Permissions for @turbot/azure-sql
Taking a look at permissions and associated grant levels for each permission for SQL:
| Permission | Grant Level | Help |
|---|---|---|
| microsoft.resources/deployments/cancel/action | operator | |
| microsoft.resources/deployments/delete | operator | |
| microsoft.resources/deployments/operations/read | metadata | |
| microsoft.resources/deployments/read | metadata | |
| microsoft.resources/deployments/validate/action | operator | |
| microsoft.resources/deployments/write | operator | |
| microsoft.resources/subscriptions/read | metadata | gets the list of subscriptions. |
| microsoft.resources/subscriptions/resourcegroups/read | metadata | |
| microsoft.resources/subscriptions/resources/read | metadata | lists resources of a subscription. |
| microsoft.sql/locations/auditingsettingsazureasyncoperation/read | metadata | retrieve result of the extended server blob auditing policy set operation. |
| microsoft.sql/locations/auditingsettingsoperationresults/read | metadata | retrieve result of the server blob auditing policy set operation. |
| microsoft.sql/locations/capabilities/read | metadata | gets the capabilities for this subscription |
| microsoft.sql/locations/databaseazureasyncoperation/read | metadata | gets the status of a database operation. |
| microsoft.sql/locations/databaseoperationresults/read | metadata | gets the status of a database operation. |
| microsoft.sql/locations/deletevirtualnetworkorsubnets/action | admin | deletes virtual network rules associated to a virtual network or subnet |
| microsoft.sql/locations/deletedserverasyncoperation/read | metadata | gets in-progress operations on deleted server. |
| microsoft.sql/locations/deletedserveroperationresults/read | metadata | gets in-progress operations on deleted server. |
| microsoft.sql/locations/deletedservers/read | metadata | return the list of deleted servers or gets the properties for the specified deleted server. |
| microsoft.sql/locations/deletedservers/recover/action | admin | recover a deleted server. |
| microsoft.sql/locations/elasticpoolazureasyncoperation/read | metadata | gets the azure async operation for an elastic pool async operation. |
| microsoft.sql/locations/elasticpooloperationresults/read | metadata | gets the result of an elastic pool operation. |
| microsoft.sql/locations/extendedauditingsettingsazureasyncoperation/read | metadata | retrieve result of the extended server blob auditing policy set operation. |
| microsoft.sql/locations/extendedauditingsettingsoperationresults/read | metadata | retrieve result of the extended server blob auditing policy set operation. |
| microsoft.sql/locations/instancefailovergroups/delete | admin | deletes an existing instance failover group. |
| microsoft.sql/locations/instancefailovergroups/failover/action | admin | executes planned failover in an existing instance failover group. |
| microsoft.sql/locations/instancefailovergroups/forcefailoverallowdataloss/action | admin | executes forced failover in an existing instance failover group. |
| microsoft.sql/locations/instancefailovergroups/read | metadata | returns the list of instance failover groups or gets the properties for the specified instance failover group. |
| microsoft.sql/locations/instancefailovergroups/write | admin | creates a instance failover group with the specified parameters or updates the properties or tags for the specified instance failover group. |
| microsoft.sql/locations/interfaceendpointprofileazureasyncoperation/read | metadata | returns the details of a specific network interface azure async operation. |
| microsoft.sql/locations/interfaceendpointprofileoperationresults/read | metadata | returns the details of the specified network interface operation. |
| microsoft.sql/locations/longtermretentionbackups/read | metadata | lists the long term retention backups for every database on every server in a location. |
| microsoft.sql/locations/longtermretentionservers/longtermretentionbackups/read | metadata | lists the long term retention backups for every database on a server. |
| microsoft.sql/locations/longtermretentionservers/longtermretentiondatabases/longtermretentionbackups/delete | admin | admins can delete a long term retention backup. |
| microsoft.sql/locations/longtermretentionservers/longtermretentiondatabases/longtermretentionbackups/read | metadata | |
| microsoft.sql/locations/manageddatabaserestoreazureasyncoperation/completerestore/action | admin | completes managed database restore operation. |
| microsoft.sql/locations/managedtransparentdataencryptionazureasyncoperation/read | metadata | gets in-progress operations on managed database transparent data encryption. |
