Fixed Database Roles Cheat-Sheet

Fixed Database Roles Cheat-Sheet

1. db_owner

Full control of the database (create/alter/drop objects, manage permissions, backup/restore, etc.).

Equivalent to being a “database admin.”

Use when: You want someone to manage everything in just one DB.

—————

2. db_datareader

Can read all tables and views in the database.

Cannot modify data.

Use when: You need read-only/reporting access.

—————

3. db_datawriter

Can insert, update, delete data in all tables and views.

Cannot create or drop schema objects.

Use when: You need someone to edit content but not change structure.

—————

4. db_ddladmin

Can run any DDL (Data Definition Language) commands: create/alter/drop tables, views, stored procs, etc.

Cannot manage permissions or backup/restore.

Use when: A developer needs to change schema but shouldn’t control everything.

—————

5. db_securityadmin

Can manage role membership and permissions inside the database.

Use with caution — they could escalate themselves or others to higher roles.

Use when: You want someone to manage who can do what inside that DB.

—————

6. db_accessadmin

Can add/remove users for the database.

No other permissions by default.

Use when: A team lead should control who has access, without full DBA rights.

—————

7. db_backupoperator

Can run BACKUP commands for the database.

Cannot restore.

Use when: You want delegated backup responsibility without full control.

—————

8. db_denydatareader / db_denydatawriter

Explicitly deny read or write permissions.

Overrides other roles.

Use when: You want to enforce “no read” or “no write” rules for a specific user.

—————

Quick Takeaway

For full DB admin db_owner.

For developers db_ddladmin + db_datareader/db_datawriter.

For reporting db_datareader.

For content editors db_datawriter.

For access management db_accessadmin or db_securityadmin.

—————

📝 T-SQL Commands for Role Management

Add a login to a database and assign role

USE MyDatabase;
CREATE USER [MyUser] FOR LOGIN [MyLogin];
EXEC sp_addrolemember 'db_owner', 'MyUser';

Add to another role (example: db_datareader)

USE MyDatabase;
EXEC sp_addrolemember 'db_datareader', 'MyUser';

Remove from a role

USE MyDatabase;
EXEC sp_droprolemember 'db_datareader', 'MyUser';

View all roles for a user

USE MyDatabase;
EXEC sp_helprolemember;

—————

    • Related Articles

    • Restore a SQL Server Database from a .bak using SSMS (GUI)

      This guide shows how to restore a .bak file into SQL Server 2022 or SQL Server Express using SQL Server Management Studio (SSMS) only. No T-SQL required. Prerequisites • SSMS installed and you can connect as a login with restore rights. • The .bak ...

    • SQL Server Restore Troubleshooting (SSMS GUI)

      This guide lists common restore errors you may see when importing a .bak in SQL Server Management Studio and how to resolve them. Focus is on GUI-based fixes, with small T-SQL snippets where helpful. Quick checklist • Confirm the .bak is on the SQL ...

    • Create a Self-Signed Certificate for an IIS Website on Windows Server 2025

      This guide shows the GUI method in IIS Manager and the PowerShell method. It also covers binding the certificate to a site and optional export. GUI method in IIS Manager 1) Open IIS Manager (inetmgr). 2) In the Connections pane, click your server ...

    • Create a New IIS Website on Windows Server 2025

      This guide covers recommended layout, IIS steps, and a PowerShell script to automate setup. Best practice folder layout • Create one folder per site outside wwwroot. • Example: – C:\inetpub\MyNewSite Step by step in IIS Manager GUI 1) Create the site ...

    • Popular Articles

    • How to add your Microsoft 365 Email on an iPhone using the Outlook app

      How to Set Up Microsoft 365 Email on Your iPhone Using Outlook This guide will walk you through downloading the Outlook app and adding your Microsoft 365 email account on your iPhone. ————— Step 1: Download the Outlook App 1. Open the App Store on ...

    • Outlook Error "5objp" when setting up email on Outlook App

      Follow these steps if you are having trouble signing into Outlook with your Microsoft 365 account: ————— Step 1: Start with the onmicrosoft.com Address • First, try signing in using the @myorg.onmicrosoft.com format email address. – Example: ...

    • How to update your credit card on file

      Do you need to update your credit card on file within the Twilight I.T. Customer Portal? Here is what you need to do... Step 1: Log into the portal at https://portal.twilightit.com Step 2: Click on BILLING in the top menu. Step 3: Click on PAYMENT ...

    • How to view or download invoices on your account

      Here is the process of viewing and/or downloading invoices on your account with Twilight I.T. Step 1: Log into the client portal at https://portal.twilightit.com Step 2: Click on the BILLING menu Step 3: From here you can view all your invoices. If ...

    • How to add your Microsoft 365 Email on an Android phone using the Outlook app

      How to Set Up Microsoft 365 Email on Your Android Phone Using Outlook This guide will walk you through downloading the Outlook app and adding your Microsoft 365 email account on your Android device. ————— Step 1: Download the Outlook App 1. Open the ...