,
FULLTEXT CATALOG、FULLTEXT CATALOG,
FULLTEXT STOPLIST、FULLTEXT STOPLIST,
FUNCTION、FUNCTION,
LOGIN、LOGIN,
MESSAGE TYPE、MESSAGE TYPE,
PROCEDURE、PROCEDURE,
QUEUE、QUEUE,
REMOTE SERVICE BINDING、REMOTE SERVICE BINDING,
ROLE、ROLE,
ROUTE、ROUTE,
RULE、RULE,
SCHEMA、SCHEMA,
SEARCH PROPERTY LIST、SEARCH PROPERTY LIST,
SERVER、SERVER,
SERVER ROLE、SERVER ROLE,
SERVICE、SERVICE,
SYMMETRIC KEY、SYMMETRIC KEY,
SYNONYM、SYNONYM,
TABLE、TABLE,
TYPE、USER、TYPE, USER,
VIEW 和VIEW, and
XML SCHEMA COLLECTIONXML SCHEMA COLLECTION
删除DELETE 除 DATABASE SCOPED CONFIGURATION 和 SERVER 外的所有对象类。All classes of objects except DATABASE SCOPED CONFIGURATION, and SERVER.
在运行 CREATE 语句前执行EXECUTE CLR 类型、外部脚本、过程(Transact-SQLTransact-SQL 和 CLR)、标量和聚合函数(Transact-SQLTransact-SQL 和 CLR)以及同义词CLR types, external scripts, procedures (Transact-SQLTransact-SQL and CLR), scalar and aggregate functions (Transact-SQLTransact-SQL and CLR), and synonyms
IMPERSONATEIMPERSONATE 登录名和用户Logins and users
InsertINSERT 同义词、表和列、视图和列。Synonyms, tables and columns, views and columns. 可以在数据库、架构或对象级别授予权限。Permission can be granted at the database, schema, or object level.
RECEIVERECEIVE Service BrokerService Broker 队列queues
REFERENCESREFERENCES AGGREGATE、AGGREGATE,
ASSEMBLY、ASSEMBLY,
ASYMMETRIC KEY、ASYMMETRIC KEY,
CERTIFICATE、CERTIFICATE,
CONTRACT、CONTRACT,
DATABASE、DATABASE,
DATABASE SCOPED CREDENTIAL、DATABASE SCOPED CREDENTIAL,
FULLTEXT CATALOG、FULLTEXT CATALOG,
FULLTEXT STOPLIST、FULLTEXT STOPLIST,
FUNCTION、FUNCTION,
MESSAGE TYPE、MESSAGE TYPE,
PROCEDURE、PROCEDURE,
QUEUE、QUEUE,
RULE、RULE,
SCHEMA、SCHEMA,
SEARCH PROPERTY LIST、SEARCH PROPERTY LIST,
SEQUENCE OBJECT、SEQUENCE OBJECT,
SYMMETRIC KEY、SYMMETRIC KEY,
TABLE、TABLE,
TYPE、TYPE,
VIEW 和VIEW, and
XML SCHEMA COLLECTIONXML SCHEMA COLLECTION
SELECTSELECT 同义词、表和列、视图和列。Synonyms, tables and columns, views and columns. 可以在数据库、架构或对象级别授予权限。Permission can be granted at the database, schema, or object level.
TAKE OWNERSHIPTAKE OWNERSHIP 除 DATABASE SCOPED CONFIGURATION、LOGIN、SERVER 和 USER 外的所有对象类。All classes of objects except DATABASE SCOPED CONFIGURATION, LOGIN, SERVER, and USER.
UPDATEUPDATE 同义词、表和列、视图和列。Synonyms, tables and columns, views and columns. 可以在数据库、架构或对象级别授予权限。Permission can be granted at the database, schema, or object level.
VIEW CHANGE TRACKINGVIEW CHANGE TRACKING 架构和表Schemas and tables
VIEW DEFINITIONVIEW DEFINITION 除 DATABASE SCOPED CONFIGURATION 和 SERVER 外的所有对象类。All classes of objects except DATABASE SCOPED CONFIGURATION, and SERVER.

注意

安装期间授予系统对象的默认权限已针对可能的威胁进行了仔细评估,并且作为强化 SQL ServerSQL Server 安装的一部分,无需进行更改。The default permissions that are granted to system objects at the time of setup are carefully evaluated against possible threats and need not be altered as part of hardening the SQL ServerSQL Server installation. 对系统对象权限的任何更改都可能限制或破坏功能,并且可能让你的 SQL ServerSQL Server 安装处于不受支持的状态。Any changes to the permissions on the system objects could limit or break the functionality and could potentially leave your SQL ServerSQL Server installation in an unsupported state.

SQL Server 权限SQL Server Permissions

下表提供了 SQL ServerSQL Server 权限的完整列表。The following table provides a complete list of SQL ServerSQL Server permissions. Azure SQL 数据库Azure SQL Database 权限仅适用于受支持的基本安全对象。permissions are only available for base securables that are supported. 不能在 Azure SQL 数据库Azure SQL Database中授予服务器级别权限,但是在某些情况下,可改为授予数据库权限。Server level permissions cannot be granted in Azure SQL 数据库Azure SQL Database, however in some cases database permissions are available instead.

