sys.fn_builtin_permissions (Transact-SQL)
Returns a description of the built in permissions hierarchy of the server.
.gif "Topic link icon")
Syntax
sys.fn_builtin_permissions ( [ DEFAULT | NULL ]
| empty_string | '<securable_class>' } )
<securable_class> ::=
APPLICATION ROLE | ASSEMBLY | ASYMMETRIC KEY
| CERTIFICATE | CONTRACT | DATABASE | ENDPOINT | FULLTEXT CATALOG
| LOGIN | MESSAGE TYPE | OBJECT | REMOTE SERVICE BINDING | ROLE
| ROUTE | SCHEMA | SERVER | SERVICE | SYMMETRIC KEY | TYPE
| USER | XML SCHEMA COLLECTION
Arguments
DEFAULT
When it is called with the DEFAULT option, the function will return a complete list of built in permissions.NULL
Equivalent to DEFAULT.empty_string
Equivalent to DEFAULT.'<securable_class>'
When it is called with the name of one securable class, sys.fn_builtin_permissions returns all permissions that apply to the class. <securable_class> is a string literal that requires quotation marks. nvarchar(60)
Tables Returned
Column name |
Data type |
Collation |
Description |
|---|---|---|---|
class_desc |
nvarchar(60) |
Collation of the server |
Description of the securable class. |
permission_name |
sysname |
Collation of the server |
Permission name. |
type |
char(4) |
Collation of the server |
Compact permission type code. See the table that follows. |
covering_permission_name |
sysname |
Collation of the server |
If not NULL, this is the name of the permission on this class that implies the other permissions on this class. |
parent_class_desc |
nvarchar(60) |
Collation of the server |
If not NULL, this is the name of the parent class that contains the current class. |
parent_covering_permission_name |
sysname |
Collation of the server |
If not NULL, this is the name of the permission on the parent class that implies all other permissions on that class. |
Compact Permission Types
Permission type |
Permission name |
Applies to securable or class |
|---|---|---|
ADBO |
ADMINISTER BULK OPERATIONS |
SERVER |
AL |
ALTER |
APPLICATION ROLE |
AL |
ALTER |
ASSEMBLY |
AL |
ALTER |
ASYMMETRIC KEY |
AL |
ALTER |
CERTIFICATE |
AL |
ALTER |
CONTRACT |
AL |
ALTER |
DATABASE |
AL |
ALTER |
ENDPOINT |
AL |
ALTER |
FULLTEXT CATALOG |
AL |
ALTER |
FULLTEXT STOPLIST |
AL |
ALTER |
LOGIN |
AL |
ALTER |
MESSAGE TYPE |
AL |
ALTER |
OBJECT |
AL |
ALTER |
REMOTE SERVICE BINDING |
AL |
ALTER |
ROLE |
AL |
ALTER |
ROUTE |
AL |
ALTER |
SCHEMA |
AL |
ALTER |
SERVICE |
AL |
ALTER |
SYMMETRIC KEY |
AL |
ALTER |
USER |
AL |
ALTER |
XML SCHEMA COLLECTION |
ALAA |
ALTER ANY SERVER AUDIT |
SERVER |
ALAK |
ALTER ANY ASYMMETRIC KEY |
DATABASE |
ALAR |
ALTER ANY APPLICATION ROLE |
DATABASE |
ALAS |
ALTER ANY ASSEMBLY |
DATABASE |
ALCD |
ALTER ANY CREDENTIAL |
SERVER |
ALCF |
ALTER ANY CERTIFICATE |
DATABASE |
ALCO |
ALTER ANY CONNECTION |
SERVER |
ALDA |
ALTER ANY DATABASE AUDIT |
DATABASE |
ALDB |
ALTER ANY DATABASE |
SERVER |
ALDS |
ALTER ANY DATASPACE |
DATABASE |
ALED |
ALTER ANY DATABASE EVENT NOTIFICATION |
DATABASE |
ALES |
ALTER ANY EVENT NOTIFICATION |
SERVER |
ALFT |
ALTER ANY FULLTEXT CATALOG |
DATABASE |
ALHE |
ALTER ANY ENDPOINT |
SERVER |
ALLG |
ALTER ANY LOGIN |
SERVER |
