You are here:
Geodatabases and ArcSDE
>
Administering ArcSDE geodatabases
>
Creating and administering user accounts
This topic contains the following information. Use the links below to navigate to the sections in which you are interested.
What are user permissions?
A user's permissions determine what he or she is authorized to do with the data and the geodatabase and should be assigned based on the type of work the person does within the organization. Is the user involved with administration of the geodatabase? Does the user need to edit or create data? Would the user only need to query the data?
Users or groups of users are given permissions that affect what they can do in the geodatabase. Some users can only connect to the geodatabase. These are read-only users. Other users can connect to the geodatabase and create datasets. Others can connect to the database and edit datasets but not create or delete them. Some can perform administrative tasks, such as creating backup files or performing a compress operation.
Top of page
Types of users based on permissions
Common categories or groups of geodatabase users are
- Data viewers (read-only users)
- Data editors (read/write users)
- Data creators (read/write users with privileges in the database that allow them to create database objects)
- Geodatabase and/or database instance administrators
If you are using ArcSDE Personal or Workgroup geodatabases, all users added to the database server who have access to data will fall into one of these groups. They are described in the "ArcSDE Personal and Workgroup geodatabase permissions" section below.
For ArcSDE Enterprise geodatabases, these groupings are not mandatory, but many organizations find their workflows usually include these categories of users. The section below, "ArcSDE Enterprise geodatabase permissions" describes the permissions needed for data viewers, editors, and creators.
Top of page
Types of permissions
User permissions are set for the database itself and for the datasets in the database.
- Database permissions
These permissions determine what a user or group of users can do in or to the geodatabase; for example, whether users can create new datasets or administer the geodatabase.
- Version permissions
Permissions can also be set to control user access to a geodatabase version. This is a special type of database permission that is not set through the DBMS. Instead, when a new geodatabase version is created, the creator of the version decides what type of access other users will have to the version. If the version is created as Public, all users can access and modify it. If it is created as a Private version, only the creator of the version can access it. If the version is Protected, other users can view the version but only the creator can modify it.
See Creating versions and setting permissions for more information on setting permissions to geodatabase versions.
- Dataset permissions
Dataset permissions determine what a user can do with a particular dataset—can the user edit the dataset or only select data from it?
Permission to work with specific datasets is controlled by the user who owns the data (the one who created or imported the data to the geodatabase). Users are granted either read-only (SELECT) permission or read/write (UPDATE, INSERT, and DELETE) permissions. These dataset permissions determine whether or not a user is an editor; if a user has no UPDATE, INSERT, or DELETE permissions on any datasets, he is not an editor.
See Granting and revoking privileges on datasets for information on assigning user rights to datasets.
Top of page
ArcSDE Personal and Workgroup geodatabase permissions
ArcSDE Personal and Workgroup geodatabases utilize ArcSDE database servers. Users are added to the database server, then permission to work with geodatabases and datasets is controlled by assigning users and groups to predefined roles. The user or group in this case is a Windows-authenticated login that identifies who you are; a role defines the operations you will be able to perform.
The predefined roles and possible permissions given to users and groups are
- None—No specific access to the geodatabase or the datasets in the geodatabase
- Read Only—Can read data
- Read/Write—Can read, write to, and create new datasets in a geodatabase
- Admin—Can administer a specific geodatabase
- Server administrator—Administers the database server; can create, control access to, back up, restore, compress, attach, and detach geodatabases on an ArcSDE database server
To learn how to grant or revoke these permissions, see
Administering user permissions for ArcSDE database servers.
Only database server administrators can add or remove users. Users or groups must be valid Windows logins. When a new user or group is added to an ArcSDE database server, that user or group will automatically be available in all current and future geodatabases within that ArcSDE database server. In other words, once a user has been added to the database server, that user name will appear in the Permissions dialog box for all geodatabases and datasets on the database server.
Learn more about adding a user or group to an ArcSDE database server
Top of page
ArcSDE Enterprise geodatabase permissions
The tables below list the minimum required database privileges, by DBMS, for common types of users: data viewers, data editors, data creators, and ArcSDE administrators.
Most DBMSs provide a graphical user interface (GUI) you can use to administer user database privileges. However, you can use SQL statements to grant and revoke privileges as well.
In most cases, owners of individual datasets should use ArcCatalog to set other users' permissions on these datasets.
Learn about setting user privileges on datasets
Note that for all DBMSs, to perform an upgrade, the ArcSDE administrator must have write permission to either the SDEHOME/geocode directory on the server or the directory to which the TEMP environment variable is set. This is because, during an upgrade, ArcSDE attempts to make backups of the locator files in the geocode directory. If that fails, ArcSDE attempts to write the backups to the TEMP directory. If the ArcSDE administrator does not have write permission to either of these directories, a warning is generated and new locators are loaded.
Top of page
SQL Server
The first table below indicates the user permissions needed in a single spatial database model geodatabase. The second table lists the user permissions necessary for a geodatabase stored in the multiple spatial database model.
Single spatial database model permissions
Data viewers |
|
SELECT |
- If allowed to read all tables in the database, you can assign users to the db_datareader database role.
- CREATE TABLE permission is needed if using shared log files
|
Data editors |
|
- SELECT, INSERT, UPDATE, and DELETE on other users' data objects (if they will be editing other users' data objects)
- EXECUTE on the stored procedures associated with the data to be edited
|
CREATE TABLE permission is needed if using shared log files |
Data creators |
- CREATE TABLE
- CREATE PROCEDURE
- CREATE VIEW
|
|
- Before a user can create an XML column with SQL Server 2005, the user must be granted the REFERENCES permission on the fulltext catalog in which the text of the XML documents will be indexed.
- For SQL Server 2005, user names for any user accounts that will own data must have the same name as their default schema. For example, for the user name simon, the default schema name must be simon. If it isn't, the user will not be able to create geodatabase objects such as feature classes.
- CREATE VIEW privilege is only needed if the user will be creating database views, spatial views, or multiversioned views.
|
ArcSDE administrator |
- CREATE TABLE
- CREATE PROCEDURE
- CREATE FUNCTION
- CREATE VIEW
|
|
- For ArcSDE administrators, the CREATE VIEW function is required to create the dbtune view.
- If you use a dbo-schema geodatabase, the database owner (dbo) is in the sysadmin fixed server role and already has these privileges.
|
Multiple spatial database model permissions
All types of users must be added to the SDE database. For all types of users, if you are using
shared log files, users must have CREATE TABLE permissions in the SDE database. If you are using shared log files in a SQL Server 2005 database, you must create a schema for the users when you add them to the SDE database.
Data viewers |
|
SELECT |
|
SELECT |
Data editors |
|
SELECT, INSERT, UPDATE, and DELETE permission on datasets to edit and EXECUTE permission on related stored procedures |
|
SELECT, INSERT, UPDATE, and DELETE permission on datasets to edit and EXECUTE permission on related stored procedures |
Data creators |
CREATE TABLE and CREATE PROCEDURE if creating datasets in the repository database (not recommended) |
|
CREATE TABLE and CREATE PROCEDURE |
|
ArcSDE administrator |
- CREATE TABLE
- CREATE VIEW
- CREATE PROCEDURE
- CREATE FUNCTION
|
|
Add as user to the other databases, but no specific required permissions |
|
For more information on the differences between the single and multiple spatial database models in SQL Server databases, see
Using multiple geodatabases within a DBMS.
Top of page
Oracle
In Oracle databases, the ArcSDE administrator requires additional permissions to install or upgrade ArcSDE. The first table lists the
minimum privileges required by the ArcSDE administrator (the permissions the ArcSDE administrator needs just to perform day-to-day functions) and the permissions needed for other types of users. The second table lists the permissions the ArcSDE administrator requires to be able to install or upgrade ArcSDE.
NOTE: In addition to the privileges listed below, the database administrator must grant EXECUTE privileges on dbms_pipe and dbms_lock to PUBLIC.
Data viewers |
CREATE SESSION |
SELECT on database objects |
If your database is configured to use shared ArcSDE log files (the default), additional privileges may be needed. Learn more about log file configuration options
|
Data editors |
CREATE SESSION |
SELECT, INSERT, UPDATE, and DELETE on other users' datasets |
If your database is configured to use shared ArcSDE log files (the default), additional privileges may be needed. Learn more about log file configuration options
|
Data creators |
- CREATE SEQUENCE
- CREATE SESSION
- CREATE TRIGGER
- CREATE TABLE
- CREATE VIEW
|
|
CREATE VIEW privilege is only needed if the user will be creating database views, spatial views, or multiversioned views. |
ArcSDE administrator |
- CREATE SESSION
- CREATE SEQUENCE
- CREATE TABLE
- CREATE TRIGGER
- CREATE PROCEDURE
|
|
If you use autoregistration with Oracle Spatial, you must also grant SELECT ANY TABLE |
The following table lists the privileges that must be granted to the ArcSDE administrator to install or upgrade ArcSDE and the reason the privilege or group of privileges is needed. Some of these privileges can be revoked after installation or upgrade is completed, as noted in the Purpose field and as indicated in the minimum ArcSDE administrator permissions shown in the previous table.
NOTE: If you use geodatabases created in user schemas in Oracle, the same permissions are needed for the schema owner in which the geodatabase resides to upgrade his/her geodatabase.