基础安全对象Base securable 对基础安全对象的粒度权限Granular permissions on base securable 权限类型代码Permission type code 包含基础安全对象的安全对象Securable that contains base securable 对容器安全对象的权限隐含着对基础安全对象的粒度权限Permission on container securable that implies granular permission on base securable
APPLICATION ROLEAPPLICATION ROLE ALTERALTER ALAL DATABASEDATABASE ALTER ANY APPLICATION ROLEALTER ANY APPLICATION ROLE
APPLICATION ROLEAPPLICATION ROLE CONTROLCONTROL CLCL DATABASEDATABASE CONTROLCONTROL
APPLICATION ROLEAPPLICATION ROLE VIEW DEFINITIONVIEW DEFINITION VWVW DATABASEDATABASE VIEW DEFINITIONVIEW DEFINITION
ASSEMBLYASSEMBLY ALTERALTER ALAL DATABASEDATABASE ALTER ANY ASSEMBLYALTER ANY ASSEMBLY
ASSEMBLYASSEMBLY CONTROLCONTROL CLCL DATABASEDATABASE CONTROLCONTROL
ASSEMBLYASSEMBLY REFERENCESREFERENCES RFRF DATABASEDATABASE REFERENCESREFERENCES
ASSEMBLYASSEMBLY TAKE OWNERSHIPTAKE OWNERSHIP TOTO DATABASEDATABASE CONTROLCONTROL
ASSEMBLYASSEMBLY VIEW DEFINITIONVIEW DEFINITION VWVW DATABASEDATABASE VIEW DEFINITIONVIEW DEFINITION
ASYMMETRIC KEYASYMMETRIC KEY ALTERALTER ALAL DATABASEDATABASE ALTER ANY ASYMMETRIC KEYALTER ANY ASYMMETRIC KEY
ASYMMETRIC KEYASYMMETRIC KEY CONTROLCONTROL CLCL DATABASEDATABASE CONTROLCONTROL
ASYMMETRIC KEYASYMMETRIC KEY REFERENCESREFERENCES RFRF DATABASEDATABASE REFERENCESREFERENCES
ASYMMETRIC KEYASYMMETRIC KEY TAKE OWNERSHIPTAKE OWNERSHIP TOTO DATABASEDATABASE CONTROLCONTROL
ASYMMETRIC KEYASYMMETRIC KEY VIEW DEFINITIONVIEW DEFINITION VWVW DATABASEDATABASE VIEW DEFINITIONVIEW DEFINITION
AVAILABILITY GROUPAVAILABILITY GROUP ALTERALTER ALAL SERVERSERVER ALTER ANY AVAILABILITY GROUPALTER ANY AVAILABILITY GROUP
AVAILABILITY GROUPAVAILABILITY GROUP CONTROLCONTROL CLCL SERVERSERVER CONTROL SERVERCONTROL SERVER
AVAILABILITY GROUPAVAILABILITY GROUP TAKE OWNERSHIPTAKE OWNERSHIP TOTO SERVERSERVER CONTROL SERVERCONTROL SERVER
AVAILABILITY GROUPAVAILABILITY GROUP VIEW DEFINITIONVIEW DEFINITION VWVW SERVERSERVER VIEW ANY DEFINITIONVIEW ANY DEFINITION
CERTIFICATECERTIFICATE ALTERALTER ALAL DATABASEDATABASE ALTER ANY CERTIFICATEALTER ANY CERTIFICATE
CERTIFICATECERTIFICATE CONTROLCONTROL CLCL DATABASEDATABASE CONTROLCONTROL
CERTIFICATECERTIFICATE REFERENCESREFERENCES RFRF DATABASEDATABASE REFERENCESREFERENCES
CERTIFICATECERTIFICATE TAKE OWNERSHIPTAKE OWNERSHIP TOTO DATABASEDATABASE CONTROLCONTROL
CERTIFICATECERTIFICATE VIEW DEFINITIONVIEW DEFINITION VWVW DATABASEDATABASE VIEW DEFINITIONVIEW DEFINITION
CONTRACTCONTRACT ALTERALTER ALAL DATABASEDATABASE ALTER ANY CONTRACTALTER ANY CONTRACT
CONTRACTCONTRACT CONTROLCONTROL CLCL DATABASEDATABASE CONTROLCONTROL
CONTRACTCONTRACT REFERENCESREFERENCES RFRF DATABASEDATABASE REFERENCESREFERENCES
CONTRACTCONTRACT TAKE OWNERSHIPTAKE OWNERSHIP TOTO DATABASEDATABASE CONTROLCONTROL
CONTRACTCONTRACT VIEW DEFINITIONVIEW DEFINITION VWVW DATABASEDATABASE VIEW DEFINITIONVIEW DEFINITION
DATABASEDATABASE ADMINISTER DATABASE BULK OPERATIONSADMINISTER DATABASE BULK OPERATIONS DABODABO SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE ALTERALTER ALAL SERVERSERVER ALTER ANY DATABASEALTER ANY DATABASE
DATABASEDATABASE ALTER ANY APPLICATION ROLEALTER ANY APPLICATION ROLE ALARALAR SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE ALTER ANY ASSEMBLYALTER ANY ASSEMBLY ALASALAS SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE ALTER ANY ASYMMETRIC KEYALTER ANY ASYMMETRIC KEY ALAKALAK SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE ALTER ANY CERTIFICATEALTER ANY CERTIFICATE ALCFALCF SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE ALTER ANY COLUMN ENCRYPTION KEYALTER ANY COLUMN ENCRYPTION KEY ALCKALCK

适用于 SQL ServerSQL Server (至SQL Server 2016 (13.x)SQL Server 2016 (13.x) 当前版本)和 Azure SQL 数据库Azure SQL DatabaseApplies to SQL ServerSQL Server (SQL Server 2016 (13.x)SQL Server 2016 (13.x) through current), Azure SQL 数据库Azure SQL Database.
SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE ALTER ANY COLUMN MASTER KEYALTER ANY COLUMN MASTER KEY ALCMALCM

适用于 SQL ServerSQL Server (至SQL Server 2016 (13.x)SQL Server 2016 (13.x) 当前版本)和 Azure SQL 数据库Azure SQL DatabaseApplies to SQL ServerSQL Server (SQL Server 2016 (13.x)SQL Server 2016 (13.x) through current), Azure SQL 数据库Azure SQL Database.
SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE ALTER ANY CONTRACTALTER ANY CONTRACT ALSCALSC SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE ALTER ANY DATABASE AUDITALTER ANY DATABASE AUDIT ALDAALDA SERVERSERVER ALTER ANY SERVER AUDITALTER ANY SERVER AUDIT
DATABASEDATABASE ALTER ANY DATABASE DDL TRIGGERALTER ANY DATABASE DDL TRIGGER ALTGALTG SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE ALTER ANY DATABASE EVENT NOTIFICATIONALTER ANY DATABASE EVENT NOTIFICATION ALEDALED SERVERSERVER ALTER ANY EVENT NOTIFICATIONALTER ANY EVENT NOTIFICATION
DATABASEDATABASE ALTER ANY DATABASE EVENT SESSIONALTER ANY DATABASE EVENT SESSION AADSAADS

适用于 Azure SQL 数据库Azure SQL DatabaseApplies to Azure SQL 数据库Azure SQL Database.
SERVERSERVER ALTER ANY EVENT SESSIONALTER ANY EVENT SESSION
DATABASEDATABASE ALTER ANY DATABASE SCOPED CONFIGURATIONALTER ANY DATABASE SCOPED CONFIGURATION ALDCALDC

