Database-level role names
Members of the db_accessadmin fixed database role can add or remove access to the database for Windows logins, Windows groups, and SQL Server logins.
Members of the db_backupoperator fixed database role can back up the database.
Members of the db_datareader fixed database role can read all data from all user tables.
Members of the db_datawriter fixed database role can add, delete, or change data in all user tables.
Members of the db_ddladmin fixed database role can run any Data Definition Language (DDL) command in a database.
Members of the db_denydatareader fixed database role cannot read any data in the user tables within a database.
Members of the db_denydatawriter fixed database role cannot add, modify, or delete any data in the user tables within a database.
Members of the db_owner fixed database role can perform all configuration and maintenance activities on the database, and can also drop the database.
Members of the db_securityadmin fixed database role can modify role membership and manage permissions. Adding principals to this role could enable unintended privilege escalation.
In theory, a user who can do nearly everything but modify access and security permissions: