An overview of user accounts
Release 9.3
Note: This topic was updated for 9.3.1.
User accounts are unique names and passwords used to identify a person or client application that connects to your geodatabase. User accounts perform the following functions:
- They provide a way to control what type of access (if any) a person or client application has to a geodatabase and its datasets.
- They determine who owns what data in the database.
Controlling user access
Your geodatabase must be able to "recognize" the users who attempt to connect to it. That means an administrative user—the one who created the database—has to add users to the database. (How users are added depends on which type of database management system [DBMS] you use. See Adding users to an ArcSDE geodatabase for information on adding users to an enterprise database. See Adding and removing users or groups for ArcSDE database servers for information on how to add users to ArcSDE geodatabases in SQL Server Express.) The database checks the list of users to make sure a user is allowed to make a connection. This process is called authentication.
There are two types of authentication used with geodatabases: operating system authentication and database authentication.
Operating system (OS) authentication means that a user logs in to the computer, and the operating system of the user's computer supplies the credentials for authentication to the database. For the connecting user, that means he or she only has to log in at his or her computer and does not have to log in separately to the database. For the database administrator, this means the existing login must be added to the database and the database must be configured to recognize the user's existing login. Operating system authentication is the only type of authentication used with ArcSDE geodatabases for SQL Server Express (in other words, geodatabases stored on an ArcSDE database server).
For additional information on OS authentication, see Operating system authentication.
If you use database authentication, users log in to the server and then must separately log in to the database using database user names and passwords, which the database administrator must create.
Only Oracle, SQL Server, and PostgreSQL utilize database user accounts; DB2 and Informix do not. For DB2 and Informix, the user accounts are managed by the operating system.
NOTE: Although DB2 and Informix do not have database user accounts, you can still utilize the Database authentication connection option on the Spatial Database Connection Properties dialog box in ArcCatalog. Doing so will allow you to save the specific user name and password of a user, whereas if you use the operating system authentication option, ArcGIS Desktop will use the credentials of the user logged in to the operating system to connect to the geodatabase.
Once users are added, the administrative user must also grant specific permissions to users to determine what they can and cannot do in the geodatabase. The database checks these permissions when an authenticated user tries to access or alter the geodatabase. This process is called authorization.
The types of permissions granted to a user are based on the type of work the user needs to perform. Some users will only need to view the data in the geodatabase. Others will need to edit some of the datasets in the geodatabase. Certain users will need to create new datasets. One or more users will need to administer the geodatabase. See The ArcSDE administrative account for more information on administrative users. To learn more on other types of users, see User permissions.
Data ownership
The user who creates tables in the DBMS owns those tables. For example, the ArcSDE administrative user creates the geodatabase; therefore, the geodatabase system tables that are created in the DBMS at that time are owned by the ArcSDE administrative user. Similarly, a user who creates a feature class owns that feature class.
Be aware that the user name used to connect to the geodatabase at the time the tables are created determines who owns the data.
For instance, part-time staff members Boris and Basil are allowed to create data in the geodatabase. Boris and Basil use the same computer. If both use Basil's account to connect to the geodatabase in ArcCatalog, all datasets created by either Boris or Basil will be owned by Basil and stored in his schema.
If Boris wants the data he creates to be stored in his schema, he must alter the database connection properties and connect to the database with his own user name before he starts creating data.
Knowing who owns the data is important for two reasons: you cannot remove a user account from the database if the user owns data, and the user who created a dataset is the one who controls the level of access other users have to it. See Granting and revoking privileges on datasets to learn how to alter permissions on datasets.
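The ownership check described above can be run as an audit before an account is removed. The following is an added example, not part of the original ArcSDE documentation: it assumes the geodatabase is stored in PostgreSQL and uses only the standard PostgreSQL system catalogs (pg_roles, pg_class, pg_namespace).

```sql
-- Added example; assumes a PostgreSQL geodatabase.
-- Query 1: for every account that can log in, count the tables it owns.
-- PostgreSQL refuses to drop a role that still owns objects, so any account
-- with tables_owned > 0 cannot be removed until its data is dealt with.
SELECT r.rolname AS account,
       count(t.oid) AS tables_owned,
       CASE WHEN count(t.oid) = 0
            THEN 'owns no tables'
            ELSE 'owns data'
       END AS removal_check
FROM pg_catalog.pg_roles AS r
LEFT JOIN (
    -- Ordinary tables only (relkind 'r'), excluding PostgreSQL's own schemas.
    SELECT c.oid, c.relowner
    FROM pg_catalog.pg_class AS c
    JOIN pg_catalog.pg_namespace AS n ON n.oid = c.relnamespace
    WHERE c.relkind = 'r'
      AND n.nspname NOT IN ('pg_catalog', 'information_schema')
) AS t ON t.relowner = r.oid
WHERE r.rolcanlogin
GROUP BY r.rolname
ORDER BY tables_owned DESC, r.rolname;

-- Query 2: list each table with its schema and owner. Data created over a
-- shared connection (the Boris and Basil case) shows up here under the
-- account that made the connection, not under the person who did the work.
SELECT n.nspname AS schema_name,
       c.relname AS table_name,
       r.rolname AS owner
FROM pg_catalog.pg_class AS c
JOIN pg_catalog.pg_namespace AS n ON n.oid = c.relnamespace
JOIN pg_catalog.pg_roles AS r ON r.oid = c.relowner
WHERE c.relkind = 'r'
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
ORDER BY r.rolname, n.nspname, c.relname;
```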