ALLS |
ALTER ANY LINKED SERVER |
SERVER |
ALMT |
ALTER ANY MESSAGE TYPE |
DATABASE |
ALRL |
ALTER ANY ROLE |
DATABASE |
ALRS |
ALTER RESOURCES |
SERVER |
ALRT |
ALTER ANY ROUTE |
DATABASE |
ALSB |
ALTER ANY REMOTE SERVICE BINDING |
DATABASE |
ALSC |
ALTER ANY CONTRACT |
DATABASE |
ALSK |
ALTER ANY SYMMETRIC KEY |
DATABASE |
ALSM |
ALTER ANY SCHEMA |
DATABASE |
ALSS |
ALTER SERVER STATE |
SERVER |
ALST |
ALTER SETTINGS |
SERVER |
ALSV |
ALTER ANY SERVICE |
DATABASE |
ALTG |
ALTER ANY DATABASE DDL TRIGGER |
DATABASE |
ALTR |
ALTER TRACE |
SERVER |
ALUS |
ALTER ANY USER |
DATABASE |
AUTH |
AUTHENTICATE |
DATABASE |
AUTH |
AUTHENTICATE SERVER |
SERVER |
BADB |
BACKUP DATABASE |
DATABASE |
BALO |
BACKUP LOG |
DATABASE |
CL |
CONTROL |
APPLICATION ROLE |
CL |
CONTROL |
ASSEMBLY |
CL |
CONTROL |
ASYMMETRIC KEY |
CL |
CONTROL |
CERTIFICATE |
CL |
CONTROL |
CONTRACT |
CL |
CONTROL |
DATABASE |
CL |
CONTROL |
ENDPOINT |
CL |
CONTROL |
FULLTEXT CATALOG |
CL |
CONTROL |
FULLTEXT STOPLIST |
CL |
CONTROL |
LOGIN |
CL |
CONTROL |
MESSAGE TYPE |
CL |
CONTROL |
OBJECT |
CL |
CONTROL |
REMOTE SERVICE BINDING |
CL |
CONTROL |
ROLE |
CL |
CONTROL |
ROUTE |
CL |
CONTROL |
SCHEMA |
CL |
CONTROL |
SERVICE |
CL |
CONTROL |
SYMMETRIC KEY |
CL |
CONTROL |
TYPE |
CL |
CONTROL |
USER |
CL |
CONTROL |
XML SCHEMA COLLECTION |
CL |
CONTROL SERVER |
SERVER |
CO |
CONNECT |
DATABASE |
CO |
CONNECT |
ENDPOINT |
CORP |
CONNECT REPLICATION |
DATABASE |
COSQ |
CONNECT SQL |
SERVER |
CP |
CHECKPOINT |
DATABASE |
CRAG |
CREATE AGGREGATE |
DATABASE |
CRAK |
CREATE ASYMMETRIC KEY |
DATABASE |
CRAS |
CREATE ASSEMBLY |
DATABASE |
CRCF |
CREATE CERTIFICATE |
DATABASE |
CRDB |
CREATE ANY DATABASE |
SERVER |
CRDB |
CREATE DATABASE |
DATABASE |
CRDE |
CREATE DDL EVENT NOTIFICATION |
SERVER |
CRDF |
CREATE DEFAULT |
DATABASE |
CRED |
CREATE DATABASE DDL EVENT NOTIFICATION |
DATABASE |
CRFN |
CREATE FUNCTION |
DATABASE |
CRFT |
CREATE FULLTEXT CATALOG |
DATABASE |
CRHE |
CREATE ENDPOINT |
SERVER |
CRMT |
CREATE MESSAGE TYPE |
DATABASE |
CRPR |
CREATE PROCEDURE |
DATABASE |
CRQU |
CREATE QUEUE |
DATABASE |
CRRL |
CREATE ROLE |
DATABASE |
CRRT |
CREATE ROUTE |
DATABASE |
CRRU |
CREATE RULE |
DATABASE |
CRSB |
CREATE REMOTE SERVICE BINDING |
DATABASE |
CRSC |
CREATE CONTRACT |
DATABASE |
CRSK |
CREATE SYMMETRIC KEY |
DATABASE |
CRSM |
CREATE SCHEMA |
DATABASE |
CRSN |
CREATE SYNONYM |
DATABASE |
CRSV |
CREATE SERVICE |
DATABASE |
CRTB |
CREATE TABLE |
DATABASE |
CRTE |
CREATE TRACE EVENT NOTIFICATION |
SERVER |
CRTY |
CREATE TYPE |
DATABASE |
CRVW |
CREATE VIEW |
DATABASE |
CRXS |
CREATE XML SCHEMA COLLECTION |
DATABASE |
DL |
DELETE |
DATABASE |
DL |
DELETE |
OBJECT |
DL |
DELETE |
SCHEMA |
EX |
EXECUTE |
DATABASE |
EX |
EXECUTE |
OBJECT |
EX |
EXECUTE |
SCHEMA |
EX |
EXECUTE |
TYPE |
EX |
EXECUTE |
XML SCHEMA COLLECTION |
IM |
IMPERSONATE |
LOGIN |
IM |
IMPERSONATE |
USER |
IN |
INSERT |
DATABASE |
IN |
INSERT |
OBJECT |
IN |
INSERT |
SCHEMA |
RC |
RECEIVE |
OBJECT |
RF |
REFERENCES |
ASSEMBLY |
RF |
REFERENCES |
ASYMMETRIC KEY |
RF |
REFERENCES |
CERTIFICATE |
RF |
REFERENCES |
CONTRACT |
RF |
REFERENCES |
DATABASE |
RF |