适用于 SQL ServerSQL Server (至SQL Server 2016 (13.x)SQL Server 2016 (13.x) 当前版本)和 Azure SQL 数据库Azure SQL DatabaseApplies to SQL ServerSQL Server (SQL Server 2016 (13.x)SQL Server 2016 (13.x) through current), Azure SQL 数据库Azure SQL Database.
SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE ALTER ANY DATASPACEALTER ANY DATASPACE ALDSALDS SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE ALTER ANY EXTERNAL DATA SOURCEALTER ANY EXTERNAL DATA SOURCE AEDSAEDS SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE ALTER ANY EXTERNAL FILE FORMATALTER ANY EXTERNAL FILE FORMAT AEFFAEFF SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE ALTER ANY FULLTEXT CATALOGALTER ANY FULLTEXT CATALOG ALFTALFT SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE ALTER ANY MASKALTER ANY MASK AAMKAAMK

适用于 SQL ServerSQL Server (至SQL Server 2016 (13.x)SQL Server 2016 (13.x) 当前版本)和 Azure SQL 数据库Azure SQL DatabaseApplies to SQL ServerSQL Server (SQL Server 2016 (13.x)SQL Server 2016 (13.x) through current), Azure SQL 数据库Azure SQL Database.
SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE ALTER ANY MESSAGE TYPEALTER ANY MESSAGE TYPE ALMTALMT SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE ALTER ANY REMOTE SERVICE BINDINGALTER ANY REMOTE SERVICE BINDING ALSBALSB SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE ALTER ANY ROLEALTER ANY ROLE ALRLALRL SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE ALTER ANY ROUTEALTER ANY ROUTE ALRTALRT SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE ALTER ANY SCHEMAALTER ANY SCHEMA ALSMALSM SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE 更改任何安全策略ALTER ANY SECURITY POLICY ALSPALSP

适用于 SQL ServerSQL Server (至SQL Server 2016 (13.x)SQL Server 2016 (13.x) 当前版本)和 Azure SQL 数据库Azure SQL DatabaseApplies to SQL ServerSQL Server (SQL Server 2016 (13.x)SQL Server 2016 (13.x) through current), Azure SQL 数据库Azure SQL Database.
SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE 更改任何敏感度分类ALTER ANY SENSITIVITY CLASSIFICATION ALSPALSP
适用于 SQL ServerSQL Server(SQL Server 2019 (15.x) 至当前版本)、Azure SQL 数据库Azure SQL DatabaseApplies to SQL ServerSQL Server (SQL Server 2019 (15.x) through current), Azure SQL 数据库Azure SQL Database.
DATABASEDATABASE CONTROL SERVERCONTROL SERVER
DATABASEDATABASE ALTER ANY SERVICEALTER ANY SERVICE ALSVALSV SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE ALTER ANY SYMMETRIC KEYALTER ANY SYMMETRIC KEY ALSKALSK SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE ALTER ANY USERALTER ANY USER ALUSALUS SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE AUTHENTICATEAUTHENTICATE AUTHAUTH SERVERSERVER AUTHENTICATE SERVERAUTHENTICATE SERVER
DATABASEDATABASE BACKUP DATABASEBACKUP DATABASE BADBBADB SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE BACKUP LOGBACKUP LOG BALOBALO SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE CHECKPOINTCHECKPOINT CPCP SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE CONNECTCONNECT COCO SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE CONNECT REPLICATIONCONNECT REPLICATION CORPCORP SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE CONTROLCONTROL CLCL SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE CREATE AGGREGATECREATE AGGREGATE CRAGCRAG SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE CREATE ASSEMBLYCREATE ASSEMBLY CRASCRAS SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE CREATE ASYMMETRIC KEYCREATE ASYMMETRIC KEY CRAKCRAK SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE CREATE CERTIFICATECREATE CERTIFICATE CRCFCRCF SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE CREATE CONTRACTCREATE CONTRACT CRSCCRSC SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE CREATE DATABASECREATE DATABASE CRDBCRDB SERVERSERVER CREATE ANY DATABASECREATE ANY DATABASE
DATABASEDATABASE CREATE DATABASE DDL EVENT NOTIFICATIONCREATE DATABASE DDL EVENT NOTIFICATION CREDCRED SERVERSERVER CREATE DDL EVENT NOTIFICATIONCREATE DDL EVENT NOTIFICATION
DATABASEDATABASE CREATE DEFAULTCREATE DEFAULT CRDFCRDF SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE CREATE FULLTEXT CATALOGCREATE FULLTEXT CATALOG CRFTCRFT SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE CREATE FUNCTIONCREATE FUNCTION CRFNCRFN SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE CREATE MESSAGE TYPECREATE MESSAGE TYPE CRMTCRMT SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE CREATE PROCEDURECREATE PROCEDURE CRPRCRPR SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE CREATE QUEUECREATE QUEUE CRQUCRQU SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE CREATE REMOTE SERVICE BINDINGCREATE REMOTE SERVICE BINDING CRSBCRSB SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE CREATE ROLECREATE ROLE CRRLCRRL SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE CREATE ROUTECREATE ROUTE CRRTCRRT SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE CREATE RULECREATE RULE CRRUCRRU SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE CREATE SCHEMACREATE SCHEMA CRSMCRSM SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE CREATE SERVICECREATE SERVICE CRSVCRSV SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE CREATE SYMMETRIC KEYCREATE SYMMETRIC KEY CRSKCRSK SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE CREATE SYNONYMCREATE SYNONYM CRSNCRSN SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE CREATE TABLECREATE TABLE CRTBCRTB SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE CREATE TYPECREATE TYPE CRTYCRTY SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE CREATE VIEWCREATE VIEW CRVWCRVW SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE CREATE XML SCHEMA COLLECTIONCREATE XML SCHEMA COLLECTION CRXSCRXS SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE 删除DELETE DLDL SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE 在运行 CREATE 语句前执行EXECUTE EXEX SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE EXECUTE ANY EXTERNAL SCRIPTEXECUTE ANY EXTERNAL SCRIPT EAESEAES

适用于 SQL ServerSQL Server (至SQL Server 2016 (13.x)SQL Server 2016 (13.x) 当前版本)。Applies to SQL ServerSQL Server (SQL Server 2016 (13.x)SQL Server 2016 (13.x) through current).
SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE InsertINSERT ININ SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE KILL DATABASE CONNECTIONKILL DATABASE CONNECTION KIDCKIDC

