Fixed database roles are defined at the database level and exist in each database. Members of the db_owner and db_securityadmin database roles can manage fixed database role membership; however, only members of the db_owner database role can add members to the db_owner fixed database role.
The fixed database roles are the following:
- db_accessadmin
- db_backupoperator
- db_datareader
- db_datawriter
- db_ddladmin
- db_denydatareader
- db_denydatawriter
- db_owner
- db_securityadmin
public Database Role
Every database user belongs to the public database role. When a user has not been granted or denied specific permissions on a securable, the user inherits the permissions granted to public on that securable.
Members of the db_accessadmin fixed database role can add or remove access for Windows logins, Windows groups, and SQL Server logins.
Members of the db_backupoperator fixed database role can back up the database.
Members of the db_datareader fixed database role can read all data from all user tables.
Members of the db_datawriter fixed database role can add, delete, or change data in all user tables.
Members of the db_ddladmin fixed database role can run any Data Definition Language (DDL) command in a database.
Members of the db_denydatareader fixed database role cannot read any data in the user tables within a database.
Members of the db_denydatawriter fixed database role cannot add, modify, or delete any data in the user tables within a database.
Members of the db_owner fixed database role can perform all configuration and maintenance activities on the database.
Members of the db_securityadmin fixed database role can modify role membership and manage permissions.
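
To review who holds the fixed database roles described above, the following query (an added example, not part of the original page) lists the effective members of every fixed role in the current database using the catalog views sys.database_principals and sys.database_role_members. It follows nested role membership, so a depth greater than 1 means the membership is inherited through another role, and it flags db_owner and db_securityadmin, the two roles that can manage fixed database role membership.

```sql
-- Added example: audit fixed database role membership.
-- Run in the context of the database being reviewed.
WITH role_tree AS (
    -- Anchor: direct members of each fixed database role
    SELECT r.principal_id          AS fixed_role_id,
           drm.member_principal_id AS member_id,
           1                       AS depth
    FROM sys.database_principals AS r
    JOIN sys.database_role_members AS drm
      ON drm.role_principal_id = r.principal_id
    WHERE r.is_fixed_role = 1

    UNION ALL

    -- Recurse: if a member is itself a role, include that role's members
    SELECT t.fixed_role_id,
           drm.member_principal_id,
           t.depth + 1
    FROM role_tree AS t
    JOIN sys.database_role_members AS drm
      ON drm.role_principal_id = t.member_id
)
SELECT fr.name      AS fixed_role,
       m.name       AS member_name,
       m.type_desc  AS member_type,   -- e.g. SQL_USER, WINDOWS_GROUP, DATABASE_ROLE
       MIN(t.depth) AS depth,         -- 1 = direct member, >1 = via nested role
       CASE WHEN fr.name IN (N'db_owner', N'db_securityadmin')
            THEN 1 ELSE 0
       END          AS can_manage_fixed_role_membership
FROM role_tree AS t
JOIN sys.database_principals AS fr ON fr.principal_id = t.fixed_role_id
JOIN sys.database_principals AS m  ON m.principal_id  = t.member_id
GROUP BY fr.name, m.name, m.type_desc
ORDER BY can_manage_fixed_role_membership DESC, fixed_role, depth, member_name;
```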