| microsoft.sql/locations/managedtransparentdataencryptionoperationresults/read | metadata | gets in-progress operations on managed database transparent data encryption. |
| microsoft.sql/locations/read | metadata | gets the available locations for a given subscription |
| microsoft.sql/locations/syncagentoperationresults/read | readonly | get sync agent resource operation results |
| microsoft.sql/locations/syncdatabaseids/read | readonly | get the sync database ids |
| microsoft.sql/locations/syncgroupoperationresults/read | readonly | get sync group resource operation results |
| microsoft.sql/locations/syncmemberoperationresults/read | readonly | get sync member resource operation results |
| microsoft.sql/locations/usages/read | metadata | gets a collection of usage metrics for the subscription in a location. |
| microsoft.sql/locations/virtualnetworkrulesazureasyncoperation/read | readonly | get azure sql server virtual network rules azure async operation |
| microsoft.sql/locations/virtualnetworkrulesoperationresults/read | readonly | get azure sql server virtual network rules operation results. |
| microsoft.sql/managedinstances/administrators/delete | admin | deletes an existing administrator of managed instance. |
| microsoft.sql/managedinstances/administrators/read | metadata | gets a list of managed instance administrators. |
| microsoft.sql/managedinstances/administrators/write | admin | creates or updates managed instance administrator with the specified parameters. |
| microsoft.sql/managedinstances/databases/delete | admin | deletes an existing managed database. |
| microsoft.sql/managedinstances/databases/providers/microsoft.insights/diagnosticsettings/read | metadata | gets the diagnostic setting for the resource. |
| microsoft.sql/managedinstances/databases/providers/microsoft.insights/diagnosticsettings/write | admin | admins can create or update the diagnostic setting for the resource. |
| microsoft.sql/managedinstances/databases/providers/microsoft.insights/logdefinitions/read | metadata | gets the available logs for managed instance databases. |
| microsoft.sql/managedinstances/databases/read | metadata | gets existing managed database. |
| microsoft.sql/managedinstances/databases/securityalertpolicies/read | metadata | retrieve details of the database threat detection policy configured on a given managed database. |
| microsoft.sql/managedinstances/databases/securityalertpolicies/write | admin | change the database threat detection policy for a given managed database. |
| microsoft.sql/managedinstances/databases/securityevents/read | metadata | retrieves the managed database security events. |
| microsoft.sql/managedinstances/databases/transparentdataencryption/read | metadata | retrieve details of the database transparent data encryption on a given managed database. |
| microsoft.sql/managedinstances/databases/transparentdataencryption/write | admin | change the database transparent data encryption for a given managed database. |
| microsoft.sql/managedinstances/databases/vulnerabilityassessments/delete | admin | |
| microsoft.sql/managedinstances/databases/vulnerabilityassessments/read | metadata | |
| microsoft.sql/managedinstances/databases/vulnerabilityassessments/rules/baselines/delete | admin | |
| microsoft.sql/managedinstances/databases/vulnerabilityassessments/rules/baselines/read | metadata | |
| microsoft.sql/managedinstances/databases/vulnerabilityassessments/rules/baselines/write | admin | admins can change the vulnerability assessment rule baseline for a given database. |
| microsoft.sql/managedinstances/databases/vulnerabilityassessments/scans/export/action | operator | operators can convert an existing scan result to a human readable format. if already exists nothing happens. |
| microsoft.sql/managedinstances/databases/vulnerabilityassessments/scans/initiatescan/action | metadata | |
| microsoft.sql/managedinstances/databases/vulnerabilityassessments/scans/read | metadata | |
| microsoft.sql/managedinstances/databases/vulnerabilityassessments/write | admin | admins can change the vulnerability assessment for a given database. |
| microsoft.sql/managedinstances/databases/write | admin | creates a new database or updates an existing database. |
| microsoft.sql/managedinstances/delete | admin | delete azure sql managed instance |
| microsoft.sql/managedinstances/encryptionprotector/read | metadata | returns a list of server encryption protectors or gets the properties for the specified server encryption protector. |
| microsoft.sql/managedinstances/encryptionprotector/write | admin | admins can update the properties for the specified server encryption protector. |
| microsoft.sql/managedinstances/keys/delete | admin | admins can delete an existing azure sql managed instance key. |
