Each user in a database can be in one or more roles.
can perform all configuration and maintenance activities on the database, and can also drop the database.
db_securityadmin can modify role membership and manage permissions. Adding principals to this role could enable unintended privilege escalation.
can add or remove access to the database for Windows logins, Windows groups, and SQL Server logins.
can back up the database.
can run any Data Definition Language (DDL) command in a database.
can add, delete, or change data in all user tables.
can read all data from all user tables.
cannot add, modify, or delete any data in the user tables within a database.
cannot read any data in the user tables within a database.
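Because membership in db_securityadmin can lead to unintended privilege escalation, it helps to review who holds each fixed role, including principals that inherit it through a nested role. The T-SQL query below is an added example, not part of the original page. It assumes it is run inside the database under review and uses the catalog views `sys.database_role_members` and `sys.database_principals`.

```sql
-- Added example: list direct and inherited members of every fixed
-- database role, with db_securityadmin sorted first for review.
WITH role_tree AS (
    -- Anchor: direct members of each fixed database role.
    SELECT r.name AS fixed_role,
           rm.member_principal_id,
           CAST(r.name COLLATE DATABASE_DEFAULT AS nvarchar(4000)) AS via_path,
           1 AS depth
    FROM sys.database_role_members AS rm
    JOIN sys.database_principals AS r
      ON r.principal_id = rm.role_principal_id
    WHERE r.is_fixed_role = 1

    UNION ALL

    -- Recursive step: when a member is itself a role (type 'R'),
    -- its members inherit the fixed role as well.
    SELECT t.fixed_role,
           rm.member_principal_id,
           CAST(t.via_path + N' <- ' + p.name COLLATE DATABASE_DEFAULT
                AS nvarchar(4000)),
           t.depth + 1
    FROM role_tree AS t
    JOIN sys.database_principals AS p
      ON p.principal_id = t.member_principal_id
     AND p.type = 'R'
    JOIN sys.database_role_members AS rm
      ON rm.role_principal_id = p.principal_id
)
SELECT t.fixed_role,
       m.name      AS member_name,
       m.type_desc AS member_type,   -- SQL_USER, WINDOWS_GROUP, DATABASE_ROLE, ...
       t.via_path,                   -- chain of roles granting the membership
       t.depth                       -- 1 = direct member, >1 = inherited
FROM role_tree AS t
JOIN sys.database_principals AS m
  ON m.principal_id = t.member_principal_id
ORDER BY CASE WHEN t.fixed_role = N'db_securityadmin' THEN 0 ELSE 1 END,
         t.fixed_role, t.depth, m.name;
```

Rows with `depth` greater than 1 are the ones most often missed in a review, since the principal never appears as a direct member of the fixed role.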