[!INCLUDE[ssNoVersion](../../../includes/ssnoversion-md.md)] provides server-level roles to help you manage the permissions on a server. These roles are security principals that group other principals. Server-level roles are server-wide in their permissions scope. (*Roles* are like *groups* in the Windows operating system.)
33
33
34
-
SQL Server 2019 and previous versions provided nine fixed server roles. SQL Server 2022 comes with 10 additional server roles, which have the prefix `##MS_` and the suffix `##` to distinguish from other regular user-created principals and custom server roles. The permissions that are granted to the fixed server roles (except **public**) can't be changed. Beginning with [!INCLUDE[ssSQL11](../../../includes/sssql11-md.md)], you can create user-defined server roles and add server-level permissions to the user-defined server roles.
34
+
SQL Server 2019 and previous versions provided nine fixed server roles. The permissions that are granted to the fixed server roles (except **public**) can't be changed. Beginning with [!INCLUDE[ssSQL11](../../../includes/sssql11-md.md)], you can create user-defined server roles and add server-level permissions to the user-defined server roles.
35
+
SQL Server 2022 comes with 10 additional server roles that have been designed specifically with the [*Principle of Least Privilege*](https://techcommunity.microsoft.com/t5/azure-sql-blog/security-the-principle-of-least-privilege-polp/ba-p/2067390) in mind, which have the prefix `##MS_` and the suffix `##` to distinguish them from other regular user-created principals and custom server roles. Those new roles contain privileges that apply on server scope but also can inherit down to individual databases (with the exception of the **##MS_LoginManager##** server role.)
35
36
36
-
The fixed server roles that don't start with the `##MS_` prefix are provided for convenience and backward compatibility. Assign more specific permissions whenever possible or use the new server roles.
37
-
38
-
Like SQL Server on-premises, server permissions are organized hierarchically. The permissions that are held by these server-level roles can propagate to database permissions. For the permissions to be effectively useful at the database level, a login needs to either be a member of the server-level role **##MS_DatabaseConnector##**, which grants **CONNECT** permission to all databases, or have a user account in individual databases. This also applies to the `master` database. For example, the server-level role **##MS_ServerStateReader##** holds the permission **VIEW SERVER STATE**. If a login who is member of this role has a user account in the databases, `master` and `WideWorldImporters`, this user will have the permission, **VIEW DATABASE STATE** in those two databases.
37
+
Like SQL Server on-premises, server permissions are organized hierarchically. The permissions that are held by these server-level roles can propagate to database permissions. For the permissions to be effectively useful at the database level, a login needs to either be a member of the server-level role **##MS_DatabaseConnector##** (starting with SQL Server 2022), which grants the **CONNECT** permission to all databases, or have a user account in individual databases. This also applies to the `master` database.
38
+
Consider the following example: The server-level role **##MS_ServerStateReader##** holds the permission **VIEW SERVER STATE**. A login who is member of this role has a user account in the databases, `master` and `WideWorldImporters`. This user will then also have the permission, **VIEW DATABASE STATE** in those two databases by inheritance.
39
39
40
40
You can add server-level principals ([!INCLUDE[ssNoVersion](../../../includes/ssnoversion-md.md)] logins, Windows accounts, and Windows groups) into server-level roles. Each member of a fixed server role can add other logins to that same role. Members of user-defined server roles can't add other server principals to the role.
41
41
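Review bot: in the new SQL Server 2022 paragraph the relative clause `which have the prefix ##MS_ and the suffix ##` now attaches to the *Principle of Least Privilege* link rather than to the roles, and the parenthetical ends with a stray period inside the parentheses; reword to `SQL Server 2022 comes with 10 additional server roles designed with the Principle of Least Privilege in mind. Their names carry the prefix ##MS_ and the suffix ## to distinguish them from regular user-created principals and custom server roles.` The deleted line `The fixed server roles that don't start with the ##MS_ prefix are provided for convenience and backward compatibility. Assign more specific permissions whenever possible or use the new server roles.` was the only place this section told readers to prefer the narrower roles over the legacy ones; keep it, or fold it into the new paragraph, rather than dropping it. In the worked example, `A login who is member of this role` should read `a member`, the comma in `the permission, VIEW DATABASE STATE` should go, and it would help to say explicitly that the inherited database permission exists only in databases where the login has a user (or via ##MS_DatabaseConnector##), since that is the point the paragraph immediately above makes.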
@@ -50,7 +50,7 @@ The following table shows the fixed server-level roles and their capabilities.
|**sysadmin**|Members of the **sysadmin** fixed server role can perform any activity in the server.|
52
52
|**serveradmin**|Members of the **serveradmin** fixed server role can change server-wide configuration options and shut down the server.|
53
-
|**securityadmin**|Members of the **securityadmin** fixed server role manage logins and their properties. They can `GRANT`, `DENY`, and `REVOKE` server-level permissions. They can also `GRANT`, `DENY`, and `REVOKE` database-level permissions if they have access to a database. Additionally, they can reset passwords for [!INCLUDE[ssNoVersion](../../../includes/ssnoversion-md.md)] logins.<br /><br /> **IMPORTANT:** The ability to grant access to the [!INCLUDE[ssDE](../../../includes/ssde-md.md)] and to configure user permissions allows the security admin to assign most server permissions. The **securityadmin** role should be treated as equivalent to the **sysadmin** role.|
53
+
|**securityadmin**|Members of the **securityadmin** fixed server role manage logins and their properties. They can `GRANT`, `DENY`, and `REVOKE` server-level permissions. They can also `GRANT`, `DENY`, and `REVOKE` database-level permissions if they have access to a database. Additionally, they can reset passwords for [!INCLUDE[ssNoVersion](../../../includes/ssnoversion-md.md)] logins.<br /><br /> **IMPORTANT:** The ability to grant access to the [!INCLUDE[ssDE](../../../includes/ssde-md.md)] and to configure user permissions allows the security admin to assign most server permissions. The **securityadmin** role should be treated as equivalent to the **sysadmin** role. As an alternative, starting with SQL Server 2022, consider using the new fixed server role **##MS_LoginManager##**.|
54
54
|**processadmin**|Members of the **processadmin** fixed server role can end processes that are running in an instance of [!INCLUDE[ssNoVersion](../../../includes/ssnoversion-md.md)].|
55
55
|**setupadmin**|Members of the **setupadmin** fixed server role can add and remove linked servers by using [!INCLUDE[tsql](../../../includes/tsql-md.md)] statements. (**sysadmin** membership is needed when using [!INCLUDE[ssManStudio](../../../includes/ssmanstudio-md.md)].)|
56
56
|**bulkadmin**|Members of the **bulkadmin** fixed server role can run the `BULK INSERT` statement.<br /><br /> The **bulkadmin** role or ADMINISTER BULK OPERATIONS permissions isn't supported for SQL Server on Linux. Only the **sysadmin** can perform bulk inserts for SQL Server on Linux. |
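Review bot: the added sentence recommending ##MS_LoginManager## as an alternative to **securityadmin** reads as a drop-in replacement, but the IMPORTANT note two sentences earlier says **securityadmin** is effectively **sysadmin** because it can grant permissions, and the new role is described further down the page as unable to `GRANT`. State the scope of the substitution here, e.g. `Starting with SQL Server 2022, if members only need to manage logins, use the more limited ##MS_LoginManager## fixed server role instead; it cannot grant, deny, or revoke permissions.`, so readers do not move **securityadmin** members to the new role expecting equivalent rights.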
@@ -71,15 +71,15 @@ The following table shows additional fixed server-level roles that are introduce
|**##MS_DatabaseConnector##**|Members of the **##MS_DatabaseConnector##** fixed server role can connect to any database without requiring a User-account in the database to connect to. <br /><br />To deny the **CONNECT** permission to a specific database, users can create a matching user account for this login in the database and then **DENY** the **CONNECT** permission to the database-user. This **DENY** permission will overrule the **GRANT CONNECT** permission coming from this role.|
74
+
|**##MS_LoginManager##**|Members of the **##MS_LoginManager##** fixed server role can create, delete and modify logins. Contrary to the old fixed server role **securityadmin**, this role does not allow members to `GRANT` privileges. It is a more limited role that helps to comply with the *Principle of least Privilege*.|
74
75
|**##MS_DatabaseManager##**|Members of the **##MS_DatabaseManager##** fixed server role can create and delete databases. A member of the **##MS_DatabaseManager##** role that creates a database, becomes the owner of that database, which allows that user to connect to that database as the `dbo` user. The `dbo` user has all database permissions in the database. Members of the **##MS_DatabaseManager##** role don't necessarily have permission to access databases that they don't own.|
75
-
|**##MS_PerformanceDefinitionReader##**|Members of the **##MS_PerformanceDefinitionReader##** fixed server role can read all catalog views that are covered by **VIEW ANY PERFORMANCE DEFINITION**, and respectively has **VIEW PERFORMANCE DEFINITION** permission on any database on which the member of this role has a user account. This is a subset of what the **##MS_DefinitionReader##** server role has access to.|
76
-
|**##MS_SecurityDefinitionReader##**|Members of the **##MS_SecurityDefinitionReader##** fixed server role can read all catalog views that are covered by **VIEW ANY SECURITY DEFINITION**, and respectively has **VIEW SECURITY DEFINITION** permission on any database on which the member of this role has a user account. This is a small subset of what the **##MS_DefinitionReader##** server role has access to.|
77
-
|**##MS_DefinitionReader##**|Members of the **##MS_DefinitionReader##** fixed server role can read all catalog views that are covered by **VIEW ANY DEFINITION**, and respectively has **VIEW DEFINITION** permission on any database on which the member of this role has a user account.|
78
-
|**##MS_LoginManager##**|Members of the **##MS_LoginManager##** fixed server role can create and delete logins.|
79
-
|**##MS_ServerPerformanceStateReader##**|Members of the **##MS_ServerPerformanceStateReader##** fixed server role can read all dynamic management views (DMVs) and functions that are covered by **VIEW SERVER PERFORMANCE STATE**, and respectively has **VIEW DATABASE PERFORMANCE STATE** permission on any database on which the member of this role has a user account. This is a subset of what the **##MS_ServerStateReader##** server role has access to.|
80
-
|**##MS_ServerSecurityStateReader##**|Members of the **##MS_ServerSecurityStateReader##** fixed server role can read all dynamic management views (DMVs) and functions that are covered by **VIEW SERVER SECURITY STATE**, and respectively has **VIEW DATABASE SECURITY STATE** permission on any database on which the member of this role has a user account. This is a small subset of what the **##MS_ServerStateReader##** server role has access to.|
81
-
|**##MS_ServerStateReader##**|Members of the **##MS_ServerStateReader##** fixed server role can read all dynamic management views (DMVs) and functions that are covered by **VIEW SERVER STATE**, and respectively has **VIEW DATABASE STATE** permission on any database on which the member of this role has a user account.|
82
76
|**##MS_ServerStateManager##**|Members of the **##MS_ServerStateManager##** fixed server role have the same permissions as the **##MS_ServerStateReader##** role. Also, it holds the **ALTER SERVER STATE** permission, which allows access to several management operations, such as: `DBCC FREEPROCCACHE`, `DBCC FREESYSTEMCACHE ('ALL')`, `DBCC SQLPERF()`|
77
+
|**##MS_ServerStateReader##**|Members of the **##MS_ServerStateReader##** fixed server role can read all dynamic management views (DMVs) and functions that are covered by **VIEW SERVER STATE**, and respectively has **VIEW DATABASE STATE** permission on any database on which the member of this role has a user account.|
78
+
|**##MS_ServerPerformanceStateReader##**|Members of the **##MS_ServerPerformanceStateReader##** fixed server role can read all dynamic management views (DMVs) and functions that are covered by **VIEW SERVER PERFORMANCE STATE**, and respectively has **VIEW DATABASE PERFORMANCE STATE** permission on any database on which the member of this role has a user account. This is a subset of what the **##MS_ServerStateReader##** server role has access to which helps to comply with the *Principle of least Privilege*.|
79
+
|**##MS_ServerSecurityStateReader##**|Members of the **##MS_ServerSecurityStateReader##** fixed server role can read all dynamic management views (DMVs) and functions that are covered by **VIEW SERVER SECURITY STATE**, and respectively has **VIEW DATABASE SECURITY STATE** permission on any database on which the member of this role has a user account. This is a small subset of what the **##MS_ServerStateReader##** server role has access to, which helps to comply with the *Principle of least Privilege*.|
80
+
|**##MS_DefinitionReader##**|Members of the **##MS_DefinitionReader##** fixed server role can read all catalog views that are covered by **VIEW ANY DEFINITION**, and respectively has **VIEW DEFINITION** permission on any database on which the member of this role has a user account.|
81
+
|**##MS_PerformanceDefinitionReader##**|Members of the **##MS_PerformanceDefinitionReader##** fixed server role can read all catalog views that are covered by **VIEW ANY PERFORMANCE DEFINITION**, and respectively has **VIEW PERFORMANCE DEFINITION** permission on any database on which the member of this role has a user account. This is a subset of what the **##MS_DefinitionReader##** server role has access to.|
82
+
|**##MS_SecurityDefinitionReader##**|Members of the **##MS_SecurityDefinitionReader##** fixed server role can read all catalog views that are covered by **VIEW ANY SECURITY DEFINITION**, and respectively has **VIEW SECURITY DEFINITION** permission on any database on which the member of this role has a user account. This is a small subset of what the **##MS_DefinitionReader##** server role has access to which helps to comply with the *Principle of least Privilege*.|
83
83
84
84
## Permissions of fixed server roles
85
85
Each fixed server role has certain permissions assigned to it.
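Review bot: after the reorder, the ##MS_ServerStateManager## row, defined as `the same permissions as the ##MS_ServerStateReader## role` plus **ALTER SERVER STATE**, now sits before the ##MS_ServerStateReader## row it refers to; put the reader role first, as the definition-reader rows already do with ##MS_DefinitionReader## ahead of its two subsets. In the new ##MS_LoginManager## row, `Contrary to the old fixed server role` should read `Unlike the older fixed server role`, and the casing `Principle of least Privilege` (here and in the three reader rows that gained the phrase) should match the `Principle of Least Privilege` used earlier on the page. The `and respectively has ... permission on any database on which the member of this role has a user account` wording carried into every reader row is ungrammatical; since these rows are being rewritten anyway, `and have the corresponding ... permission in any database in which the member has a user account` reads better.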