Securables Permissions

The database user can be granted granular permission to specific securable objects using the Securables page of the Database Role Properties form, as shown in Figure 33.1.

Figure 33.1 The Securables page is used to grant specific permission to individual objects.

The permissions that can be granted depend on the type of object. Even databases and servers are included as a securable object, which presents several database-specific permissions.

Here is why servers need to be a securable themselves. Having server control is effectively the same as being a member of sysadmin. But if you're auditing only for membership in the sysadmin role and you're not auditing for server-level permissions, you'll never catch when a login is granted such rights. As a result, this is a prime way that attackers would seek to secure elevated access to SQL Server and attempt to keep their tracks a bit more hidden.

Unless you have a compelling reason to manage the permissions on an individual-statement level as with CREATE LOGIN or CREATE USER, it's easier to manage the database administrative tasks using the fixed database roles.

The grant, revoke, and deny commands are detailed in the next section.