ArcSDE administrator install/upgrade required permissions
CREATE SESSION |
Connect to Oracle. |
- CREATE TABLE
- CREATE TRIGGER
|
Create ArcSDE data dictionary. |
CREATE PROCEDURE |
Create packages for maintaining the contents of data dictionary tables. |
- CREATE INDEXTYPE
- CREATE LIBRARY
- CREATE OPERATOR
- CREATE PUBLIC SYNONYM
- CREATE SYNONYM
- CREATE TYPE
- CREATE VIEW
- DROP PUBLIC SYNONYM
|
Create the Spatial Type for Oracle (ST_Geometry) user-defined data type. CREATE OPERATOR and CREATE INDEXTYPE are needed to upgrade ArcSDE.These privileges can be revoked after installation if not using the Spatial Type for Oracle. |
SELECT ANY TABLE |
Autoregistration with the geodatabase of Oracle Spatial layers created by third-party applications and for upgrading geodatabase contents. This privilege can be revoked after installing ArcSDE if not using Oracle Spatial or if manually registering third-party layers. Would have to be granted again to perform upgrade |
- ALTER ANY INDEX
- ALTER ANY TABLE
- ANALYZE ANY
- CREATE ANY INDEX
- CREATE ANY PROCEDURE
- CREATE ANY SEQUENCE
- CREATE ANY TRIGGER
- CREATE ANY VIEW
- DROP ANY INDEX
- DROP ANY PROCEDURE
- DROP ANY SEQUENCE
- DROP ANY TABLE
- DROP ANY VIEW
- EXECUTE ANY PROCEDURE
- SELECT ANY SEQUENCE
|
Create the ArcSDE data dictionary during installation and upgrade geodatabase contents. |
In addition, you may want to grant UNLIMITED TABLESPACE to the ArcSDE administrator for installation and upgrades. This will ensure that there is sufficient storage space in any tablespace in the database, including the internal SYSTEM and SYSAUX tablespaces, to allow the ArcSDE administrator to complete the installation or upgrade. This privilege can be revoked after installing or upgrading ArcSDE if you have set quotas for space management.
See
Recommendations for tuning memory for information on using storage quotas.
Top of page
DB2
DB2 grants full permissions to users by default. (In other words, the PUBLIC group is granted CREATETAB, BINDADD, CONNECT, and IMPLICITSCHEMA database authority plus USE privilege on the USERSPACE1 table space and SELECT privilege on the system catalog views.) Therefore, you need to decide if any users need to have their permissions decreased.
NOTE: To remove any database authority, a database administrator must explicitly revoke the database authority from PUBLIC.
Data viewer |
CONNECT to database |
SELECT on database object |
If your database is configured to use shared ArcSDE log files (the default), additional privileges may be needed. Learn more about log file configuration options
|
Data editor |
- CONNECT to database
- CREATEIN, ALTERIN, and DROPIN for the necessary schema
|
CONTROL, ALTER, DELETE, INSERT, SELECT, UPDATE REFERENCES |
|
Data creator |
- CONNECT to database
- CREATETAB in database
- CREATEIN, ALTERIN, and DROPIN for the necessary schema
|
CONTROL on database objects |
|
ArcSDE administrator |
- DBADM authority
- SYSMON authority (DB2 8.2 and higher)
Add the ArcSDE administrator user to an operating system group then grant SYSMON to the group.
|
|
The DBADM authority gives the ArcSDE administrator all privileges against all objects in the database and allows him or her to grant these privileges to others. (An authority similar to system roles in other DBMS types.) The SYSMON authority is needed to access the DB2 snapshot API, which is required to clean out defunct ArcSDE processes from the PROCESS_INFORMATION system table. |
Top of page
Informix
If your users will be doing anything more than viewing and issuing simple SELECT statements, they will need RESOURCE privileges in the database. Resource-level privileges allow the user to do the following:
- Connect to the database.
- Execute SELECT, INSERT, UPDATE, and DELETE statements, provided the user has the necessary table-level privileges.
- Create views, provided the user has the SELECT privilege on the underlying tables.
- Create synonyms.
- Create temporary tables and indexes on them.
- Alter or drop a table or index, provided the user has the necessary table-level privileges.
- Grant table-level privileges.
- Create new tables.
- Create new indexes.
- Create new routines.
- Create new data types.
You can use the GRANT SQL statement and resource keyword to grant this permission to the ArcSDE administrator.
grant resource to <ArcSDE administrator's user name>
Data viewer |
CONNECT |
|
If your database is configured to use shared ArcSDE log files (the default), additional privileges may be needed. Learn more about log file configuration options
|
Data editor |
RESOURCE |
SELECT, INSERT, UPDATE, and DELETE on other users' datasets |
|
Data creator |
RESOURCE |
|
|
ArcSDE administrator |
RESOURCE |
|
|
If your database is configured to use shared ArcSDE log files, additional privileges may be needed.
Learn more about log file configuration options
Top of page