| microsoft.sql/managedinstances/keys/read | metadata | |
| microsoft.sql/managedinstances/keys/write | admin | admins can create a key with the specified parameters or update the properties or tags for the specified managed instance key. |
| microsoft.sql/managedinstances/metricdefinitions/read | metadata | get managed instance metric definitions. |
| microsoft.sql/managedinstances/metrics/read | metadata | get managed instance metrics. |
| microsoft.sql/managedinstances/providers/microsoft.insights/diagnosticsettings/read | metadata | gets the diagnostic setting for the resource. |
| microsoft.sql/managedinstances/providers/microsoft.insights/diagnosticsettings/write | admin | admins can create or update the diagnostic setting for the resource. |
| microsoft.sql/managedinstances/providers/microsoft.insights/logdefinitions/read | metadata | gets the available logs for managed instances. |
| microsoft.sql/managedinstances/providers/microsoft.insights/metricdefinitions/read | metadata | return types of metrics that are available for managed instances. |
| microsoft.sql/managedinstances/read | readonly | list/get azure sql managed instances(s) |
| microsoft.sql/managedinstances/securityalertpolicies/read | metadata | retrieve details of the managed server threat detection policy configured on a given managed server. |
| microsoft.sql/managedinstances/securityalertpolicies/write | admin | change the managed server threat detection policy for a given managed server. |
| microsoft.sql/managedinstances/tdecertificates/action | admin | admins can create/update tde certificate. |
| microsoft.sql/managedinstances/vulnerabilityassessments/delete | admin | |
| microsoft.sql/managedinstances/vulnerabilityassessments/read | metadata | retrieve details of the vulnerability assessment configured on a given managed instance. |
| microsoft.sql/managedinstances/vulnerabilityassessments/write | admin | admins can change the vulnerability assessment for a given managed instance. |
| microsoft.sql/managedinstances/write | admin | create/update azure sql managed instance |
| microsoft.sql/operations/read | metadata | gets available rest operations |
| microsoft.sql/servers/administrators/delete | admin | delete server administrator from the server |
| microsoft.sql/servers/administrators/read | readonly | get server administrator |
| microsoft.sql/servers/administrators/write | admin | create new or update existing server administrator |
| microsoft.sql/servers/advisors/read | metadata | get advisors for a server |
| microsoft.sql/servers/advisors/recommendedactions/read | metadata | returns list of recommended actions of specified advisor for the server |
| microsoft.sql/servers/advisors/recommendedactions/write | admin | admin can apply the recommended action on the server. |
| microsoft.sql/servers/advisors/write | admin | admin can update auto-execute status of an advisor on server level. |
| microsoft.sql/servers/auditingpolicies/read | readonly | get default server table auditing policy |
| microsoft.sql/servers/auditingpolicies/write | admin | set default server table auditing policy |
| microsoft.sql/servers/auditingsettings/operationresults/read | metadata | get server blob auditing operation results |
| microsoft.sql/servers/auditingsettings/read | metadata | retrieve details of the server blob auditing policy configured on a given server |
| microsoft.sql/servers/auditingsettings/write | admin | change the server blob auditing for a given server |
| microsoft.sql/servers/automatictuning/read | metadata | returns automatic tuning settings for the server. |
| microsoft.sql/servers/automatictuning/write | admin | updates automatic tuning settings for the server and returns updated settings. |
| microsoft.sql/servers/communicationlinks/delete | admin | delete communication link of a server |
| microsoft.sql/servers/communicationlinks/read | metadata | list/get communication links of a server |
| microsoft.sql/servers/communicationlinks/write | admin | create/update server communication link |
| microsoft.sql/servers/connectionpolicies/read | readonly | list/get server connection policies of a server |
| microsoft.sql/servers/connectionpolicies/write | admin | create/update server connection policy |
| microsoft.sql/servers/databases/advisors/read | metadata | returns list of advisors available for the database |
| microsoft.sql/servers/databases/advisors/recommendedactions/read | metadata | returns list of recommended actions of specified advisor for the database |
| microsoft.sql/servers/databases/advisors/recommendedactions/write | admin | apply the recommended action on the database |
| microsoft.sql/servers/databases/advisors/write | admin | update auto-execute status of an advisor on database level. |
