Be our guest, be our guest, put our database to the test.

3

June 25, 2018 by Kenneth Fisher

When I think of the public role I often think of the guest database principal (user) at the same time. They aren’t really the same though. For one thing while you can’t remove either one, you can disable the guest and in fact for user databases this is recommended.

Best Practice

Let me stop here and emphasise this. Disabling guest in the user databases is recommended. Not the system databases. Guest is used for a number of things in master, msdb and tempdb. model I’m not so sure about since while this is the template for new user databases, it’s also the template for tempdb so it could cause problems, I’m just not sure.

How do you disable guest

Simply enough you remove the CONNECT permission.

REVOKE CONNECT FROM guest;
What is guest?

So what exactly is guest? It’s the default user. If you don’t have a database principal in a given database you can still connect using guest. Once there you have any permissions granted to guest, public, and any other AD groups you may belong to. Note: Even though they don’t have CONNECT (meaning you can’t connect to the database) you can still belong to an AD group with other permissions in the database. In fact that AD group could be an orphan (no associated server-level principal) and you’ll still be able to use its permissions.

Interesting point here, guest is only if you don’t have another user in the database. As soon as you have another user you no longer have access to any permissions associated with guest.

Demos

Generally using guest

-- Make sure guest is enabled.
GRANT CONNECT TO guest;
-- Grant read access to guest to make this a bit more obvious
ALTER ROLE db_datareader ADD MEMBER guest;
GO
-- Confirm that SQLTest doesn't have permissions.
exec sp_DBPermissions 'Test', 'SQLTest';

USE master;
GO
-- You have to impersonate as the login, not the user.
-- The user doesn't exist.
EXECUTE AS LOGIN = 'SQLTest';
GO
USE Test;
GO
SELECT * FROM sys.user_token;
GO

If you have a user you aren’t a guest.

exec sp_DBPermissions 'Test', 'Kenneth_Test', @UseLikeSearch=0;

USE Test;
GO
-- I can execute as the user this time because the user exists
EXECUTE AS USER = 'Kenneth_Test';
GO
SELECT * FROM sys.user_token;
GO

Uses

So when might you use guest? Well, similar to when you might use public. When you want everyone to be able to connect to a database. For example an audit database or something.

3 thoughts on “Be our guest, be our guest, put our database to the test.

  1. Toby Ovod-Everett says:

    Enabling CONNECT for the guest user can be useful when using cross-database chaining – see https://www.mssqltips.com/sqlservertip/1782/understanding-cross-database-ownership-chaining-in-sql-server/ for more information on this scenario.

  2. Poornima says:

    Good post Ken. We are all used to disabling guest in user databases all the time.. But good to know the uses. I wonder if some third party applications are utilizing this feature to get user access. Not the recommended choice by DBAs. Interesting feature for sure.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Enter your email address to follow this blog and receive notifications of new posts by email.

Join 2,469 other followers

Follow me on Twitter

ToadWorld Pro of the Month November 2013
%d bloggers like this: