How to create a login, a user, and grant permissions in SQL Server (GRANT)
Access in SQL Server has two levels: the login lives on the server and the user lives in the database. Here you create both and grant least-privilege permissions.
- 1
Create the login at the server level
It can be SQL authentication (with a password) or Windows/Azure AD. Prefer integrated authentication whenever possible.
-- Autenticacion SQL CREATE LOGIN [app_user] WITH PASSWORD = N'UnaClaveFuerte#2026', CHECK_POLICY = ON; -- Autenticacion de Windows -- CREATE LOGIN [DOMINIO\usuario] FROM WINDOWS; - 2
Create the user inside the database
The user maps the login into a specific database. Without this step, the login cannot touch the database.
USE [MiBase]; GO CREATE USER [app_user] FOR LOGIN [app_user]; - 3
Grant least-privilege permissions (principle of least privilege)
Grant only what is needed. Avoid adding to db_owner for convenience. GRANT on objects or schemas is safer than broad roles.
-- Permisos de lectura/escritura por rol ALTER ROLE db_datareader ADD MEMBER [app_user]; ALTER ROLE db_datawriter ADD MEMBER [app_user]; -- O permisos granulares GRANT SELECT, INSERT, UPDATE ON SCHEMA::dbo TO [app_user]; GRANT EXECUTE ON OBJECT::dbo.usp_MiProc TO [app_user]; - 4
Verify the granted permissions
Query the user's effective permissions to confirm everything ended up the way you expected.
SELECT dp.name AS principal, p.permission_name, p.state_desc FROM sys.database_permissions p JOIN sys.database_principals dp ON p.grantee_principal_id = dp.principal_id WHERE dp.name = 'app_user';
// common mistake
A user with no mapped login becomes 'orphaned' after restoring on another server. Fix it with ALTER USER [app_user] WITH LOGIN = [app_user]. Never use the sa account for applications and never grant db_owner by default: it is the number-one cause of privilege escalation.
// when it's worth an expert
If you handle many accounts, audits, or compliance (PCI, ISO), defining a clean permission model is delicate. At dba.mx we design least-privilege security schemes with auditing, at a fixed price.
Book an assessment — from USD $550This guide is for reference and uses example commands. In production, adapt to your version and test in a safe environment first.