Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Applies to: 
SQL Server
Azure SQL Managed Instance
Most Service Broker applications that involve more than one instance run in the security context of a database principal created specifically for the application. These database principals should have the minimum permissions required to accomplish the tasks that the application performs.
The following considerations apply to database principals created for Service Broker applications:
Service Broker remote authorization applies when a remote Service Broker application connects to SQL Server and delivers a message to the instance. The database principal specified for remote authorization must have
CONNECTpermission in the database that hosts the initiating service and must haveSENDpermission for the initiating service itself. The user must own the certificate used for authentication. There are no requirements for the user to own other objects, to have other permissions, or to be able to log in with any other mechanism.For a database principal to begin a conversation, that principal must have
RECEIVEpermissions on the queue for the initiating service.The database principal that owns the initiating service must have
SENDpermissions on the target service.For a database principal to send messages to a service, that principal must have
SENDpermissions on the service. For services hosted in a different instance, Service Broker dialog security determines the database principal in the remote instance. For more information, see Service Broker dialog security. Service Broker doesn't consider membership in Windows roles when checkingSENDpermissions.The user specified as the user for an activation stored procedure must have permission to execute the procedure. Frequently, the user specified has the permissions required to execute the statements in the procedure. However, if the stored procedure itself is defined with an
EXECUTE ASclause, the statements in the stored procedure run with the security context defined by the stored procedure. SQL Server first sets the security context to the user specified for the queue. SQL Server then executes the stored procedure and the stored procedure changes the security context to the user specified for the procedure.When Service Broker transport security uses SSPI, the service account for the remote database must have
CONNECTpermission inmaster, and must also correspond to a login. Therefore, the account that the remote SQL Server instance runs as must have permission to sign in to SQL Server using Windows Authentication. There are no requirements for the sign in to have other permissions or to own objects in any database.