I've granted membership in the db_datareader and db_datawriter roles for some testing being performed by a specific user.
Looking at the names of each role, I know what the roles do. However, I want to see where the permissions were assigned just to better understand.
To my surprise I see a blank slate for the db_datareader schema for that database. I go onto read Understanding SQL Server fixed database roles and from there I know why I cannot see anything in that properties dialog:
The catch with this role is that the permission is implicit. That means if you query sys.database_permissions, you will not see any permission granted, either to the db_datareader role or directly to the user. Therefore, if you need to audit for everyone who has SELECT access to particular tables in a database, you'll have to query the membership of this group via the use of sp_helprolemember
I was aware of querying the roles which obviously works fine. So I thought this was perhaps a limitation of the GUI. I liked the permissions script from this answer and gave that a run. However, upon execution, that returns NULL for permissiontype and permissionstate which is consistent with the above quote.
All that said, are these pre-canned roles infallible? Can I assume that no one can mess around with the implicit nature of their respective permissions i.e you can't remove select rights from db_datareader behind the scenes?
Best Answer
Your question:
According to the documentation on MSDN, fixed database roles, including
db_datareaderanddb_datawritercannot be modified:Therefore, you can rest-assured assignment of rights via these roles are fixed and cannot be modified.
Granting membership in
db_datareaderis the equivalent of doingGRANT SELECT ON DATABASE::[db-name] TO [principal];