The public role

Kenneth Fisher, 2018-05-23

A common misunderstanding is that the CONNECT permission lets you do more than just connect to a database. It doesn’t. Connection only. So how come there are some things that everyone can do once they are connected to a database? Well, it’s the public role. Everyone is a member and that can’t be changed. In fact, you can’t even disable it. Oh, and I should point out that every database has one.

So what does that mean? If you have a table that you want everyone to have read access to, you could grant the permission to public.

-- Create test login.
CREATE LOGIN Public_Only WITH PASSWORD = 'Public_Only', 
	CHECK_POLICY = OFF;
USE Test;
-- Create a test table and grant read access to the public role.
CREATE TABLE Public_Read (Col1 INT);
INSERT INTO Public_Read VALUES (1), (2), (3);
GRANT SELECT ON Public_Read TO public;
-- Create test user.
CREATE USER Public_Only FROM LOGIN Public_Only;
-- Confirm that the user only has CONNECT permissions to the 
-- database Test.
EXEC sp_DBPermissions 'Test','Public_Only', @Output = 'Report';

-- Log in as the Public_Only user.
USE Test;
SELECT * FROM Public_Read;

And there you go. A user with only connect access can read from the table. You can, of course, do the exact opposite and DENY read to a table. That would make it so that only the database owner (dbo, not members of the db_owner role), sa, and members of the sysadmin role would be able to read from the table.

This type of technique can be particularly handy if you are building a logging table of some type that you want everyone to have write access to regardless of their other permissions. You do want to be careful though because, again, anything you do affects everyone.
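The logging-table idea above, sketched as an added example (not code from the original post), followed by an audit query that lists everything granted or denied to public on user objects. The table dbo.App_Log and its columns are hypothetical; the script assumes the Test database and the Public_Only user created earlier, and is run by a privileged user.

```sql
USE Test;

-- Hypothetical logging table: everyone may add rows through public,
-- but public gets no read access.
CREATE TABLE dbo.App_Log (
    Log_Id    INT IDENTITY(1,1) PRIMARY KEY,
    Logged_At DATETIME2      NOT NULL DEFAULT SYSUTCDATETIME(),
    Logged_By SYSNAME        NOT NULL DEFAULT ORIGINAL_LOGIN(),
    Msg       NVARCHAR(4000) NOT NULL
);
GRANT INSERT ON dbo.App_Log TO public;

-- Check the effective permissions as the connect-only user.
EXECUTE AS USER = 'Public_Only';
INSERT INTO dbo.App_Log (Msg) VALUES (N'written via public');
SELECT HAS_PERMS_BY_NAME('dbo.App_Log', 'OBJECT', 'INSERT') AS can_insert,
       HAS_PERMS_BY_NAME('dbo.App_Log', 'OBJECT', 'SELECT') AS can_select;
REVERT;

-- Audit: every permission explicitly granted or denied to public
-- on user objects in this database. Because these apply to every user,
-- review the list whenever a new table is exposed this way.
SELECT pr.name                  AS principal_name,
       pe.state_desc,           -- GRANT, DENY, GRANT_WITH_GRANT_OPTION
       pe.permission_name,
       SCHEMA_NAME(o.schema_id) AS schema_nm,
       o.name                   AS object_nm,
       o.type_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
     ON pr.principal_id = pe.grantee_principal_id
JOIN sys.objects              AS o
     ON o.object_id = pe.major_id
WHERE pr.name = N'public'
  AND pe.class = 1              -- object- or column-level permissions
  AND o.is_ms_shipped = 0       -- skip system objects
ORDER BY schema_nm, object_nm, pe.permission_name;
```

With no other grants in place, the permission check returns can_insert = 1 and can_select = 0, and the audit query returns the SELECT grant on Public_Read plus the INSERT grant on App_Log.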