| microsoft.sql/servers/databases/auditrecords/read | metadata | retrieve the database blob audit records |
| microsoft.sql/servers/databases/auditingpolicies/read | metadata | retrieve details of the table auditing policy configured on a given database |
| microsoft.sql/servers/databases/auditingpolicies/write | admin | change the table auditing policy for a given database |
| microsoft.sql/servers/databases/auditingsettings/read | metadata | retrieve details of the blob auditing policy configured on a given database |
| microsoft.sql/servers/databases/auditingsettings/write | admin | change the blob auditing policy for a given database |
| microsoft.sql/servers/databases/automatictuning/read | metadata | returns automatic tuning settings for a database |
| microsoft.sql/servers/databases/automatictuning/write | admin | updates automatic tuning settings for a database and returns updated settings |
| microsoft.sql/servers/databases/azureasyncoperation/read | metadata | gets the status of a database operation. |
| microsoft.sql/servers/databases/backuplongtermretentionpolicies/read | metadata | return the list of backup archival policies of a specified database. |
| microsoft.sql/servers/databases/backuplongtermretentionpolicies/write | admin | create or update a database backup archival policy. |
| microsoft.sql/servers/databases/connectionpolicies/read | metadata | retrieve details of the connection policy configured on a given database |
| microsoft.sql/servers/databases/connectionpolicies/write | admin | change connection policy for a given database |
| microsoft.sql/servers/databases/datamaskingpolicies/read | metadata | return the list of database data masking policies. |
| microsoft.sql/servers/databases/datamaskingpolicies/rules/delete | admin | delete data masking policy rule for a given database |
| microsoft.sql/servers/databases/datamaskingpolicies/rules/read | metadata | retrieve details of the data masking policy rule configured on a given database |
| microsoft.sql/servers/databases/datamaskingpolicies/rules/write | admin | change data masking policy rule for a given database |
| microsoft.sql/servers/databases/datamaskingpolicies/write | admin | change data masking policy for a given database |
| microsoft.sql/servers/databases/datawarehousequeries/datawarehousequerysteps/read | metadata | returns the distributed query step information of data warehouse query for selected step id |
| microsoft.sql/servers/databases/datawarehousequeries/read | metadata | returns the data warehouse distribution query information for selected query id |
| microsoft.sql/servers/databases/datawarehouseuseractivities/read | metadata | retrieves the user activities of a sql data warehouse instance which includes running and suspended queries. |
| microsoft.sql/servers/databases/delete | admin | deletes an existing database. |
| microsoft.sql/servers/databases/export/action | admin | create a new database on the server and deploy schema and data from a dacpac package |
| microsoft.sql/servers/databases/extendedauditingsettings/read | metadata | retrieve details of the extended blob auditing policy configured on a given database. |
| microsoft.sql/servers/databases/extendedauditingsettings/write | admin | change the extended blob auditing policy for a given database. |
| microsoft.sql/servers/databases/extensions/read | metadata | gets a collection of extensions for the database. |
| microsoft.sql/servers/databases/extensions/write | admin | change the extension for a given database |
| microsoft.sql/servers/databases/geobackuppolicies/read | metadata | retrieve geo backup policies for a given database |
| microsoft.sql/servers/databases/geobackuppolicies/write | admin | create or update a database geobackup policy |
| microsoft.sql/servers/databases/importexportoperationresults/read | metadata | gets in-progress import/export operations |
| microsoft.sql/servers/databases/maintenancewindowoptions/read | metadata | gets a list of available maintenance windows for a selected database. |
| microsoft.sql/servers/databases/maintenancewindows/read | metadata | gets maintenance windows settings for a selected database. |
| microsoft.sql/servers/databases/maintenancewindows/write | admin | admins can set maintenance windows settings for a selected database. |
| microsoft.sql/servers/databases/metricdefinitions/read | metadata | return types of metrics that are available for databases |
| microsoft.sql/servers/databases/metrics/read | metadata | return metrics for databases |
| microsoft.sql/servers/databases/move/action | admin | rename azure sql database |
| microsoft.sql/servers/databases/operationresults/read | metadata | gets the status of a database operation. |
