Update alter-database-transact-sql-set-options.md

[sommarskog]

Changed the required permission for DB_CHAINING based on observation:

USE master
go
CREATE LOGIN alteranydb WITH PASSWORD = '))"?`?323Jdk' GRANT ALTER ANY DATABASE TO alteranydb
go
CREATE DATABASE chainer
ALTER AUTHORIZATION ON DATABASE::chainer TO sa
go
EXECUTE AS LOGIN = 'alteranydb'
go
ALTER DATABASE chainer SET DB_CHAINING ON
go
REVERT
go
DROP LOGIN alteranydb
DROP DATABASE chainer

Also modified the language as such. It sounds funny to talk about a server permission "on the database".

[prmerger-automator]

@sommarskog : Thanks for your contribution! The author(s) and reviewer(s) have been notified to review your proposed change.

[learn-build-service-prod]

Learn Build status updates of commit cb07487:

✅ Validation status: passed

File	Status	Preview URL	Details
docs/t-sql/statements/alter-database-transact-sql-set-options.md	✅Succeeded

For more details, please refer to the build report.

[v-dirichards]

@markingmyname

Can you review the proposed changes?

Important: When the changes are ready for publication, adding a #sign-off comment is the best way to signal that the PR is ready for the review team to merge.

#label:"aq-pr-triaged"
@MicrosoftDocs/public-repo-pr-review-team

[Copilot]

Pull request overview

This PR updates the ALTER DATABASE ... SET DB_CHAINING documentation to reflect a different required permission and adjusts the wording to avoid implying a server permission is granted “on the database.”

Changes:

• Updated the stated permission required to set DB_CHAINING.
• Reworded the permission statement to refer to server-level permissions.

[learn-build-service-prod]

Learn Build status updates of commit 2079e40:

✅ Validation status: passed

File	Status	Preview URL	Details
docs/t-sql/statements/alter-database-transact-sql-set-options.md	✅Succeeded

For more details, please refer to the build report.

[sommarskog]

Copilot makes a point about CREATE DATABASE and notes an inconsistency. Turns out that there is an inconsistency not only in the documentation, but also in reality. When you are creating a database, you need no particular permission to enable DB_CHAINING:

USE master
go
CREATE LOGIN munter WITH PASSWORD = '))"?`?323Jdk'
ALTER SERVER ROLE dbcreator ADD MEMBER munter
go
EXECUTE AS LOGIN = 'munter'
go
CREATE DATABASE munter WITH TRUSTWORTHY ON, DB_CHAINING ON
go
REVERT
go
SELECT * FROM sys.databases
DROP DATABASE munter
DROP LOGIN munter

So this paragraph in CREATE DATABASE should be removed:

To set this option, requires membership in the sysadmin fixed server role. The DB_CHAINING option can't be set on these system databases: master, model, tempdb.

The second sentence should be removed, since it does not apply to CREATE DATABASE.

You may also note that TRUSTWORTHY also works here, whereas ALTER DATABASE SET TRUSTWORTHY requires CONTROL SERVER. But this agrees with the documentation for CREATE DATABASE which does not say anything about permissions. However, this paragraph is out of place for CREATE:

By default, all system databases except the msdb database have TRUSTWORTHY set to OFF. The value can't be changed for the model and tempdb databases. We recommend that you never set the TRUSTWORTHY option to ON for the master database

I don't really know how to get a different topic into an existing pull request, but maybe someone else can pick up?

(Note: This got me a little scared, until I remembered that for TRUSTWORTHY to be dangerous, the database owner also needs to have AUTHENTICATE SERVER.)

[rwestMSFT]

@sommarskog Thanks, that's definitely worth investigating internally. I'll chat to @uc-msft.

[rwestMSFT]

#reassign:rwestMSFT