3.11 Ensure the public role in the msdb database is not granted access to SQL Agent proxies

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version


The public database role contains every user in the msdb database. SQL Agent proxies define a security context in which a job step can run.


Granting access to SQL Agent proxies for the public role would allow all users to utilize the proxy which may have high privileges. This would likely break the principle of least privileges.


Before revoking the public role from the proxy, ensure that alternative logins or appropriate user-defined database roles have been added with equivalent permissions. Otherwise, SQL Agent job steps dependent upon this access will fail.


Ensure the required security principals are explicitly granted access to the proxy (use sp_grant_login_to_proxy).

Revoke access to the <proxyname> from the public role.

USE [msdb]
EXEC dbo.sp_revoke_login_from_proxy @name = N'public', @proxy_name = N'<proxyname>';

Default Value:

By default, the msdb public database role does not have access to any proxy.

See Also