| microsoft.sql/servers/databases/operations/cancel/action | admin | cancels azure sql database pending asynchronous operation that is not finished yet. |
| microsoft.sql/servers/databases/operations/read | metadata | return the list of operations performed on the database |
| microsoft.sql/servers/databases/pause/action | admin | admin resume a database |
| microsoft.sql/servers/databases/providers/microsoft.insights/diagnosticsettings/read | metadata | gets the diagnostic setting for the resource |
| microsoft.sql/servers/databases/providers/microsoft.insights/diagnosticsettings/write | admin | creates or updates the diagnostic setting for the resource |
| microsoft.sql/servers/databases/providers/microsoft.insights/logdefinitions/read | metadata | gets the available logs for databases |
| microsoft.sql/servers/databases/providers/microsoft.insights/metricdefinitions/read | metadata | return types of metrics that are available for databases |
| microsoft.sql/servers/databases/querystore/querytexts/read | metadata | returns the collection of query texts that correspond to the specified parameters. |
| microsoft.sql/servers/databases/querystore/read | metadata | returns current values of query store settings for the database. |
| microsoft.sql/servers/databases/querystore/write | admin | updates query store setting for the database |
| microsoft.sql/servers/databases/read | metadata | return the list of databases or gets the properties for the specified database. |
| microsoft.sql/servers/databases/replicationlinks/delete | admin | terminate the replication relationship forcefully and with potential data loss |
| microsoft.sql/servers/databases/replicationlinks/failover/action | admin | failover replication relationship after synchronizing |
| microsoft.sql/servers/databases/replicationlinks/forcefailoverallowdataloss/action | admin | failover immediately with potential data loss making this database into the replication relationship\u0027s primary and making the remote primary into a secondary |
| microsoft.sql/servers/databases/replicationlinks/read | metadata | return details about replication links established for a particular database |
| microsoft.sql/servers/databases/replicationlinks/unlink/action | admin | terminate the replication relationship forcefully or after synchronizing with the partner |
| microsoft.sql/servers/databases/replicationlinks/updatereplicationmode/action | admin | update replication mode for link to synchronous or asynchronous mode |
| microsoft.sql/servers/databases/restorepoints/action | admin | creates a new restore point. |
| microsoft.sql/servers/databases/restorepoints/delete | admin | deletes a restore point for the database. |
| microsoft.sql/servers/databases/restorepoints/read | metadata | returns restore points for the database. |
| microsoft.sql/servers/databases/resume/action | admin | resume a database |
| microsoft.sql/servers/databases/schemas/read | metadata | retrieve list of schemas of a database |
| microsoft.sql/servers/databases/schemas/tables/columns/read | metadata | retrieve list of columns of a table |
| microsoft.sql/servers/databases/schemas/tables/columns/sensitivitylabels/delete | admin | delete the sensitivity label of a given column. |
| microsoft.sql/servers/databases/schemas/tables/columns/sensitivitylabels/read | metadata | get the sensitivity label of a given column. |
| microsoft.sql/servers/databases/schemas/tables/columns/sensitivitylabels/write | admin | create or update the sensitivity label of a given column. |
| microsoft.sql/servers/databases/schemas/tables/read | metadata | retrieve list of tables of a database |
| microsoft.sql/servers/databases/schemas/tables/recommendedindexes/read | metadata | retrieve list of index recommendations on a database |
| microsoft.sql/servers/databases/schemas/tables/recommendedindexes/write | admin | apply index recommendation. |
| microsoft.sql/servers/databases/securityalertpolicies/read | metadata | retrieve details of the threat detection policy configured on a given database |
| microsoft.sql/servers/databases/securityalertpolicies/write | admin | change the threat detection policy for a given database |
| microsoft.sql/servers/databases/securitymetrics/read | metadata | gets a collection of database security metrics |
| microsoft.sql/servers/databases/sensitivitylabels/read | metadata | list sensitivity labels of a given database. |
| microsoft.sql/servers/databases/servicetieradvisors/read | metadata | return suggestion about scaling database up or down based on query execution statistics to improve performance or reduce cost |
| microsoft.sql/servers/databases/skus/read | metadata | gets a collection of skus available for a database. |
