SQL Server users

This page describes how Cloud SQL works with SQL Server users and roles. SQL Server roles enable you to control the access and capabilities of users who access a SQL Server instance.

For information about creating and managing Cloud SQL users, see Creating and Managing Users.

SQL Server roles and users

SQL Server roles can be a single role, or they can function as a group of roles. A user is simply a role with the ability to login (the role has the LOGIN attribute). Because all roles created by Cloud SQL have the LOGIN attribute, Cloud SQL uses the terms "role" and "user" interchangeably. However, if you create a role with the client, it does not necessarily have the LOGIN attribute.

All SQL Server users must have a password. You cannot login with a user that does not have a password.

Superuser restrictions

Because Cloud SQL for SQL Server is a managed service, it restricts access to certain system procedures and tables that require advanced privileges. In Cloud SQL, customers cannot create or have access to users with superuser attributes.

Default SQL Server users

When you create a new Cloud SQL for SQL Server instance, the default sqlserver user is already created for you, though you must set its password.

The sqlserver user is part of the cloudsqlsuperuser role, and has the following attributes (privileges): CREATEROLE, CREATEDB, and LOGIN. It does not have the SUPERUSER or REPLICATION attributes.

Other SQL Server users

You can create other SQL Server users or roles. All users you create using Cloud SQL are created as part of the cloudsqlsuperuser role, and have the same set of attributes as the sqlserver user: CREATEROLE, CREATEDB, and LOGIN. You can change the attributes of any user by using the ALTER ROLE command.

If you create a new user with the client, you can choose to associate it with a different role, or give it different attributes.

What's next