About privileges on geodatabase datasets
This topic was updated for 9.3.1.
If you want to let other database users view or modify the contents of any datasets in an ArcSDE geodatabase, you must grant them the privilege to do so.
The steps you take to grant or revoke privileges on datasets vary depending on how you connect to your ArcSDE geodatabase.
When you access datasets in a geodatabase through a database server connection, the permissions you can grant to nonadministrative users on a dataset are read-only, read/write, or none. Read-only permission means the user can select the dataset but not alter it. Read/write permission allows the user to edit the dataset. If a user's permission to a dataset is none, the user will not be able to view or access the dataset at all.
As indicated in the topic Administering user permissions for ArcSDE database servers, you can also set user permissions at the database server and geodatabase levels. Doing so will have an impact on what types of permissions you can grant at the dataset level.
- If the user is a database server administrator or geodatabase administrator, he or she automatically has read/write permissions on all the datasets in the geodatabase; you cannot grant lesser permissions on a dataset—such as read-only—to this user.
- If a user was granted read/write permission at the geodatabase level, he or she automatically has read/write permission on the datasets in that geodatabase. Again, you cannot change that user's dataset permissions to read-only or none.
- If a user has read-only geodatabase permission, you can grant that user read/write permission to specific datasets.
- If a user's geodatabase-level permission is none, you can grant that user read-only or read/write permission to any dataset in the geodatabase.
For datasets accessed through a spatial database connection in ArcCatalog, you have several options when granting privileges. You can specify that a user has no privileges by not checking any of the options on the Privileges dialog box. You can grant SELECT privileges, meaning the user can read but not modify the contents of a dataset. You can also grant a user read/write privileges (SELECT, UPDATE, INSERT, and DELETE), which allows the user to both view and modify the contents of a dataset.
The privileges that allow a user to modify a dataset (UPDATE, INSERT, and DELETE) are granted and revoked as a group; for example, if you grant the UPDATE privilege, INSERT and DELETE are also granted. For geodatabases stored on ArcSDE database servers, this is the equivalent of choosing Read/Write on the dataset Permission dialog box accessed through the ArcSDE database server connection.
When you create a spatial database connection to a geodatabase that is stored on a database server and use the Privileges dialog box to alter a user's access to a dataset, the same rules described above about overriding permissions apply. For example, if the user is a geodatabase administrator, you cannot use the Privileges dialog box to change the user's dataset access to SELECT.
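The override rules and the grouped write privileges described above can be checked with a small review script. The following Python is an added example, not Esri code or part of the original topic; the account names, dataset names, and data structures are constructed, and treating a partial write set as a grant made outside the Privileges dialog box is an assumption.

```python
# Added example: constructed data; names are hypothetical, not ArcSDE APIs.
LEVELS = {"none": 0, "read-only": 1, "read/write": 2}
WRITE_GROUP = {"UPDATE", "INSERT", "DELETE"}
# Only these privilege sets can result from the Privileges dialog box.
DIALOG_SETS = (set(), {"SELECT"}, {"SELECT"} | WRITE_GROUP)

USERS = {  # constructed accounts with their geodatabase-level permission
    "DOMAIN\\gis_admin": {"admin": True, "geodatabase": "read/write"},
    "DOMAIN\\editor": {"admin": False, "geodatabase": "read/write"},
    "DOMAIN\\viewer": {"admin": False, "geodatabase": "read-only"},
    "DOMAIN\\guest": {"admin": False, "geodatabase": "none"},
}
GRANTS = {  # constructed dataset-level grants: (user, dataset) -> privileges
    ("DOMAIN\\gis_admin", "parcels"): {"SELECT"},
    ("DOMAIN\\editor", "parcels"): set(),
    ("DOMAIN\\viewer", "parcels"): {"SELECT"} | WRITE_GROUP,
    ("DOMAIN\\guest", "parcels"): {"SELECT", "UPDATE"},
    ("DOMAIN\\guest", "roads"): {"SELECT"},
}


def dataset_level(privs):
    """Level a grant amounts to; any write privilege counts as read/write."""
    if set(privs) & WRITE_GROUP:
        return "read/write"
    return "read-only" if "SELECT" in privs else "none"


def effective(user, privs):
    """Higher of the geodatabase-level permission and the dataset grant."""
    if user["admin"]:
        return "read/write"  # administrators cannot be restricted per dataset
    return max(user["geodatabase"], dataset_level(privs), key=LEVELS.get)


def audit(users, grants):
    """Return (user, dataset, finding) tuples that need review."""
    findings = []
    for (name, dataset), privs in sorted(grants.items()):
        intended = dataset_level(privs)
        if set(privs) not in DIALOG_SETS:
            findings.append((name, dataset, "partial-write-group"))
        if LEVELS[effective(users[name], privs)] > LEVELS[intended]:
            findings.append((name, dataset, "overridden-by-higher-level"))
    return findings


if __name__ == "__main__":
    for finding in audit(USERS, GRANTS):
        print(*finding, sep="\t")
```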
NOTE: Granting or revoking privileges on a feature dataset causes all of its contents to have the same privilege changes; for example, you cannot grant a user different permissions on a feature class inside a feature dataset. However, if you add a feature class to a feature dataset, you must reset privileges on the feature dataset so it includes the new feature class.
How to grant and revoke privileges
On datasets in geodatabases accessed through a database server connection
- In the Catalog tree, connect to the database server and the geodatabase that contains the dataset for which you want to alter permissions.
- Right-click the dataset for which you want to give specific permission.
- Click Permissions.
- Choose the user or group from the list on the Permissions dialog box.
- Click the permission you want to grant for this dataset to this user (None, Read Only, or Read/Write).
- Click Apply.
On datasets in geodatabases accessed through a spatial database connection
- Only the owner of the dataset can alter permissions on it.
- If you choose a user from the list who already has geodatabase-wide read/write or administrative permissions, a message appears indicating the user has higher-level permissions, and all role options are deactivated. You cannot deny a user access to specific objects; you can only grant permission to specific objects. Therefore, if you do not want the user to have read/write access to all objects in the geodatabase, you need to change his or her rights on the geodatabase to read-only and grant read/write permissions on only those datasets to which the user should have read/write access.
- You can only alter a user's permissions on one dataset at a time.
- It is not possible to grant a user different permissions to feature classes within a feature dataset.
- Only the owner of a dataset can drop the dataset or alter its definition; therefore, even if the owner of the dataset grants read/write privileges on a dataset to another user, that user cannot alter the schema of the datasets.
- In the Catalog tree, connect to the geodatabase in the Database Connections folder.
- Right-click the dataset for which you want to alter a user's privileges.
- Click Privileges.
- Type the name of the user whose privileges you want to change.
- Click the privileges you want this user to have. UPDATE, INSERT, and DELETE are only active when SELECT is clicked, and these work as a unit. If you leave all options unchecked, all user access privileges are revoked.
- Click Apply or OK to change the privileges.
- Depending on the type of database management system that stores the geodatabase and the type of authentication the user will use to connect to it, you may need to include the domain or machine name with the user name you type on the Privileges dialog box. For example, if the operating system login was created in Oracle to include the prefix of the domain or machine, you need to provide the domain or machine name with a backslash before the user name.
If you are altering the privileges of a user for a dataset in a geodatabase stored on an ArcSDE database server, you always need to include the domain or machine name prefix.
Only the owner of a dataset can drop the dataset or alter its definition; therefore, even if the owner of the dataset grants INSERT, UPDATE, and DELETE privileges on a dataset to another user, that user cannot alter the schema of the datasets.