仅适用于 Azure SQL 数据库Azure SQL DatabaseOnly applies to Azure SQL 数据库Azure SQL Database. SQL ServerSQL Server中使用 ALTER ANY CONNECTION。Use ALTER ANY CONNECTION in SQL ServerSQL Server.
SERVERSERVER ALTER ANY CONNECTIONALTER ANY CONNECTION
DATABASEDATABASE REFERENCESREFERENCES RFRF SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE SELECTSELECT SLSL SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE SHOWPLANSHOWPLAN SPLNSPLN SERVERSERVER ALTER TRACEALTER TRACE
DATABASEDATABASE SUBSCRIBE QUERY NOTIFICATIONSSUBSCRIBE QUERY NOTIFICATIONS SUQNSUQN SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE TAKE OWNERSHIPTAKE OWNERSHIP TOTO SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE UNMASKUNMASK UMSKUMSK

适用于 SQL ServerSQL Server (至SQL Server 2016 (13.x)SQL Server 2016 (13.x) 当前版本)和 Azure SQL 数据库Azure SQL DatabaseApplies to SQL ServerSQL Server (SQL Server 2016 (13.x)SQL Server 2016 (13.x) through current), Azure SQL 数据库Azure SQL Database.
SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE UPDATEUPDATE UPUP SERVERSERVER CONTROL SERVERCONTROL SERVER
DATABASEDATABASE VIEW ANY COLUMN ENCRYPTION KEY DEFINITIONVIEW ANY COLUMN ENCRYPTION KEY DEFINITION VWCKVWCK

适用于 SQL ServerSQL Server (至SQL Server 2016 (13.x)SQL Server 2016 (13.x) 当前版本)和 Azure SQL 数据库Azure SQL DatabaseApplies to SQL ServerSQL Server (SQL Server 2016 (13.x)SQL Server 2016 (13.x) through current), Azure SQL 数据库Azure SQL Database.
SERVERSERVER VIEW SERVER STATEVIEW SERVER STATE
DATABASEDATABASE VIEW ANY COLUMN MASTER KEY DEFINITIONVIEW ANY COLUMN MASTER KEY DEFINITION vWCMvWCM

