Configure permissions by using custom roles
In this we will learn how to configure permissions by using custom roles.
Create a new database role in the current database.
Syntax
syntaxsql
CREATE ROLE role_name [ AUTHORIZATION owner_name ]
Arguments
role_name
Is the name of the role to be created.
AUTHORIZATION owner_name
Is the database user or role that is to own the new role. However, if no user is specified. Then, the user that executes CREATE ROLE owns the role. Further, the owner of the role, or any member of an owning role can add or remove members of the role.
Remarks
Roles are database-level securables. After you create a role, configure the database-level permissions of the role by using GRANT, DENY, and REVOKE. However, to add members to a database role, use ALTER ROLE (Transact-SQL). Further, database roles are visible in the sys.database_role_members and sys.database_principals catalog views.
Permissions
Requires CREATE ROLE permission on the database or membership in the db_securityadmin fixed database role. However, when you use the AUTHORIZATION option, the following permissions are also necessary:
- Firstly, to assign ownership of a role to another user, requires IMPERSONATE permission on that user.
- Secondly, to assign ownership of a role to another role, requires membership in the recipient role or ALTER permission on that role.
- Lastly, to assign ownership of a role to an application role, requires ALTER permission on the application role.
Examples
The following examples all use the AdventureWorks database.
A. Creating a database role that database user owns
The following example creates the database role buyers that is owned by user BenMiller.
SQL
CREATE ROLE buyers AUTHORIZATION BenMiller;
GO
B. Creating a database role that fixed database role owns
The following example creates the database role auditors that is owned the db_securityadmin fixed database role.
SQL
CREATE ROLE auditors AUTHORIZATION db_securityadmin;
GO
Reference: Microsoft Documentation