Guest role

hvdhoevenhvdhoeven Member Posts: 99
edited 2008-03-21 in SQL General
I can remember that I've read that it is advised to use the SQL guest role for regular NAV users.

Now I read something completely different:

"The guest User Account

After a user has been authenticated and allowed to log in to an instance of SQL Server, a separate user account must exist in each database the user has to access. Requiring a user account in each database prevents users from connecting to an instance of SQL Server and accessing all the databases on a server. The existence of a guest user account in the database circumvents this requirement by allowing a login without a database user account to access a database.

The guest account is a built-in account in all versions of SQL Server. By default, it is disabled in new databases. If it is enabled, you can disable it by revoking its CONNECT permission by executing the Transact-SQL REVOKE CONNECT FROM GUEST statement. In SQL Server 2000 you can disable it by executing the Transact-SQL sp_dropuser or sp_revokedbaccess system stored procedures.

Security Note:
Avoid using the guest account; all logins without their own database permissions obtain the database permissions granted to this account. If you must use the guest account, grant it minimum permissions."

My organisation is an University of applied science and we would like our students to work with NAV to understand the concepts of ERP. We would like to give the students access to the SQL Server with a NAV SQL Client, that is installed on the students notebook. Our present idea is that the guest role is a safe solution: this user has very limited rights. In the text above you can read the opposite (or do I misunderstand this text? :? ).
We're planning to use SQL Server 2005 (not 2000).

Can you give me your opinion on this matter?

Comments

  • DenSterDenSter Member Posts: 8,307
    NAV connects to SQL Server using an Application Role, and ALL permissions should be managed from within the NAV client. The only role that any NAV users should have to have is the public role, and db_owner if the user needs to be able to make design changes.

    You can experiment what you want with roles and permissions, and use whatever you think is correct, but the recommended way to set up users in NAV on SQL Server (2005 or 2000, doesn't make a difference for NAV) is to assign the users on SQL Server to the public role, and take care of permissions within the NAV client. Set your NAV database up with 'standard' security model, and those users won't even be able to connect directly to SQL Server, unless you give them that right directly on SQL Server.

    I don't know who told you that it is recommended to use the guest role for regular NAV users, but that is not correct. The guest role, as it states in BOL, comes with those security issues that you will want to avoid. The safest way to manage authentication and permissions is to assign each user with their own used ID. It takes more effort the more users there are, but it will be much easier to manage.
  • ara3nara3n Member Posts: 9,256
    I see so many question related to this. Maybe we should create a FAQ section and have the answers for people to direct to?
    Ahmed Rashed Amini
    Independent Consultant/Developer


    blog: https://dynamicsuser.net/nav/b/ara3n
Sign In or Register to comment.