Stay organized with collections Save and categorize content based on your preferences.
This page describes how Cloud SQL works with SQL Server users and roles. SQL Server roles enable you to control the access and capabilities of users who access a SQL Server instance.
For information about creating and managing Cloud SQL users, see Creating and managing users.
Note: See Other SQL Server users for additional information about users you create using Cloud SQL. SQL Server roles and usersSQL Server roles can be a single role, or they can function as a group of roles.
A user is a role with the ability to log in (the role has the LOGIN permission). All roles created by Cloud SQL have the LOGIN permission, so Cloud SQL uses the terms "role" and "user" interchangeably. However, if you create a role with any client tool that is compatible with SQL Server, then the role doesn't necessarily receive the LOGIN permission.
Cloud SQL for SQL Server restricts access to certain server roles that provide advanced privileges. Examples of these roles are DbRootRole, serveradmin, securityadmin, setupadmin, diskadmin, and dbcreator.
All SQL Server users must have a password. Thus, you can't log in with a user that lacks a password.
Superusers and system stored proceduresCloud SQL for SQL Server is a managed service, so it restricts access to certain system stored procedures and tables that require advanced privileges. In Cloud SQL, you cannot create or have access to users with superuser permissions.
Note: Thesysadmin role is not supported. Therefore, you cannot run system stored procedures that require the sysadmin role. As one of the many examples, you cannot run the sp_OADestroy stored procedure because it requires the sysadmin role. Default SQL Server users
When you create a new Cloud SQL for SQL Server instance, the default sqlserver user is already created for you, although you must set its password.
The sqlserver user is part of the CustomerDbRootRole role, and its permissions (privileges) include the following:
ALTER ANY CONNECTIONALTER ANY LOGINALTER ANY SERVER ROLEALTER SERVER STATEALTER TRACECONNECT SQLCREATE ANY DATABASECREATE SERVER ROLEVIEW ANY DATABASEVIEW ANY DEFINITIONVIEW SERVER STATEYou can also add cloudsql enable linked servers to your instance if you want to use it with linked servers. This flag grants the following permission to your server:
ALTER ANY LINKED SERVERsysadmin and dbcreator roles. Therefore, due to unavailable permissions, automated schema deployment using a DACPAC isn't supported. Granting server permissions
When you grant privileges using any GRANT command, you must pass CustomerDbRootRole as, for example, the value of grantor_principal.
The following GRANT ALTER ANY LOGIN example is valid:
GRANT ALTER ANY LOGIN TO [Account] AS CustomerDbRootRole
The following GRANT ALTER ANY LOGIN example is invalid:
GRANT ALTER ANY LOGIN TO [Account]Other SQL Server users
You can create other SQL Server users or roles. All users you create using Cloud SQL are granted the same database permissions as the sqlserver login. However, if you use a different process to create a user (rather than creating it using Cloud SQL), the user won't have the same permissions as the customer administrator accounts or the sqlserver user. For example, if you use the create login process, and add the login to the CustomerDbRootRole server role, the user won't have the same permissions as the customer administrator accounts or the sqlserver user. Therefore, you can use Cloud SQL to create a user if you intend the user to have the same database permissions as the sqlserver login. To validate the difference in permissions between any two accounts, you can use the following function: sys.fn_my_permissions.
sqlserver login, and that user can grant those permissions to other users. See Creating server audits. Database imports: owner permissions
When you import a database, the treatment of the owner varies as follows, based on the type of owner:
sa: Cloud SQL keeps that owner and creates a user called sqlserver that maps to the login sqlserver. Cloud SQL grants the CONTROL and ALTER ANY USER permissions to that sqlserver user.sqlserver login.The ALTER ROLE command is available for changing user permissions. If you create a new user with a client, you can associate it with a different role or provide different permissions.
Troubleshooting Error accessing databaseWhen trying to access to a database you created, as a user you created, you get the following error:
The server principal USERNAME is not able to access the database DATABASE_NAME under the current security context.The issue might be
The user is not a member of the database.
Things to tryConnect to the database as the sqlserver user and add the new user, then give the new user the db_owner role for the database. For example:
EXEC sp_adduser 'user'; EXEC sp_addrolemember 'db_owner', 'user'What's next
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-08-14 UTC.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-14 UTC."],[],[]]
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4