| title | Permissions Hierarchy (Database Engine) | ||||||
|---|---|---|---|---|---|---|---|
| description | Learn about the hierarchy of entities that can be secured with permissions, known as securables, in SQL Server Database Engine. | ||||||
| author | VanMSFT | ||||||
| ms.author | vanto | ||||||
| ms.date | 02/27/2026 | ||||||
| ms.service | sql | ||||||
| ms.subservice | security | ||||||
| ms.topic | concept-article | ||||||
| ms.custom |
|
||||||
| f1_keywords |
|
||||||
| helpviewer_keywords |
|
||||||
| monikerRange | >=aps-pdw-2016 || =azuresqldb-current || =azure-sqldw-latest || >=sql-server-2016 || >=sql-server-linux-2017 || =azuresqldb-mi-current || =fabric-sqldb |
[!INCLUDE SQL Server Azure SQL Database Synapse Analytics PDW FabricSQLDB]
The [!INCLUDEssDE] manages a hierarchical collection of entities that can be secured with permissions. These entities are known as securables. The most prominent securables are servers and databases, but discrete permissions can be set at a much finer level. [!INCLUDEssNoVersion] regulates the actions of principals on securables by verifying that they've been granted appropriate permissions.
The following illustration shows the relationships among the [!INCLUDEssDE] permissions hierarchies.
The permissions system works the same in all versions of [!INCLUDEssNoVersion], [!INCLUDEssSDS], [!INCLUDE fabric-sqldb], [!INCLUDEssazuresynapse-md], [!INCLUDEssAPS], however some features aren't available in all versions. For example, server-level permission can't be configured in Azure products.
For a poster sized chart of all [!INCLUDE ssDE] permissions in PDF format, see https://aka.ms/sql-permissions-poster.
You can manipulate permissions with the familiar [!INCLUDEtsql] queries GRANT, DENY, and REVOKE. Information about permissions is visible in the sys.server_permissions and sys.database_permissions catalog views. There's also support for querying permissions information by using built-in functions.
For information about designing a permissions system, see Getting Started with Database Engine Permissions.
- Securing SQL Server
- Permissions (Database Engine)
- Securables
- Principals (Database Engine)
- GRANT (Transact-SQL)
- REVOKE (Transact-SQL)
- DENY (Transact-SQL)
- HAS_PERMS_BY_NAME (Transact-SQL)
- sys.fn_builtin_permissions (Transact-SQL)
- sys.server_permissions (Transact-SQL)
- sys.database_permissions (Transact-SQL)