适用于 SQL ServerSQL Server (至SQL Server 2016 (13.x)SQL Server 2016 (13.x) 当前版本)和 Azure SQL 数据库Azure SQL DatabaseApplies to SQL ServerSQL Server (SQL Server 2016 (13.x)SQL Server 2016 (13.x) through current), Azure SQL 数据库Azure SQL Database.
SERVERSERVER VIEW SERVER STATEVIEW SERVER STATE
DATABASEDATABASE VIEW DATABASE STATEVIEW DATABASE STATE VWDSVWDS SERVERSERVER VIEW SERVER STATEVIEW SERVER STATE
DATABASEDATABASE VIEW DEFINITIONVIEW DEFINITION VWVW SERVERSERVER VIEW ANY DEFINITIONVIEW ANY DEFINITION
DATABASE SCOPED CREDENTIALDATABASE SCOPED CREDENTIAL ALTERALTER ALAL DATABASEDATABASE CONTROLCONTROL
DATABASE SCOPED CREDENTIALDATABASE SCOPED CREDENTIAL CONTROLCONTROL CLCL DATABASEDATABASE CONTROLCONTROL
DATABASE SCOPED CREDENTIALDATABASE SCOPED CREDENTIAL REFERENCESREFERENCES RFRF DATABASEDATABASE REFERENCESREFERENCES
DATABASE SCOPED CREDENTIALDATABASE SCOPED CREDENTIAL TAKE OWNERSHIPTAKE OWNERSHIP TOTO DATABASEDATABASE CONTROLCONTROL
DATABASE SCOPED CREDENTIALDATABASE SCOPED CREDENTIAL VIEW DEFINITIONVIEW DEFINITION VWVW DATABASEDATABASE VIEW DEFINITIONVIEW DEFINITION
ENDPOINTENDPOINT ALTERALTER ALAL SERVERSERVER ALTER ANY ENDPOINTALTER ANY ENDPOINT
ENDPOINTENDPOINT CONNECTCONNECT COCO SERVERSERVER CONTROL SERVERCONTROL SERVER
ENDPOINTENDPOINT CONTROLCONTROL CLCL SERVERSERVER CONTROL SERVERCONTROL SERVER
ENDPOINTENDPOINT TAKE OWNERSHIPTAKE OWNERSHIP TOTO SERVERSERVER CONTROL SERVERCONTROL SERVER
ENDPOINTENDPOINT VIEW DEFINITIONVIEW DEFINITION VWVW SERVERSERVER VIEW ANY DEFINITIONVIEW ANY DEFINITION
FULLTEXT CATALOGFULLTEXT CATALOG ALTERALTER ALAL DATABASEDATABASE ALTER ANY FULLTEXT CATALOGALTER ANY FULLTEXT CATALOG
FULLTEXT CATALOGFULLTEXT CATALOG CONTROLCONTROL CLCL DATABASEDATABASE CONTROLCONTROL
FULLTEXT CATALOGFULLTEXT CATALOG REFERENCESREFERENCES RFRF DATABASEDATABASE REFERENCESREFERENCES
FULLTEXT CATALOGFULLTEXT CATALOG TAKE OWNERSHIPTAKE OWNERSHIP TOTO DATABASEDATABASE CONTROLCONTROL
FULLTEXT CATALOGFULLTEXT CATALOG VIEW DEFINITIONVIEW DEFINITION VWVW DATABASEDATABASE VIEW DEFINITIONVIEW DEFINITION
FULLTEXT STOPLISTFULLTEXT STOPLIST ALTERALTER ALAL DATABASEDATABASE ALTER ANY FULLTEXT CATALOGALTER ANY FULLTEXT CATALOG
FULLTEXT STOPLISTFULLTEXT STOPLIST CONTROLCONTROL CLCL DATABASEDATABASE CONTROLCONTROL
FULLTEXT STOPLISTFULLTEXT STOPLIST REFERENCESREFERENCES RFRF DATABASEDATABASE REFERENCESREFERENCES
FULLTEXT STOPLISTFULLTEXT STOPLIST TAKE OWNERSHIPTAKE OWNERSHIP TOTO DATABASEDATABASE CONTROLCONTROL
FULLTEXT STOPLISTFULLTEXT STOPLIST VIEW DEFINITIONVIEW DEFINITION VWVW DATABASEDATABASE VIEW DEFINITIONVIEW DEFINITION
LoginLOGIN ALTERALTER ALAL SERVERSERVER ALTER ANY LOGINALTER ANY LOGIN
LoginLOGIN CONTROLCONTROL CLCL SERVERSERVER CONTROL SERVERCONTROL SERVER
LoginLOGIN IMPERSONATEIMPERSONATE IMIM SERVERSERVER CONTROL SERVERCONTROL SERVER
LoginLOGIN VIEW DEFINITIONVIEW DEFINITION VWVW SERVERSERVER VIEW ANY DEFINITIONVIEW ANY DEFINITION
MESSAGE TYPEMESSAGE TYPE ALTERALTER ALAL DATABASEDATABASE ALTER ANY MESSAGE TYPEALTER ANY MESSAGE TYPE
MESSAGE TYPEMESSAGE TYPE CONTROLCONTROL CLCL DATABASEDATABASE CONTROLCONTROL
MESSAGE TYPEMESSAGE TYPE REFERENCESREFERENCES RFRF DATABASEDATABASE REFERENCESREFERENCES
MESSAGE TYPEMESSAGE TYPE TAKE OWNERSHIPTAKE OWNERSHIP TOTO DATABASEDATABASE CONTROLCONTROL
MESSAGE TYPEMESSAGE TYPE VIEW DEFINITIONVIEW DEFINITION VWVW DATABASEDATABASE VIEW DEFINITIONVIEW DEFINITION
OBJECTOBJECT ALTERALTER ALAL SCHEMASCHEMA ALTERALTER
OBJECTOBJECT CONTROLCONTROL CLCL SCHEMASCHEMA CONTROLCONTROL
OBJECTOBJECT 删除DELETE DLDL SCHEMASCHEMA 删除DELETE
OBJECTOBJECT 在运行 CREATE 语句前执行EXECUTE EXEX SCHEMASCHEMA 在运行 CREATE 语句前执行EXECUTE
OBJECTOBJECT InsertINSERT ININ SCHEMASCHEMA InsertINSERT
OBJECTOBJECT RECEIVERECEIVE RCRC SCHEMASCHEMA CONTROLCONTROL
OBJECTOBJECT REFERENCESREFERENCES RFRF SCHEMASCHEMA REFERENCESREFERENCES
OBJECTOBJECT SELECTSELECT SLSL SCHEMASCHEMA SELECTSELECT
OBJECTOBJECT TAKE OWNERSHIPTAKE OWNERSHIP TOTO SCHEMASCHEMA CONTROLCONTROL
OBJECTOBJECT UPDATEUPDATE UPUP SCHEMASCHEMA UPDATEUPDATE
OBJECTOBJECT VIEW CHANGE TRACKINGVIEW CHANGE TRACKING VWCTVWCT SCHEMASCHEMA VIEW CHANGE TRACKINGVIEW CHANGE TRACKING
OBJECTOBJECT VIEW DEFINITIONVIEW DEFINITION VWVW SCHEMASCHEMA VIEW DEFINITIONVIEW DEFINITION
REMOTE SERVICE BINDINGREMOTE SERVICE BINDING ALTERALTER ALAL DATABASEDATABASE ALTER ANY REMOTE SERVICE BINDINGALTER ANY REMOTE SERVICE BINDING
REMOTE SERVICE BINDINGREMOTE SERVICE BINDING CONTROLCONTROL CLCL DATABASEDATABASE CONTROLCONTROL
REMOTE SERVICE BINDINGREMOTE SERVICE BINDING TAKE OWNERSHIPTAKE OWNERSHIP TOTO DATABASEDATABASE CONTROLCONTROL
REMOTE SERVICE BINDINGREMOTE SERVICE BINDING VIEW DEFINITIONVIEW DEFINITION VWVW DATABASEDATABASE VIEW DEFINITIONVIEW DEFINITION
ROLEROLE ALTERALTER ALAL DATABASEDATABASE ALTER ANY ROLEALTER ANY ROLE
ROLEROLE CONTROLCONTROL CLCL DATABASEDATABASE CONTROLCONTROL
ROLEROLE TAKE OWNERSHIPTAKE OWNERSHIP TOTO DATABASEDATABASE CONTROLCONTROL
ROLEROLE VIEW DEFINITIONVIEW DEFINITION VWVW DATABASEDATABASE VIEW DEFINITIONVIEW DEFINITION
ROUTEROUTE ALTERALTER ALAL DATABASEDATABASE ALTER ANY ROUTEALTER ANY ROUTE
ROUTEROUTE CONTROLCONTROL CLCL DATABASEDATABASE CONTROLCONTROL
ROUTEROUTE TAKE OWNERSHIPTAKE OWNERSHIP TOTO DATABASEDATABASE CONTROLCONTROL
ROUTEROUTE VIEW DEFINITIONVIEW DEFINITION VWVW DATABASEDATABASE VIEW DEFINITIONVIEW DEFINITION
SEARCH PROPERTY LISTSEARCH PROPERTY LIST ALTERALTER ALAL SERVERSERVER ALTER ANY FULLTEXT CATALOGALTER ANY FULLTEXT CATALOG
SEARCH PROPERTY LISTSEARCH PROPERTY LIST CONTROLCONTROL CLCL SERVERSERVER CONTROLCONTROL
SEARCH PROPERTY LISTSEARCH PROPERTY LIST REFERENCESREFERENCES RFRF SERVERSERVER REFERENCESREFERENCES
SEARCH PROPERTY LISTSEARCH PROPERTY LIST TAKE OWNERSHIPTAKE OWNERSHIP TOTO SERVERSERVER CONTROLCONTROL
SEARCH PROPERTY LISTSEARCH PROPERTY LIST VIEW DEFINITIONVIEW DEFINITION VWVW SERVERSERVER VIEW DEFINITIONVIEW DEFINITION
SCHEMASCHEMA ALTERALTER ALAL DATABASEDATABASE ALTER ANY SCHEMAALTER ANY SCHEMA
SCHEMASCHEMA CONTROLCONTROL CLCL DATABASEDATABASE CONTROLCONTROL
SCHEMASCHEMA CREATE SEQUENCECREATE SEQUENCE CRSOCRSO DATABASEDATABASE CONTROLCONTROL
SCHEMASCHEMA 删除DELETE DLDL DATABASEDATABASE 删除DELETE
SCHEMASCHEMA 在运行 CREATE 语句前执行EXECUTE EXEX DATABASEDATABASE 在运行 CREATE 语句前执行EXECUTE
SCHEMASCHEMA InsertINSERT ININ DATABASEDATABASE InsertINSERT
SCHEMASCHEMA REFERENCESREFERENCES RFRF DATABASEDATABASE REFERENCESREFERENCES
