SQL Server – Difference Between db_owner and Other Database Roles

permissionssql server

What is the difference between having only the db_owner database role and having all other except db_denydatareader and db_denydatawriter?

db_securityadmin +
db_accessadmin +
db_backupoperator +
db_ddladmin +
db_datareader +
db_datawriter

Versus

db_owner

I've read that when you have db_accessadmin and db_securityadmin roles, you can change database role of another user into the database but I tried and it seems that I don't have the permission to change any permission while logged with this user. But if I give to this user the db_owner role, now I can change permission to any other user.

Best Answer

As per the Docs article, db_owner can perform functions that no other role or combination of roles provides, including but not limited to:

  • Adding users to fixed-database roles
  • Dropping the database
  • The CONTROL DATABASE permission

There is a diagram on the linked article that shows the fixed-role permissions for each role. Any permission not listed in that diagram is granted to the db_owner role only by default.