
The public role

A common misunderstanding is that the CONNECT permission lets you do more than just connect to a database. It doesn’t. Connection only. So how come there are some things that everyone can do once they are connected to a database? Well, it’s the public role. Everyone is a member and that can’t be changed. In fact, you can’t even disable it. Oh, and I should point out that every database has one.

So what does that mean? If you have a table that you want everyone to have read access to, you could grant the permission to public.

-- Create test login.
CREATE LOGIN Public_Only WITH PASSWORD = 'Public_Only';
USE Test;
-- Create a test table and grant read access to the public role.
CREATE TABLE Public_Read (Col1 INT);
INSERT INTO Public_Read VALUES (1), (2), (3);
GRANT SELECT ON Public_Read TO public;

-- Create test user.
CREATE USER Public_Only FROM LOGIN Public_Only;
-- Confirm that the user only has CONNECT permissions to the 
-- database Test.
EXEC sp_DBPermissions 'Test','Public_Only', @Output = 'Report';

-- Login as Public_Only user
USE Test;
SELECT * FROM Public_Read;

And there you go. A user with only connect access can read from the table. You can, of course, do the exact opposite and DENY read to a table. That would make it so that only the database owner (dbo, not members of the db_owner role), sa, and members of the sysadmin role would be able to read from the table.

This type of technique can be particularly handy if you are building a logging table of some type that you want everyone to have write access to regardless of their other permissions. You do want to be careful though because, again, anything you do affects everyone.
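
Because anything granted or denied to public applies to every user in the database, it is worth reviewing what the role currently holds. The query below is an added example, not part of the original post; it reads the standard catalog views and uses the Test database from the demo above.

```sql
-- Added example (not from the original post): list every permission that has
-- been explicitly granted or denied to the public role in the current database.
USE Test;  -- database name taken from the demo above

SELECT
    pe.class_desc                          AS securable_class,
    CASE pe.class
        WHEN 0 THEN QUOTENAME(DB_NAME())                    -- database-level
        WHEN 1 THEN QUOTENAME(OBJECT_SCHEMA_NAME(pe.major_id))
                    + N'.' + QUOTENAME(OBJECT_NAME(pe.major_id))
        WHEN 3 THEN QUOTENAME(SCHEMA_NAME(pe.major_id))     -- schema-level
        ELSE CONVERT(nvarchar(20), pe.major_id)             -- other securable classes
    END                                    AS securable,
    CASE WHEN pe.class = 1 AND pe.minor_id > 0
         THEN COL_NAME(pe.major_id, pe.minor_id)
    END                                    AS column_name,  -- NULL unless column-level
    pe.permission_name,
    pe.state_desc,                         -- GRANT, GRANT_WITH_GRANT_OPTION or DENY
    USER_NAME(pe.grantor_principal_id)     AS granted_by
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
      ON pr.principal_id = pe.grantee_principal_id
LEFT JOIN sys.all_objects     AS o
      ON pe.class = 1
     AND o.object_id = pe.major_id
WHERE pr.name = N'public'
  -- Hide the permissions SQL Server itself gives public on system objects,
  -- so only the grants and denies someone added remain.
  AND (pe.class <> 1 OR o.is_ms_shipped = 0)
ORDER BY pe.class, securable, pe.permission_name;

-- To withdraw the grant made in the demo above:
-- REVOKE SELECT ON Public_Read FROM public;
```

After running the demo script, the result should include a row showing SELECT on Public_Read with a state of GRANT.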


My name is Kenneth Fisher and I am Senior DBA for a large (multi-national) insurance company. I have been working with databases for over 20 years starting with Clarion and Foxpro. I’ve been working with SQL Server for 12 years but have only really started “studying” the subject for the last 3. I don’t have any real "specialities" but I enjoy troubleshooting and teaching. Thus far I’ve earned my MCITP Database Administrator 2008, MCTS Database Administrator 2005, and MCTS Database Developer 2008. I’m currently studying for my MCITP Database Developer 2008 and should start in on the 2012 exams next year. My blog is at www.sqlstudies.com.