REFERENCES |
FULLTEXT CATALOG |
RF |
REFERENCES |
FULLTEXT STOPLIST |
RF |
REFERENCES |
MESSAGE TYPE |
RF |
REFERENCES |
OBJECT |
RF |
REFERENCES |
SCHEMA |
RF |
REFERENCES |
SYMMETRIC KEY |
RF |
REFERENCES |
TYPE |
RF |
REFERENCES |
XML SCHEMA COLLECTION |
SHDN |
SHUTDOWN |
SERVER |
SL |
SELECT |
DATABASE |
SL |
SELECT |
OBJECT |
SL |
SELECT |
SCHEMA |
SN |
SEND |
SERVICE |
SPLN |
SHOWPLAN |
DATABASE |
SUQN |
SUBSCRIBE QUERY NOTIFICATIONS |
DATABASE |
TO |
TAKE OWNERSHIP |
ASSEMBLY |
TO |
TAKE OWNERSHIP |
ASYMMETRIC KEY |
TO |
TAKE OWNERSHIP |
CERTIFICATE |
TO |
TAKE OWNERSHIP |
CONTRACT |
TO |
TAKE OWNERSHIP |
DATABASE |
TO |
TAKE OWNERSHIP |
ENDPOINT |
TO |
TAKE OWNERSHIP |
FULLTEXT CATALOG |
TO |
TAKE OWNERSHIP |
FULLTEXT STOPLIST |
TO |
TAKE OWNERSHIP |
MESSAGE TYPE |
TO |
TAKE OWNERSHIP |
OBJECT |
TO |
TAKE OWNERSHIP |
REMOTE SERVICE BINDING |
TO |
TAKE OWNERSHIP |
ROLE |
TO |
TAKE OWNERSHIP |
ROUTE |
TO |
TAKE OWNERSHIP |
SCHEMA |
TO |
TAKE OWNERSHIP |
SERVICE |
TO |
TAKE OWNERSHIP |
SYMMETRIC KEY |
TO |
TAKE OWNERSHIP |
TYPE |
TO |
TAKE OWNERSHIP |
XML SCHEMA COLLECTION |
UP |
UPDATE |
DATABASE |
UP |
UPDATE |
OBJECT |
UP |
UPDATE |
SCHEMA |
VW |
VIEW DEFINITION |
APPLICATION ROLE |
VW |
VIEW DEFINITION |
ASSEMBLY |
VW |
VIEW DEFINITION |
ASYMMETRIC KEY |
VW |
VIEW DEFINITION |
CERTIFICATE |
VW |
VIEW DEFINITION |
CONTRACT |
VW |
VIEW DEFINITION |
DATABASE |
VW |
VIEW DEFINITION |
ENDPOINT |
VW |
VIEW DEFINITION |
FULLTEXT CATALOG |
VW |
VIEW DEFINITION |
FULLTEXT STOPLIST |
VW |
VIEW DEFINITION |
LOGIN |
VW |
VIEW DEFINITION |
MESSAGE TYPE |
VW |
VIEW DEFINITION |
OBJECT |
VW |
VIEW DEFINITION |
REMOTE SERVICE BINDING |
VW |
VIEW DEFINITION |
ROLE |
VW |
VIEW DEFINITION |
ROUTE |
VW |
VIEW DEFINITION |
SCHEMA |
VW |
VIEW DEFINITION |
SERVICE |
VW |
VIEW DEFINITION |
SYMMETRIC KEY |
VW |
VIEW DEFINITION |
TYPE |
VW |
VIEW DEFINITION |
USER |
VW |
VIEW DEFINITION |
XML SCHEMA COLLECTION |
VWCT |
VIEW CHANGE TRACKING |
OBJECT |
VWCT |
VIEW CHANGE TRACKING |
SCHEMA |
VWAD |
VIEW ANY DEFINITION |
SERVER |
VWDB |
VIEW ANY DATABASE |
SERVER |
VWDS |
VIEW DATABASE STATE |
DATABASE |
VWSS |
VIEW SERVER STATE |
SERVER |
XA |
EXTERNAL ACCESS ASSEMBLY |
SERVER |
XU |
UNSAFE ASSEMBLY |
SERVER |
Remarks
sys.fn_builtin_permissions is a table-valued function that emits a copy of the predefined permission hierarchy. This hierarchy includes covering permissions. The DEFAULT result set describes a directed, acyclic graph of the permissions hierarchy, of which the root is (class = SERVER, permission = CONTROL SERVER).
sys.fn_builtin_permissions does not accept correlated parameters.
sys.fn_builtin_permissions will return an empty set when it is called with a class name that is not valid.
Permissions
Requires membership in the public role.
Examples
A. Listing all built in permissions
SELECT * FROM sys.fn_builtin_permissions(DEFAULT)
B. Listing permissions that can be set on a symmetric key
SELECT * FROM sys.fn_builtin_permissions(N'SYMMETRIC KEY')
C. Listing classes on which there is a SELECT permission
SELECT * FROM sys.fn_builtin_permissions(DEFAULT)
WHERE permission_name = 'SELECT';