A new feature to SQL Server 2012 is the ability to create user defined server roles and assign server level/scope permissions to these roles. DBA’s have always had the ability to create user defined database roles which act as a security layer at the database level, but we’ve never been able to create roles at the server level until SQL Server 2012.
In this post I will show you how to create user defined server roles using T-SQL and SQL Server Management Studio.
What Permissions Can Be Assigned
First, to view the list of permissions that can be assigned to a user defined server role run the following query:
USE master
GO
SELECT * FROM sys.fn_builtin_permissions(DEFAULT)
WHERE class_desc IN ('ENDPOINT','LOGIN','SERVER','AVAILABILITY GROUP','SERVER ROLE')
ORDER BY class_desc, permission_name
GO
Create a Server Role in T-SQL
To create a server role called “juniordba” use the following:
USE master GO CREATE SERVER ROLE juniordba
Next we will create a login called Brady and then add it to the new juniordba role that was created:
USE master GO ALTER SERVER ROLE juniordba ADD MEMBER Brady
We haven’t added any permissions to the server role, so Brady shouldn’t have access. To test this we can login as Brady and run the following query:
SELECT * FROM sys.dm_exec_connections
As you can see we get the following error message:
Msg 297, Level 16, State 1, Line 1 The user does not have permission to perform this action.