topic Re: Protected default still allows edits/posting in Data Management Questions

Protected default still allows edits/posting

SamSzotkowski — Mon, 23 Oct 2023 18:59:04 GMT

We are using Enterprise 11.1, and ArcGIS Pro 3.1.2. This issue seems to come and go, but it's reared its head again.

When creating an enterprise geodatabase (SQL Server), we are using branch versioning, and set the default access level to "protected". Despite this, portal user roles without the "Manage All" capability are allowed to edit the default directly and post to it. @EvaTTA mentioned this fairly recently, and in that post it was said to be linked to bugs BUG-000135099 and BUG-000150561, but I cannot find any information on these.

I'll note something especially strange, that "protected" was working as expected last time I checked on Oct 3, but today on the same dataset I dusted off my test account that is not a "Version Administrator", and that account was able to edit the protected default directly. I think the only thing that's changed since then schema-wise is adding a couple of values to one of the domains.

Has anybody encountered this? I'm stumped because as far as I can tell I'm doing everything by the book with respect to creating the enterprise geodatabases, managing portal users, and publishing the feature services.

Re: Protected default still allows edits/posting

Asrujit_SenGupta — Tue, 31 Oct 2023 17:17:02 GMT

The Bugs you referred:

BUG-000136400 When posting edits from child versions in branch versioning, the following error message is returned, "Error: Insufficient permission"

BUG-000150561 Portal for ArcGIS users with an editor role can edit the default branch version although the access is set to be protected.

BUG-000150561 seems related to you issue, but I don't see much info available on the link. Probably contact Esri Tech Support and get an update on the Bug.

Re: Protected default still allows edits/posting

George_Thompson — Tue, 31 Oct 2023 17:34:16 GMT

Re: Protected default still allows edits/posting

MelissaJarman — Wed, 01 Nov 2023 13:05:36 GMT

@SamSzotkowski - I sent you a direct message with some questions and I also recommend you reach out to technical support so we can isolate the issue for you and get to the root of the problem.

Please feel free to reach out to me directly.

Re: Protected default still allows edits/posting

CBD — Wed, 31 Jan 2024 16:45:44 GMT

Hello! Did you ever reconcile this issue? No pun intended 😁. I am dealing with the same exact issue right now. Non version admins can edit default, reconcile and post to default, reconcile and post each others versions as well. The default version is set to protected and we are in Postgres.

Re: Protected default still allows edits/posting

SamSzotkowski — Wed, 31 Jan 2024 17:11:48 GMT

No, we kind of ignored it for a bit because there were bigger fish to fry, but I'm meeting with Esri on Monday about this so I'll be sure to update this post once we figure out what's wrong and/or get it resolved.

I think it's notable that you're using postgres and we're using SQL server, possibly rules out an issue with the database itself.

Re: Protected default still allows edits/posting

MarceloMarques — Wed, 31 Jan 2024 17:30:15 GMT

SUMMARY:

BUG-000136400 When posting edits from child versions in branch versioning, the following error messa...

BUG-000150561 Portal for ArcGIS users with an editor role can edit the default branch version althou...

For BUG-000150561, it is closed and a duplicate of another issue (BUG-000135099) which is showing as fixed in Pro 3.1; https://www.esri.com/content/dam/esrisites/en-us/media/products/arcgis-pro-issues-addressed/arcgis-p...

-------------------------------------------------------------------------------------------------------------------------------
BUG-000136400 - When posting edits from child versions in branch versioning, the following error message is returned, "Error: Insufficient permission". Duplicate Record #BUG-000135099

This is a duplicate of BUG-000135099: The SDE/DBO is the owner of the default version, the security model is bypassed. Therefore, in future releases, the ability to register datasets owned by SDE/DBO as versioned (branch) is to be blocked.

-------------------------------------------------------------------------------------------------------------------------------
BUG-000150561 - Portal for ArcGIS users with an editor role can edit the default branch version although the access is set to be protected. Duplicate Record #BUG-000135099
-------------------------------------------------------------------------------------------------------------------------------
BUG-000135099 - Branch versioned data owned by the DBO or SDE users allows standard portal users access to view and manage all versions via the service.

From Workaround: Branch versioned data must not be owned by the SDE or DBO users. Do not register data owned by SDE or DBO users as branch versioned.

The ArcGIS Server 10.9.1 Utility Network and Data Management Patch 6 is now live on the support site. The URL is:
https://support.esri.com/en-us/patches-updates/2023/arcgis-server-10-9-1-utility-network-and-data-management-patch-6

The ArcGIS Server 10.8.1 Utility Network Patch 11 is now live on the support site. The URL is:
https://support.esri.com/en-us/patches-updates/2023/arcgis-server-10-8-1-utility-network-patch-11\
-------------------------------------------------------------------------------------------------------------------------------
Note: always install the latest patches that were released!!!

Esri Support Search Results - ArcGIS Pro

Esri Support Search Results - ArcGIS Enterprise: Portal + Server + Datastore + WebAdaptor + Utility Network
-------------------------------------------------------------------------------------------------------------------------------

Re: Protected default still allows edits/posting

SamSzotkowski — Wed, 31 Jan 2024 17:29:48 GMT

I've read about some of those bugs and mentioned in my original post, yet I'm seeing this issue in Pro 3.1 and 3.2.

Anyhow, I'm not sure what this means: "Branch versioned data must not be owned by the SDE or DBO users." When you're sharing a branch versioned dataset, the docs say "You must own the data you're publishing. That means the credentials you use in the database connection that accesses the data must be those of the data owner." You can't even publish if you're not connected as a user with db_owner or sysadmin. Plus when you create an enterprise database, you have to choose either a dbo- or sde-owned schema.