SCHEMASCHEMA SELECTSELECT SLSL DATABASEDATABASE SELECTSELECT
SCHEMASCHEMA TAKE OWNERSHIPTAKE OWNERSHIP TOTO DATABASEDATABASE CONTROLCONTROL
SCHEMASCHEMA UPDATEUPDATE UPUP DATABASEDATABASE UPDATEUPDATE
SCHEMASCHEMA VIEW CHANGE TRACKINGVIEW CHANGE TRACKING VWCTVWCT DATABASEDATABASE VIEW CHANGE TRACKINGVIEW CHANGE TRACKING
SCHEMASCHEMA VIEW DEFINITIONVIEW DEFINITION VWVW DATABASEDATABASE VIEW DEFINITIONVIEW DEFINITION
SERVERSERVER ADMINISTER BULK OPERATIONSADMINISTER BULK OPERATIONS ADBOADBO 不适用Not applicable 不适用Not applicable
SERVERSERVER ALTER ANY AVAILABILITY GROUPALTER ANY AVAILABILITY GROUP ALAGALAG 不适用Not applicable 不适用Not applicable
SERVERSERVER ALTER ANY CONNECTIONALTER ANY CONNECTION ALCOALCO 不适用Not applicable 不适用Not applicable
SERVERSERVER ALTER ANY CREDENTIALALTER ANY CREDENTIAL ALCDALCD 不适用Not applicable 不适用Not applicable
SERVERSERVER ALTER ANY DATABASEALTER ANY DATABASE ALDBALDB 不适用Not applicable 不适用Not applicable
SERVERSERVER ALTER ANY ENDPOINTALTER ANY ENDPOINT ALHEALHE 不适用Not applicable 不适用Not applicable
SERVERSERVER ALTER ANY EVENT NOTIFICATIONALTER ANY EVENT NOTIFICATION ALESALES 不适用Not applicable 不适用Not applicable
SERVERSERVER ALTER ANY EVENT SESSIONALTER ANY EVENT SESSION AAESAAES 不适用Not applicable 不适用Not applicable
SERVERSERVER ALTER ANY LINKED SERVERALTER ANY LINKED SERVER ALLSALLS 不适用Not applicable 不适用Not applicable
SERVERSERVER ALTER ANY LOGINALTER ANY LOGIN ALLGALLG 不适用Not applicable 不适用Not applicable
SERVERSERVER ALTER ANY SERVER AUDITALTER ANY SERVER AUDIT ALAAALAA 不适用Not applicable 不适用Not applicable
SERVERSERVER ALTER ANY SERVER ROLEALTER ANY SERVER ROLE ALSRALSR 不适用Not applicable 不适用Not applicable
SERVERSERVER ALTER RESOURCESALTER RESOURCES ALRSALRS 不适用Not applicable 不适用Not applicable
SERVERSERVER ALTER SERVER STATEALTER SERVER STATE ALSSALSS 不适用Not applicable 不适用Not applicable
SERVERSERVER ALTER SETTINGSALTER SETTINGS ALSTALST 不适用Not applicable 不适用Not applicable
SERVERSERVER ALTER TRACEALTER TRACE ALTRALTR 不适用Not applicable 不适用Not applicable
SERVERSERVER AUTHENTICATE SERVERAUTHENTICATE SERVER AUTHAUTH 不适用Not applicable 不适用Not applicable
SERVERSERVER CONNECT ANY DATABASECONNECT ANY DATABASE CADBCADB 不适用Not applicable 不适用Not applicable
SERVERSERVER CONNECT SQLCONNECT SQL COSQCOSQ 不适用Not applicable 不适用Not applicable
SERVERSERVER CONTROL SERVERCONTROL SERVER CLCL 不适用Not applicable 不适用Not applicable
SERVERSERVER CREATE ANY DATABASECREATE ANY DATABASE CRDBCRDB 不适用Not applicable 不适用Not applicable
SERVERSERVER CREATE AVAILABILITY GROUPCREATE AVAILABILITY GROUP CRACCRAC 不适用Not applicable 不适用Not applicable
SERVERSERVER CREATE DDL EVENT NOTIFICATIONCREATE DDL EVENT NOTIFICATION CRDECRDE 不适用Not applicable 不适用Not applicable
SERVERSERVER CREATE ENDPOINTCREATE ENDPOINT CRHECRHE 不适用Not applicable 不适用Not applicable
SERVERSERVER CREATE SERVER ROLECREATE SERVER ROLE CRSRCRSR 不适用Not applicable 不适用Not applicable
SERVERSERVER CREATE TRACE EVENT NOTIFICATIONCREATE TRACE EVENT NOTIFICATION CRTECRTE 不适用Not applicable 不适用Not applicable
SERVERSERVER EXTERNAL ACCESS ASSEMBLYEXTERNAL ACCESS ASSEMBLY XAXA 不适用Not applicable 不适用Not applicable
SERVERSERVER IMPERSONATE ANY LOGINIMPERSONATE ANY LOGIN IALIAL 不适用Not applicable 不适用Not applicable
SERVERSERVER SELECT ALL USER SECURABLESSELECT ALL USER SECURABLES SUSSUS 不适用Not applicable 不适用Not applicable
SERVERSERVER SHUTDOWNSHUTDOWN SHDNSHDN 不适用Not applicable 不适用Not applicable
SERVERSERVER UNSAFE ASSEMBLYUNSAFE ASSEMBLY XUXU 不适用Not applicable 不适用Not applicable
SERVERSERVER VIEW ANY DATABASEVIEW ANY DATABASE VWDBVWDB 不适用Not applicable 不适用Not applicable
SERVERSERVER VIEW ANY DEFINITIONVIEW ANY DEFINITION VWADVWAD 不适用Not applicable 不适用Not applicable
SERVERSERVER VIEW SERVER STATEVIEW SERVER STATE VWSSVWSS 不适用Not applicable 不适用Not applicable
SERVER ROLESERVER ROLE ALTERALTER ALAL SERVERSERVER ALTER ANY SERVER ROLEALTER ANY SERVER ROLE
SERVER ROLESERVER ROLE CONTROLCONTROL CLCL SERVERSERVER CONTROL SERVERCONTROL SERVER
SERVER ROLESERVER ROLE TAKE OWNERSHIPTAKE OWNERSHIP TOTO SERVERSERVER CONTROL SERVERCONTROL SERVER
SERVER ROLESERVER ROLE VIEW DEFINITIONVIEW DEFINITION VWVW SERVERSERVER VIEW ANY DEFINITIONVIEW ANY DEFINITION
SERVICESERVICE ALTERALTER ALAL DATABASEDATABASE ALTER ANY SERVICEALTER ANY SERVICE
SERVICESERVICE CONTROLCONTROL CLCL DATABASEDATABASE CONTROLCONTROL
SERVICESERVICE SENDSEND SNSN DATABASEDATABASE CONTROLCONTROL
SERVICESERVICE TAKE OWNERSHIPTAKE OWNERSHIP TOTO DATABASEDATABASE CONTROLCONTROL
SERVICESERVICE VIEW DEFINITIONVIEW DEFINITION VWVW DATABASEDATABASE VIEW DEFINITIONVIEW DEFINITION
SYMMETRIC KEYSYMMETRIC KEY ALTERALTER ALAL DATABASEDATABASE ALTER ANY SYMMETRIC KEYALTER ANY SYMMETRIC KEY
SYMMETRIC KEYSYMMETRIC KEY CONTROLCONTROL CLCL DATABASEDATABASE CONTROLCONTROL
SYMMETRIC KEYSYMMETRIC KEY REFERENCESREFERENCES RFRF DATABASEDATABASE REFERENCESREFERENCES
SYMMETRIC KEYSYMMETRIC KEY TAKE OWNERSHIPTAKE OWNERSHIP TOTO DATABASEDATABASE CONTROLCONTROL
SYMMETRIC KEYSYMMETRIC KEY VIEW DEFINITIONVIEW DEFINITION VWVW DATABASEDATABASE VIEW DEFINITIONVIEW DEFINITION
TYPETYPE CONTROLCONTROL CLCL SCHEMASCHEMA CONTROLCONTROL
TYPETYPE 在运行 CREATE 语句前执行EXECUTE EXEX SCHEMASCHEMA 在运行 CREATE 语句前执行EXECUTE
TYPETYPE REFERENCESREFERENCES RFRF SCHEMASCHEMA REFERENCESREFERENCES
TYPETYPE TAKE OWNERSHIPTAKE OWNERSHIP TOTO SCHEMASCHEMA CONTROLCONTROL
TYPETYPE VIEW DEFINITIONVIEW DEFINITION VWVW SCHEMASCHEMA VIEW DEFINITIONVIEW DEFINITION
UserUSER ALTERALTER ALAL DATABASEDATABASE ALTER ANY USERALTER ANY USER
UserUSER CONTROLCONTROL CLCL DATABASEDATABASE CONTROLCONTROL
UserUSER IMPERSONATEIMPERSONATE IMIM DATABASEDATABASE CONTROLCONTROL
UserUSER VIEW DEFINITIONVIEW DEFINITION VWVW DATABASEDATABASE VIEW DEFINITIONVIEW DEFINITION
XML SCHEMA COLLECTIONXML SCHEMA COLLECTION ALTERALTER ALAL SCHEMASCHEMA ALTERALTER
XML SCHEMA COLLECTIONXML SCHEMA COLLECTION CONTROLCONTROL CLCL SCHEMASCHEMA CONTROLCONTROL
XML SCHEMA COLLECTIONXML SCHEMA COLLECTION 在运行 CREATE 语句前执行EXECUTE EXEX SCHEMASCHEMA 在运行 CREATE 语句前执行EXECUTE
XML SCHEMA COLLECTIONXML SCHEMA COLLECTION REFERENCESREFERENCES RFRF SCHEMASCHEMA REFERENCESREFERENCES
XML SCHEMA COLLECTIONXML SCHEMA COLLECTION TAKE OWNERSHIPTAKE OWNERSHIP TOTO SCHEMASCHEMA CONTROLCONTROL
XML SCHEMA COLLECTIONXML SCHEMA COLLECTION VIEW DEFINITIONVIEW DEFINITION VWVW SCHEMASCHEMA VIEW DEFINITIONVIEW DEFINITION

