This page describes how Cloud SQL works with SQL Server users and roles. SQL Server roles enable you to control the access and capabilities of users who access a SQL Server instance.
For information about creating and managing Cloud SQL users, see Creating and Managing Users.
SQL Server roles and users
SQL Server roles can be a single role, or they can function as a group of roles.
A user is a role with the ability to log in (the role has the
permission). All roles created by Cloud SQL have the
permission, so Cloud SQL uses the terms "role" and "user" interchangeably.
However, if you create a role with the client, it does not necessarily
All SQL Server users must have a password. You cannot login with a user that does not have a password.
Because Cloud SQL for SQL Server is a managed service, it restricts access to certain system procedures and tables that require advanced privileges. In Cloud SQL, customers cannot create or have access to users with superuser permissions.
Default SQL Server users
When you create a new Cloud SQL for SQL Server instance, the default
sqlserver user is already created for you, although you must set its password.
sqlserver user is part of the
CustomerDbRootRole role, and its
permissions (privileges) include the following:
CREATE ANY DATABASE
ALTER ANY LOGIN
ALTER ANY CONNECTION
VIEW ANY DATABASE
VIEW ANY DEFINITION
VIEW SERVER STATE
ALTER SERVER STATE
CREATE SERVER ROLE
ALTER ANY SERVER ROLE
Granting server permissions
When you grant privileges using any
you must pass
CustomerDbRootRole as, for example, the value of
GRANT ALTER ANY LOGIN example is valid:
GRANT ALTER ANY LOGIN TO [Account] AS CustomerDbRootRole
GRANT ALTER ANY LOGIN example is invalid:
GRANT ALTER ANY LOGIN TO [Account]
Other SQL Server users
You can create other SQL Server users or roles. All users you
create using Cloud SQL are created as part of the
role, and have the same set of permissions as the
You can change the permissions of any user by using the
If you create a new user with the client, you can choose to associate it with a different role, or give it different permissions.