By default both read-write and read-intent access are allowed to the primary replica and no connections are allowed to secondary replicas of an Always On availability group.
Permissions
| Task | Permissions |
|---|---|
| To configure replicas when creating an availability group | Requires membership in the sysadmin fixed server role and either CREATE AVAILABILITY GROUP server permission, ALTER ANY AVAILABILITY GROUP permission, or CONTROL SERVER permission. |
| To modify an availability replica | Requires ALTER AVAILABILITY GROUP permission on the availability group, CONTROL AVAILABILITY GROUP permission, ALTER ANY AVAILABILITY GROUP permission, or CONTROL SERVER permission. |
Configuration
For the secondary role, select a new value from the Readable secondary drop list, as follows:
- No
- No user connections are allowed to secondary databases of this replica. They are not available for read access. This is the default setting.
- Read-intent only
- Only read-only connections are allowed to secondary databases of this replica. The secondary database(s) are all available for read access.
- Yes
- All connections are allowed to secondary databases of this replica, but only for read access. The secondary database(s) are all available for read access.
For the primary role, select a new value from the Connections in primary role drop list, as follows:
- Allow all connections
- All connections are allowed to the databases in the primary replica. This is the default setting.
- Allow read/write connections
- When the Application Intent property is set to ReadWrite or the Application Intent connection property is not set, the connection is allowed. Connections where the Application Intent connection property is set to ReadOnly are not allowed. This can help prevent customers from connecting a read-intent work load to the primary replica by mistake.
Sources:
Comments