权限检查算法摘要Summary of the Permission Check Algorithm

检查权限可能很复杂。Checking permissions can be complex. 权限检查算法包括重叠的组成员关系和所有权链接、显式和隐式权限,并且会受包含安全实体的安全类的权限影响。The permission check algorithm includes overlapping group memberships and ownership chaining, both explicit and implicit permission, and can be affected by the permissions on securable classes that contain the securable entity. 该算法的一般过程是收集所有相关权限。The general process of the algorithm is to collect all the relevant permissions. 如果未找到阻止性 DENY,该算法将搜索提供足够访问权限的 GRANT。If no blocking DENY is found, the algorithm searches for a GRANT that provides sufficient access. 该算法包含三个基本元素: 安全上下文权限空间必需的权限The algorithm contains three essential elements, the security context, the permission space, and the required permission.

备注

无法对 sa、dbo、实体所有者、information_schema、sys 或您自己授予、拒绝或撤消权限。You cannot grant, deny, or revoke permissions to sa, dbo, the entity owner, information_schema, sys, or yourself.

  • 安全上下文Security context

    这是提供进行访问权限检查的权限的一组主体。This is the group of principals that contribute permissions to the access check. 这些是与当前登录名或用户有关的权限,除非使用 EXECUTE AS 语句将安全上下文更改为其他登录名或用户。These are permissions that are related to the current login or user, unless the security context was changed to another login or user by using the EXECUTE AS statement. 安全上下文包括以下主体:The security context includes the following principals:

    • 登录名The login

    • 用户The user

    • 角色成员资格Role memberships

    • Windows 组成员身份Windows group memberships

    • 如果使用模块签名,则指证书的任何登录名或用户帐户(该证书用于对用户当前正在执行的模块进行签名),以及该主体的相关角色成员资格。If module signing is being used, any login or user account for the certificate used to sign the module that the user is currently executing, and the associated role memberships of that principal.

  • 权限空间Permission space

    这是安全实体和所有包含安全实体的安全类。This is the securable entity and any securable classes that contain the securable. 例如,表(安全实体)包含在架构安全类和数据库安全类中。For example, a table (a securable entity) is contained by the schema securable class and by the database securable class. 访问权限会受表级、架构级、数据库级和服务器级权限影响。Access can be affected by table-, schema-, database-, and server-level permissions. 有关详细信息,请参阅权限层次结构(数据库引擎)For more information, see Permissions Hierarchy (Database Engine).