| microsoft.sql/servers/databases/syncgroups/cancelsync/action | admin | cancel azure sql sync group synchronization |
| microsoft.sql/servers/databases/syncgroups/delete | admin | deletes an existing sync group. |
| microsoft.sql/servers/databases/syncgroups/hubschemas/read | metadata | return the list of sync hub database schemas |
| microsoft.sql/servers/databases/syncgroups/logs/read | metadata | return the list of sync group logs. |
| microsoft.sql/servers/databases/syncgroups/read | metadata | return the list of sync groups or gets the properties for the specified sync group. |
| microsoft.sql/servers/databases/syncgroups/refreshhubschema/action | admin | refresh azure sql sync hub database schema |
| microsoft.sql/servers/databases/syncgroups/refreshhubschemaoperationresults/read | metadata | retrieve result of the sync hub schema refresh operation |
| microsoft.sql/servers/databases/syncgroups/syncmembers/delete | admin | delete azure sql sync member |
| microsoft.sql/servers/databases/syncgroups/syncmembers/read | metadata | return the list of sync members or gets the properties for the specified sync member. |
| microsoft.sql/servers/databases/syncgroups/syncmembers/refreshschema/action | admin | refresh azure sql sync member database schema |
| microsoft.sql/servers/databases/syncgroups/syncmembers/refreshschemaoperationresults/read | metadata | retrieve result of the sync member schema refresh operation |
| microsoft.sql/servers/databases/syncgroups/syncmembers/schemas/read | metadata | return the list of sync member database schemas |
| microsoft.sql/servers/databases/syncgroups/syncmembers/write | admin | creates a sync member with the specified parameters or update the properties for the specified sync member. |
| microsoft.sql/servers/databases/syncgroups/triggersync/action | admin | trigger azure sql sync group synchronization |
| microsoft.sql/servers/databases/syncgroups/write | admin | creates a sync group with the specified parameters or update the properties for the specified sync group. |
| microsoft.sql/servers/databases/topqueries/querytext/action | readonly | returns the transact-sql text for selected query id. |
| microsoft.sql/servers/databases/topqueries/read | metadata | returns aggregated runtime statistics for selected query in selected time period |
| microsoft.sql/servers/databases/topqueries/statistics/read | metadata | returns aggregated runtime statistics for selected query in selected time period |
| microsoft.sql/servers/databases/transparentdataencryption/operationresults/read | metadata | gets in-progress operations on transparent data encryption |
| microsoft.sql/servers/databases/transparentdataencryption/read | metadata | retrieve status and details of transparent data encryption security feature for a given database |
| microsoft.sql/servers/databases/transparentdataencryption/write | admin | change transparent data encryption state |
| microsoft.sql/servers/databases/upgradedatawarehouse/action | admin | upgrade azure sql datawarehouse database. |
| microsoft.sql/servers/databases/usages/read | metadata | return database maxiumum size that can be reached and current size occupied by data |
| microsoft.sql/servers/databases/vulnerabilityassessmentscans/action | admin | execute vulnerability assessment database scan. |
| microsoft.sql/servers/databases/vulnerabilityassessmentscans/operationresults/read | metadata | retrieve the result of the database vulnerability assessment scan execute operation |
| microsoft.sql/servers/databases/vulnerabilityassessmentsettings/read | metadata | retrieve details of vulnerability assessment policy configured on a given database |
| microsoft.sql/servers/databases/vulnerabilityassessmentsettings/write | admin | change the vulnerability assessment policy for a given database |
| microsoft.sql/servers/databases/vulnerabilityassessments/delete | admin | remove the vulnerability assessment for a given database. |
| microsoft.sql/servers/databases/vulnerabilityassessments/read | metadata | retrieve details of the vulnerability assessment configured on a given database. |
| microsoft.sql/servers/databases/vulnerabilityassessments/rules/baselines/delete | admin | remove the vulnerability assessment rule baseline for a given database. |
| microsoft.sql/servers/databases/vulnerabilityassessments/rules/baselines/read | metadata | get the vulnerability assessment rule baseline for a given database. |
| microsoft.sql/servers/databases/vulnerabilityassessments/rules/baselines/write | admin | change the vulnerability assessment rule baseline for a given database. |
| microsoft.sql/servers/databases/vulnerabilityassessments/scans/export/action | admin | convert an existing scan result to a human readable format. if already exists nothing happens. |
