Administering user permissions for ArcSDE database servers

Release 9.3

About administering user accounts

ArcSDE database servers are SQL Server Express instances that store ArcSDE geodatabases. There are three types of user permissions for ArcSDE database servers: database server permissions, geodatabase permissions, and dataset permissions. Each of these, plus how to alter these permissions, is described in this topic.

Database server permissions—The only permission that can be set at the database server level is the ArcSDE database server administrator; you either are one or you are not. The ArcSDE database server administrator can do the following:

During postinstallation setup, a database server administrator user is added. This original database server administrator can assign other users to the Server administrator role from the database server Permissions dialog box. Typically, you won't have more than one or two database server administrators.

Any data created by a database server administrator will be created in the database owner (dbo) schema. This has implications for naming data and administering permissions on specific database objects.

Being a database server administrator automatically gives you administrative rights to all geodatabases on the database server as well as read/write permission on all objects in each geodatabase.

Below is an example of the Permissions dialog box for database servers:

Database server permissions

NOTE: When installing on Windows 2000, Server 2003, or XP, users who are Active Directory administrators or local Windows administrators on the computer where the SQL Server Express instance is installed automatically have access to all instances on that machine, without you having to add them, and are automatically database server administrators. This is a SQL Server feature. This is not true, however, when installing on Windows Vista or Windows Server 2008. Consult SQL Server Books Online for details.

Geodatabase-wide permissions—Users who are not administrators at the database server level can be granted permissions to specific geodatabases. Geodatabase-wide permissions are granted by a database server administrator and are managed using roles. Possible roles to which a user can be assigned are

The other option for user roles is None. In this case, the user has no geodatabase-wide permissions; however, you may still grant this user Read Only or Read/Write permissions to specific datasets, as discussed below. None is the default level of geodatabase permission granted when users are added to the database server.

In the sample geodatabase Permissions dialog box below, user pllama is granted Read/Write permissions on geodatabase historical.

Geodatabase-level permission dialog box

Dataset permissions—Possible dataset permissions available through the Permissions dialog box at the dataset level are Read Only, Read/Write, and None. For example, you might want to give users in an analyst group read-only permissions to a geodatabase but grant them read/write permissions to one specific feature class in the geodatabase. Or a user may have no geodatabase-wide permissions (None) but can still be granted read or read/write permission to specific feature datasets in the geodatabase.

When a user creates a dataset, such as a table, it is owned by that user and considered part of that user's schema. User permissions on datasets within a geodatabase can only be set by the owner of the dataset.

In the case of a database server administrator, the datasets he or she creates are owned by dbo and stored in the dbo's schema. The database server administrator, therefore, can grant permissions on any datasets in the dbo schema, but only on objects in the dbo schema. In other words, a database server administrator cannot grant permission to data owned by nonadministrative users.

The following is an example of the dataset Permissions dialog box:

Dataset permission dialog box

If you create a connection to the geodatabase in the Database Connections folder of the Catalog tree, you also have access to the Privileges dialog box for datasets. To learn more about administering dataset permissions in the Privileges dialog box, see Granting and revoking privileges on datasets.

How to change permissions for user accounts

Make a user a database server administrator

  1. In ArcCatalog, connect to the database server for which you want to add an administrative user and right-click it.
  2. Click Permissions.
  3. Choose the user from the list.
  4. Check the Server administrator check box.
  5. Click Apply.

Tips

  • You can do this for groups as well, but it is generally not recommended because of the increased security risk of having many users with administrative privileges for the database server.
  • In most cases, you will only need one or two database server administrators.
  • All database server administrators are placed in a database role, dbo, in every database. Any data created by an administrator will be created in the dbo schema. Therefore, two or more administrators cannot create feature classes with the same name, because they do not have their own unique schemas.
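The administrator tips above and the dataset ownership rules described earlier can both be checked directly in SQL Server. The following T-SQL is an added example, not part of the ESRI documentation; it assumes that ArcSDE database server administrators are members of SQL Server's sysadmin fixed server role, and it uses the geodatabase name historical from this topic's sample.

```sql
-- Added example, not ESRI-supplied. Run in a query window connected to the
-- SQL Server Express instance that hosts the ArcSDE geodatabases.

-- 1. Instance level: members of the sysadmin fixed server role.
--    Assumption: ArcSDE database server administrators are sysadmin members.
SELECT m.name       AS principal_name,
       m.type_desc  AS principal_type,  -- WINDOWS_GROUP: every member of the group is an administrator
       m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals  AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals  AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.type_desc, m.name;

-- 2. Dataset level: explicit grants on tables in one geodatabase.
--    "historical" is the geodatabase name used in this topic's sample.
USE historical;

SELECT s.name             AS owner_schema,   -- dbo = created by an administrator
       o.name             AS table_name,
       grantee.name       AS grantee,
       grantee.type_desc  AS grantee_type,
       dp.permission_name,                   -- SELECT is read access; INSERT, UPDATE, DELETE are write access
       dp.state_desc,                        -- GRANT, GRANT_WITH_GRANT_OPTION or DENY
       grantor.name       AS granted_by
FROM sys.database_permissions AS dp
JOIN sys.objects             AS o       ON o.object_id = dp.major_id
JOIN sys.schemas             AS s       ON s.schema_id = o.schema_id
JOIN sys.database_principals AS grantee ON grantee.principal_id = dp.grantee_principal_id
JOIN sys.database_principals AS grantor ON grantor.principal_id = dp.grantor_principal_id
WHERE dp.class = 1         -- object- or column-level permissions
  AND o.type = 'U'         -- user tables
ORDER BY s.name, o.name, grantee.name, dp.permission_name;
```

The second result set lists only explicit object-level grants. Rights a user holds through sysadmin membership or through membership in a database role appear under the role's name or not at all.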

Administer geodatabase permissions

  1. Connect to the database server in ArcCatalog.
  2. Right-click the geodatabase for which you want to grant user permissions.
  3. Click Administration and click Permissions.
  4. Choose the desired user or group from the list on the Permissions dialog box.
  5. Click the appropriate role and click Apply. For instance, if you want to grant a user read-only permissions to the geodatabase, click Read Only.

Tip

  • If you choose a user from the list who is a database server administrator, a message will appear indicating the user has higher-level permissions, and all role options will be deactivated. This is because administrators already have these as well as additional permissions on the geodatabase and, therefore, should not be added to one of the roles on this dialog box.

See Also

  • The ArcSDE administrative account
  • User permissions
  • Granting and revoking privileges on datasets
  • Adding and removing users or groups for ArcSDE database servers