Author | Ben Miller (@DBAduck) |
Availability | Windows, Linux, macOS |
Adds database users or roles as members to database roles across SQL Server instances
Manages database security by adding users or roles as members to database roles, automating what would otherwise require manual T-SQL commands or SQL Server Management Studio clicks. This function handles membership validation to ensure the user or role exists in the database before attempting to add them, and checks existing membership to prevent duplicate assignments. You can add multiple users to multiple roles across multiple databases and instances in a single operation, making it ideal for bulk security configuration or automated permission management workflows.
Add-DbaDbRoleMember
[[-SqlInstance] <DbaInstanceParameter[]>]
[[-SqlCredential] <PSCredential>]
[[-Database] <String[]>]
[[-Role] <String[]>]
[-Member] <String[]>
[[-InputObject] <Object[]>]
[-EnableException]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
PS C:\> Add-DbaDbRoleMember -SqlInstance localhost -Database mydb -Role db_owner -Member user1
Adds user1 to the role db_owner in the database mydb on the local default SQL Server instance
PS C:\> Add-DbaDbRoleMember -SqlInstance localhost, sql2016 -Role SqlAgentOperatorRole -Member user1 -Database msdb
Adds user1 to the SqlAgentOperatorRole role in the msdb database on the servers localhost and sql2016
PS C:\> $servers = Get-Content C:\servers.txt
PS C:\> $servers | Add-DbaDbRoleMember -Role SqlAgentOperatorRole -Member user1 -Database msdb
Adds user1 to the SqlAgentOperatorRole role in the msdb database on every server listed in C:\servers.txt
PS C:\> Add-DbaDbRoleMember -SqlInstance localhost -Role "db_datareader","db_datawriter" -Member user1 -Database DEMODB
Adds user1 in the database DEMODB on the server localhost to the roles db_datareader and db_datawriter
PS C:\> $roles = Get-DbaDbRole -SqlInstance localhost -Role "db_datareader","db_datawriter" -Database DEMODB
PS C:\> $roles | Add-DbaDbRoleMember -Member user1
Adds user1 in the database DEMODB on the server localhost to the roles db_datareader and db_datawriter
-Member
Specifies the database user(s) or role(s) to add as members to the target roles. Can be individual users, Windows groups, or other database roles.
The function validates that each member exists in the database before attempting to add them, preventing errors from typos or missing objects.
Alias | User |
Required | True |
Pipeline | false |
Default Value |
-SqlInstance
The target SQL Server instance or instances. This can be a collection and receive pipeline input to allow the function to be executed against multiple SQL Server instances.
Alias | |
Required | False |
Pipeline | true (ByValue) |
Default Value |
-SqlCredential
Login to the target instance using alternative credentials. Accepts PowerShell credentials (Get-Credential).
Windows Authentication, SQL Server Authentication, Active Directory - Password, and Active Directory - Integrated are all supported.
For MFA support, please use Connect-DbaInstance.
Alias | |
Required | False |
Pipeline | false |
Default Value |
-Database
Specifies which databases to process for role membership changes. Accepts multiple database names and supports wildcards.
When omitted, the function processes all databases on the target instances, making it useful for organization-wide security standardization.
Alias | |
Required | False |
Pipeline | false |
Default Value |
-Role
Specifies the database role(s) to add members to. Accepts multiple role names including built-in roles like db_datareader, db_datawriter, db_owner, or custom database roles.
Use this when you need to grant specific database permissions by adding users or roles to appropriate database roles.
Alias | |
Required | False |
Pipeline | false |
Default Value |
-InputObject
Accepts piped input from Get-DbaDbRole, Get-DbaDatabase, or SQL Server instances for streamlined workflows.
Use this when chaining commands together, such as filtering specific roles first then adding members to those filtered results.
Alias | |
Required | False |
Pipeline | true (ByValue) |
Default Value |
-EnableException
By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this "nice by default" feature off and enables you to catch exceptions with your own try/catch.
Alias | |
Required | False |
Pipeline | false |
Default Value | False |
-WhatIf
Shows what would happen if the command were to run. No actions are actually performed.
Alias | wi |
Required | False |
Pipeline | false |
Default Value |
-Confirm
Prompts you for confirmation before executing any changing operations within the command.
Alias | cf |
Required | False |
Pipeline | false |
Default Value |
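A scoped, auditable way to combine the parameters above, as an added example that is not part of the dbatools documentation: it keeps -Database explicit, previews with -WhatIf, applies with -EnableException inside try/catch, then checks the resulting membership. The instance, database, role and user names are constructed sample values; Get-DbaDbRoleMember is a separate dbatools command not documented on this page, and its UserName and MemberRole output properties are assumed here.

```powershell
# Constructed sample input: one entry per intended grant (placeholder names).
$instance = 'localhost'
$grants = @(
    [pscustomobject]@{ Database = 'DEMODB'; Role = 'db_datareader'; Member = 'user1' }
    [pscustomobject]@{ Database = 'DEMODB'; Role = 'db_datawriter'; Member = 'user1' }
)

foreach ($g in $grants) {
    # Omitting -Database processes every database and wildcards are accepted,
    # so require an explicit, literal database name for each grant.
    if ([string]::IsNullOrWhiteSpace($g.Database) -or $g.Database -match '[*?]') {
        Write-Warning "Skipped $($g.Member) -> $($g.Role): database scope is not explicit"
        continue
    }

    $params = @{
        SqlInstance     = $instance
        Database        = $g.Database
        Role            = $g.Role
        Member          = $g.Member
        EnableException = $true   # surface failures as terminating errors
    }

    try {
        # Preview only: reports what would change without performing it.
        Add-DbaDbRoleMember @params -WhatIf
        # Apply; -Confirm:$false suppresses the prompt for unattended runs.
        Add-DbaDbRoleMember @params -Confirm:$false
    }
    catch {
        Write-Error "Grant failed for $($g.Member) -> $($g.Role) in $($g.Database): $_"
        continue
    }

    # Verify the membership now exists (member may be a user or a role).
    $found = Get-DbaDbRoleMember -SqlInstance $instance -Database $g.Database -Role $g.Role |
        Where-Object { $_.UserName -eq $g.Member -or $_.MemberRole -eq $g.Member }

    [pscustomobject]@{
        Database = $g.Database
        Role     = $g.Role
        Member   = $g.Member
        Verified = [bool]$found
    }
}
```

The emitted objects can be written to a log or change ticket as a record of which grants were applied and verified.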