| microsoft.sql/servers/databases/vulnerabilityassessments/scans/initiatescan/action | metadata | users with metadata can execute vulnerability assessment database scan. |
| microsoft.sql/servers/databases/vulnerabilityassessments/scans/read | metadata | return the list of database vulnerability assessment scan records or get the scan record for the specified scan id. |
| microsoft.sql/servers/databases/vulnerabilityassessments/write | admin | change the vulnerability assessment for a given database. |
| microsoft.sql/servers/databases/write | admin | used to perform all write actions on database. this will be taken off on further permission cleaning. |
| microsoft.sql/servers/delete | admin | admins cab delete azure sql server |
| microsoft.sql/servers/disasterrecoveryconfiguration/delete | admin | deletes an existing disaster recovery configurations for a given server |
| microsoft.sql/servers/disasterrecoveryconfiguration/failover/action | admin | failover a disasterrecoveryconfiguration |
| microsoft.sql/servers/disasterrecoveryconfiguration/forcefailoverallowdataloss/action | admin | force failover a disasterrecoveryconfiguration |
| microsoft.sql/servers/disasterrecoveryconfiguration/read | metadata | gets a collection of disaster recovery configurations that include this server |
| microsoft.sql/servers/disasterrecoveryconfiguration/write | admin | set server disaster recovery configuration |
| microsoft.sql/servers/elasticpoolestimates/read | metadata | returns list of elastic pool estimates already created for this server. |
| microsoft.sql/servers/elasticpoolestimates/write | admin | creates new elastic pool estimate for list of databases provided. |
| microsoft.sql/servers/elasticpools/advisors/read | metadata | returns list of advisors available for the elastic pool |
| microsoft.sql/servers/elasticpools/advisors/recommendedactions/read | metadata | returns list of recommended actions of specified advisor for the elastic pool |
| microsoft.sql/servers/elasticpools/advisors/recommendedactions/write | admin | apply the recommended action on the elastic pool |
| microsoft.sql/servers/elasticpools/advisors/write | admin | update auto-execute status of an advisor on elastic pool level. |
| microsoft.sql/servers/elasticpools/databases/read | metadata | retrieve list and details of databases that are part of elastic database pool on a given server |
| microsoft.sql/servers/elasticpools/delete | admin | delete existing elastic database pool |
| microsoft.sql/servers/elasticpools/elasticpoolactivity/read | metadata | retrieve activities and details on a given elastic database pool |
| microsoft.sql/servers/elasticpools/elasticpooldatabaseactivity/read | metadata | retrieve activities and details on a given database that is part of elastic database pool |
| microsoft.sql/servers/elasticpools/metricdefinitions/read | metadata | return types of metrics that are available for elastic database pools |
| microsoft.sql/servers/elasticpools/metrics/read | metadata | return metrics for elastic database pools |
| microsoft.sql/servers/elasticpools/operations/cancel/action | admin | cancels azure sql elastic pool pending asynchronous operation that is not finished yet. |
| microsoft.sql/servers/elasticpools/operations/read | metadata | return the list of operations performed on the elastic pool. |
| microsoft.sql/servers/elasticpools/providers/microsoft.insights/diagnosticsettings/read | metadata | gets the diagnostic setting for the resource. |
| microsoft.sql/servers/elasticpools/providers/microsoft.insights/diagnosticsettings/write | admin | creates or updates the diagnostic setting for the resource. |
| microsoft.sql/servers/elasticpools/providers/microsoft.insights/metricdefinitions/read | metadata | return types of metrics that are available for elastic database pools |
| microsoft.sql/servers/elasticpools/read | metadata | retrieve details of elastic database pool on a given server |
| microsoft.sql/servers/elasticpools/skus/read | metadata | gets a collection of skus available for this elastic pool |
| microsoft.sql/servers/elasticpools/write | admin | create new or update existing elastic database pool |
| microsoft.sql/servers/encryptionprotector/read | metadata | returns a list of server encryption protectors or gets the properties for the specified server encryption protector. |
| microsoft.sql/servers/encryptionprotector/write | admin | update the properties for the specified server encryption protector. |
| microsoft.sql/servers/extendedauditingsettings/read | metadata | retrieve details of the extended server blob auditing policy configured on a given server. |
| microsoft.sql/servers/extendedauditingsettings/write | admin | change the extended server blob auditing for a given server. |
