Appearance
Security Object Scripting
Version-control your database security layer alongside the rest of your schema. When enabled, VersionSQL scripts database users, roles, schemas, and security policies into a Security folder in your repository.
Supported Object Types
| Object Type | Folder | Notes |
|---|---|---|
| Database Users | Security\Users\ | Windows logins, SQL users, and contained users |
| Database Roles | Security\Roles\ | Custom roles only; fixed roles (db_owner, etc.) are excluded by default |
| Schemas | Security\Schemas\ | Database-scoped schemas with AUTHORIZATION |
| Security Policies | Security\Policies\ | Row-level security (RLS) policies; requires SSMS 13+ |
System objects (dbo, guest, INFORMATION_SCHEMA, sys) and fixed database roles are excluded automatically.
Enabling Security Objects
Security object scripting in full-database commits is off by default. To enable it:
- Right-click your database → VersionSQL → Connection Settings.
- Open the Advanced tab, Scripting section.
- Check Include security objects in full-database commit.
- Click Save.
This setting controls whether security objects are included when committing an entire database. You can always commit individual security objects by right-clicking them directly in SSMS Object Explorer (e.g., right-click a user → VersionSQL → Commit).
Permissions
VersionSQL can script GRANT, DENY, and REVOKE statements in two ways, controlled by separate checkboxes in the same Scripting section:
Permissions on Security Principals (Default: On)
When Include permissions on security principal scripts is checked, permission statements directed at a user or role are included in that user's or role's script file. For example, a user script might contain both the CREATE USER statement and a GRANT VIEW DEFINITION TO [username] statement.
Permissions on Database Objects (Default: Off)
When Include permissions on object scripts is checked, object-level permission statements (GRANT SELECT ON dbo.MyTable, etc.) are appended to each object's script file.
Role Memberships
Two additional checkboxes control where ALTER ROLE ... ADD MEMBER statements appear:
- Include role memberships on user scripts (default: on) — adds membership statements to each user's script.
- Include role memberships on role scripts (default: off) — adds membership statements to each role's script. When enabled, fixed roles that have members are also included.
Redgate SQL Source Control Compatibility
If your repository was originally created with Redgate SQL Source Control, VersionSQL can detect the RedGate.ssc file and automatically enable compatibility mode for new connections. The preset adjusts several path and scripting options to match Redgate's folder layout, including:
- Enabling permissions on object scripts
- Enabling role memberships on role scripts
- Placing security policies in a top-level
Security Policiesfolder instead ofSecurity\Policies - Adjusting path settings (schema-in-filename, folder pluralization, etc.)
You can also enable these options individually without the full preset.
Folder Structure
The default layout places security objects under a Security subfolder within your database path:
VersionSQL/
server_name/
database_name/
dbo/
Stored Procedures/
Tables/
...
Security/
Users/
MyUser.sql
Roles/
MyRole.sql
Schemas/
MySchema.sql
Policies/
dbo.MyPolicy.sqlWhen Redgate compatibility is enabled, security policies move to a top-level Security Policies folder instead.
Configure
Connection Settings → Advanced → Scripting
| Setting | Default | Description |
|---|---|---|
| Include security objects | Off | Master toggle for security object scripting |
| Permissions on principal scripts | On | GRANT/DENY/REVOKE statements on user and role scripts |
| Permissions on object scripts | Off | Object-level permissions appended to each object's script (Redgate compat.) |
| Role memberships on user scripts | On | ALTER ROLE ... ADD MEMBER on user scripts |
| Role memberships on role scripts | Off | ALTER ROLE ... ADD MEMBER on role scripts (Redgate compat.) |
| Security policies top-level folder | Off | Place policies in Security Policies\ instead of Security\Policies\ (Redgate compat.) |