  • 必需的权限Required permission

    必需的权限种类。The kind of permission that is required. 例如,INSERT、UPDATE、DELETE、SELECT、EXECUTE、ALTER、CONTROL 等等。For example, INSERT, UPDATE, DELETE, SELECT, EXECUTE, ALTER, CONTROL, and so on.

    访问可能需要多个权限,如下面的示例中所示:Access can require multiple permissions, as in the following examples:

    • 存储过程可能既需要针对存储过程的 EXECUTE 权限,也需要针对该存储过程引用的每个表的 INSERT 权限。A stored procedure can require both EXECUTE permission on the stored procedure and INSERT permission on several tables that are referenced by the stored procedure.

    • 动态管理视图可能同时需要针对该视图的 VIEW SERVER STATE 和 SELECT 权限。A dynamic management view can require both VIEW SERVER STATE and SELECT permission on the view.

算法的通用步骤General Steps of the Algorithm

算法确定是否允许访问某个安全对象时,使用的具体步骤可能会变化,这取决于涉及的主体和安全对象。When the algorithm is determining whether to allow access to a securable, the precise steps that it uses can vary, depending on the principals and the securables that are involved. 但是,算法会执行以下通用步骤:However, the algorithm performs the following general steps:

  1. 如果登录名是 sysadmin 固定服务器角色的成员或用户是当前数据库中的 dbo 用户,则绕过权限检查。Bypass the permission check if the login is a member of the sysadmin fixed server role or if the user is the dbo user in the current database.

  2. 如果所有权链接适用且以前针对链中对象的访问权限检查通过了安全检查,则允许访问。Allow access if ownership chaining is applicable and the access check on the object earlier in the chain passed the security check.

  3. 聚合与调用方关联的服务器级、数据库级和已签名模块的标识,以创建 安全上下文Aggregate the server-level, database-level, and signed-module identities that are associated with the caller to create the security context.

  4. 对于该 安全上下文,收集为 权限空间授予或拒绝的所有权限。For that security context, collect all the permissions that are granted or denied for the permission space. 权限可以明确表述为 GRANT、GRANT WITH GRANT 或 DENY,也可以是隐含或涵盖的权限 GRANT 或 DENY。The permission can be explicitly stated as a GRANT, GRANT WITH GRANT, or DENY; or the permissions can be an implied or covering permission GRANT or DENY. 例如,针对架构的 CONTROL 权限隐含对表的 CONTROL,For example, CONTROL permission on a schema implies CONTROL on a table. 对表的 CONTROL 则隐含 SELECT。And CONTROL on a table implies SELECT. 因此,如果授予了针对架构的 CONTROL 权限,也就授予了对表的 SELECT 权限。Therefore, if CONTROL on the schema was granted, SELECT on the table is granted. 如果拒绝了对表的 CONTROL 权限,也就拒绝了对表的 SELECT 权限。If CONTROL was denied on the table, SELECT on the table is denied.

    备注

    列级权限的 GRANT 覆盖对象级的 DENY。A GRANT of a column-level permission overrides a DENY at the object level.

  5. 标识 必需的权限Identify the required permission.

  6. 如果对于 权限空间 中的对象,直接或隐式拒绝授予 安全上下文 中任何标识 必需的权限,则权限检查失败。Fail the permission check if the required permission is directly or implicitly denied to any of the identities in the security context for the objects in the permission space.

  7. 如果对于 权限空间 中的任何对象,没有拒绝 必需的权限必需的权限 包含对 安全上下文中任何标识直接或隐式的 GRANT 或 GRANT WITH GRANT 权限,则通过权限检查。Pass the permission check if the required permission was not denied and the required permission contains a GRANT or a GRANT WITH GRANT permission either directly or implicitly to any of the identities in the security context for any object in the permission space.

列级权限的特殊注意事项Special considerations for column level permissions

授予列级权限语法 <table_name>(<column _name>)Column level permissions are granted with the syntax <table_name>(<column _name>). 例如:For example:

GRANT SELECT ON OBJECT::Customer(CustomerName) TO UserJoe;

表上的 DENY 被列中的 GRANT 替代。A DENY on the table is overridden by a GRANT on a column. 但是,表上的后续 DENY 将删除 GRANT 列。However, a subsequent DENY on the table will remove the column GRANT.

示例Examples

本节中的以下示例说明如何检索权限信息。The examples in this section show how to retrieve permissions information.

A.A. 返回可授予权限的完整列表Returning the complete list of grantable permissions

下列语句使用 数据库引擎Database Engine 函数返回所有 fn_builtin_permissions 权限。The following statement returns all 数据库引擎Database Engine permission by using the fn_builtin_permissions function. 有关详细信息,请参阅 sys.fn_builtin_permissions (Transact-SQL)For more information, see sys.fn_builtin_permissions (Transact-SQL).

SELECT * FROM fn_builtin_permissions(default);  
GO  

B.B. 返回针对某类对象的权限Returning the permissions on a particular class of objects

下面的示例使用 fn_builtin_permissions 查看可用于安全对象类别的所有权限。The following example uses fn_builtin_permissions to view all the permissions that are available for a category of securable. 此示例将返回对程序集的权限。The example returns permissions on assemblies.

SELECT * FROM fn_builtin_permissions('assembly');  
GO    

C.C. 返回授予对象的执行主体的权限Returning the permissions granted to the executing principal on an object

以下示例使用 fn_my_permissions 返回指定安全对象的调用主体所具有的有效权限列表。The following example uses fn_my_permissions to return a list of the effective permissions that are held by the calling principal on a specified securable. 此示例将返回对名为 Orders55 的对象的权限。The example returns permissions on an object named Orders55. 有关详细信息,请参阅 sys.fn_my_permissions (Transact-SQL)For more information, see sys.fn_my_permissions (Transact-SQL).

SELECT * FROM fn_my_permissions('Orders55', 'object');  
GO  

D.D. 返回适用于指定对象的权限Returning the permissions applicable to a specified object

以下示例将返回适用于名为 Yttrium的对象的权限。The following example returns permissions applicable to an object called Yttrium. 请注意,使用了内置函数 OBJECT_ID 来检索对象 Yttrium的 ID。Notice that the built-in function OBJECT_ID is used to retrieve the ID of object Yttrium.

SELECT * FROM sys.database_permissions   
    WHERE major_id = OBJECT_ID('Yttrium');  
GO  

另请参阅See Also

权限层次结构(数据库引擎) Permissions Hierarchy (Database Engine)
sys.database_permissions (Transact-SQL)sys.database_permissions (Transact-SQL)