| microsoft.sql/servers/failovergroups/delete | admin | delete azure sql database failover group |
| microsoft.sql/servers/failovergroups/failover/action | admin | executes planned failover in an existing failover group. |
| microsoft.sql/servers/failovergroups/forcefailoverallowdataloss/action | admin | executes forced failover in an existing failover group. |
| microsoft.sql/servers/failovergroups/read | metadata | list/get azure sql database failover group |
| microsoft.sql/servers/failovergroups/write | admin | create/update azure sql database failover group |
| microsoft.sql/servers/firewallrules/delete | admin | deletes an existing server firewall rule. |
| microsoft.sql/servers/firewallrules/read | readonly | list/get server firewall rule(s) |
| microsoft.sql/servers/firewallrules/write | admin | create/update server firewall rule. |
| microsoft.sql/servers/import/action | admin | admin can create new database from dacpac |
| microsoft.sql/servers/importexportoperationresults/read | readonly | get import/export operations |
| microsoft.sql/servers/interfaceendpointprofiles/delete | admin | admins can delete the specified interface endpoint profile. |
| microsoft.sql/servers/interfaceendpointprofiles/read | metadata | |
| microsoft.sql/servers/interfaceendpointprofiles/write | admin | admins can create a network interface with the specified parameters or updates the properties or tags for the specified network interface. |
| microsoft.sql/servers/keys/delete | admin | delete azure sql server key |
| microsoft.sql/servers/keys/read | readonly | list/get azure sql server key(s) |
| microsoft.sql/servers/keys/write | admin | create/update azure sql server keys |
| microsoft.sql/servers/operationresults/read | readonly | get server operations |
| microsoft.sql/servers/providers/microsoft.insights/metricdefinitions/read | metadata | get server metric definitions |
| microsoft.sql/servers/read | metadata | list/get azure sql server(s) |
| microsoft.sql/servers/recommendedelasticpools/databases/read | metadata | get recommended elastic pools databases |
| microsoft.sql/servers/recommendedelasticpools/read | metadata | get recommended elastic database pools |
| microsoft.sql/servers/recoverabledatabases/read | metadata | get the last known database recovery point |
| microsoft.sql/servers/replicationlinks/read | metadata | |
| microsoft.sql/servers/restorabledroppeddatabases/read | metadata | get list of restorable dropped databases |
| microsoft.sql/servers/securityalertpolicies/operationresults/read | readonly | get server threat detection operation results |
| microsoft.sql/servers/securityalertpolicies/read | readonly | get server threat detection policy |
| microsoft.sql/servers/securityalertpolicies/write | admin | update server threat detection policy |
| microsoft.sql/servers/serviceobjectives/read | metadata | get service level objectives |
| microsoft.sql/servers/syncagents/delete | admin | delete azure sql sync agent |
| microsoft.sql/servers/syncagents/generatekey/action | admin | generate azure sql sync agent registration key |
| microsoft.sql/servers/syncagents/linkeddatabases/read | metadata | list azure sql sync agent linked databases |
| microsoft.sql/servers/syncagents/read | metadata | list/get azure sql sync agent(s) |
| microsoft.sql/servers/syncagents/write | admin | create/update azure sql sync agent |
| microsoft.sql/servers/tdecertificates/action | admin | admins can create/update tde certificate for a server. |
| microsoft.sql/servers/usages/read | metadata | get server usage details |
| microsoft.sql/servers/virtualnetworkrules/delete | admin | deletes an existing virtual network rule |
| microsoft.sql/servers/virtualnetworkrules/read | metadata | list/get azure sql server virtual network rule(s) |
| microsoft.sql/servers/virtualnetworkrules/write | admin | creates a virtual network rule with the specified parameters or update the properties or tags for the specified virtual network rule. |
| microsoft.sql/servers/vulnerabilityassessments/delete | admin | |
| microsoft.sql/servers/vulnerabilityassessments/read | metadata | retrieve details of the vulnerability assessment configured on a given server. |
| microsoft.sql/servers/vulnerabilityassessments/write | admin | admins can change the vulnerability assessment for a given server. |
| microsoft.sql/servers/write | admin | admin can create/update azure sql server |
| microsoft.sql/virtualclusters/read | readonly | list/get azure sql virtual cluster(s) |
| microsoft.sql/virtualclusters/write | admin | updates virtual cluster tags. |
| microsoft.storage/storageaccounts/read | metadata | to list the available storage account while provisioning the compute. |