Actually, I'm already using a Server Group (which uses external servers) on that page (Management > Administration) that sets the Default Role for anyone who's able to authenticate using this server group to "root". I'm afraid if I make the controller's internal database part of this server group, the current guest users in the internal database will gain "root" access!
How's this for an idea: I add the guest management accounts in the external servers linked with the Server Group that I'm currently using and then use "Server Rules" on this page to give these specific users a role of "guest-provisioning"? That should work, right?