So I wholeheartedly accept that I'm misunderstanding something, what are these workarounds telling me to do exactly?

Re: Protected default still allows edits/posting

SamSzotkowski — Wed, 31 Jan 2024 17:34:06 GMT

My probably wrong understanding of the workaround led me to creating an enterprise gdb as a sysadmin, then creating a new user and giving them db_owner privilege on that database, then connecting as them. So all the feature classes show up as "TEST_ACCOUNT.fc_name" in Pro. I published while connected as TEST_ACCOUNT, protected the default, and so on, and the issue persists.

Re: Protected default still allows edits/posting

MarceloMarques — Wed, 31 Jan 2024 17:47:39 GMT

@SamSzotkowski "Branch versioned data must not be owned by the SDE or DBO users."

This means the data, e.g. featureclasses, tables, feature datasets, geodatabase domains, etc. must not be owned by the sde user which is the arcsde repository owner nor by DBO.

In SQL Server there are 2 options to create the ArcSDE repository, 1) dbo owned or 2) sde user owned.

Create a geodatabase in SQL Server—ArcGIS Pro | Documentation

I tell all my customers to not use DBO, it does not provide the level of security for your data that is necessary, and instead always use the ArcSDE Repository with the sde user owner.

Now, that you created the ArcSDE Repository with the sde user owner, next you shall not use the sde user to load the data, the sde user is the geodatabase repository owner and must be used only for geodatabase administration tasks, then you must create a data owner users to load the data.

Example:

SQL Server Geodatabase Name: waterdb

ArcSDE Geodatabase Repository Owner: sde

Data Owner User Water Data Model: water

For more best practices please visit my community.esri.com blog below. There you will find the ArcGIS Pro database guide books for SQL Server, and you can also download my database template scripts for SQL Server to assist to setup the SQL Server Geodatabase. You can use the Production Mapping database guidebooks, the best practices can be applied to any industry.

Mapping and Charting Solutions (MCS) Enterprise Databases Best Practices

I hope this helps.

Re: Protected default still allows edits/posting

MarceloMarques — Wed, 31 Jan 2024 17:57:13 GMT

You can restrict those privileges and avoid granting sysadmin and db_owner to users, the only user you might need to grant db_owner is the sde user and that only temporarily when doing the arcsde repository upgrade. You can learn more on how properly setup the sde user privileges and the data owner user privileges in my database template scripts for SQL Server in the link below.

For more best practices please visit my community.esri.com blog below. There you will find the ArcGIS Pro database guide books for SQL Server, and you can also download my database template scripts for SQL Server to assist to setup the SQL Server Geodatabase. You can use the Production Mapping database guidebooks, the best practices can be applied to any industry.

Mapping and Charting Solutions (MCS) Enterprise Databases Best Practices

Re: Protected default still allows edits/posting

SamSzotkowski — Mon, 05 Feb 2024 16:34:50 GMT

Hello, I tried following the suggestions of @MarceloMarques, essentially having a separate database user with minimal privileges to create the feature classes, and publishing from that connection. I'm not sure how well these translate from SQL Server to postgres, but the privileges I granted this "publisher" user were Connect, Create procedure, Create table, Create view, Delete, Execute, Insert, Select, and Update.

In any case, the issue still persisted. Turns out that what was causing our problem has to do with Portal privileges: it appears any user with Administrative privileges > Content > Update enabled will be able to do anything that a version administrator can do.

Either this is a bug in which case please fix it Esri, or this documentation is inaccurate -- it does not list the apparently crucial "Update" privilege under the definition of users who act as a "Version administrator."

Re: Protected default still allows edits/posting

MarceloMarques — Mon, 05 Feb 2024 20:49:32 GMT

@SamSzotkowski - please open a ticket with Esri Technical Support to log a new bug. Thanks.

Re: Protected default still allows edits/posting

MarlonAmaya — Mon, 05 Feb 2024 21:45:45 GMT

@SamSzotkowski

I am able to confirm that a custom role (set with existing Publisher role) + the addition of 'view all' in admin category allows for editing in Portal Map viewer. The same user however is not allowed to to edit from ArcGIS Pro. In your scenario, where you able to edit default using ArcGIS Pro?

Marlon

Re: Protected default still allows edits/posting

SamSzotkowski — Mon, 05 Feb 2024 22:13:20 GMT

Custom role same as publisher + Admin>Content>Update privilege is what caused user to be able to edit default in Pro, I have not messed with the View All privilege.

Re: Protected default still allows edits/posting

SamSzotkowski — Mon, 05 Feb 2024 23:10:38 GMT

Ok I did some more digging and there's clearly some funny logic going on here. The three privileges I'm testing are these, and I'll refer to them by their numbers later on:

Admin > Members > View All
Admin > Content > View All
Admin > Content > Update

When you enable 3 in the UI, 1 and 2 toggle on automatically. When you enable 2, it enables 1 automatically.

1+2+3, or 1+3 enabled: Can edit in both Pro and Map Viewer
1, 2, 3, 1+2, or 2+3 enabled: Can edit in Map Viewer, not in Pro
None of these three enabled: Can neither edit in Map Viewer nor in Pro (desired behavior)

I have a case open currently so I'll bring up these additional details.

Re: Protected default still allows edits/posting

MarlonAmaya — Tue, 06 Feb 2024 00:25:33 GMT

@SamSzotkowski

Thank you for the further testing. Found your support case and have communicated my findings to the analyst. Something is up for sure.

Marlon

Re: Protected default still allows edits/posting

CBD — Fri, 08 Mar 2024 11:26:19 GMT

We were able to solve our issue with the help of ESRI support. It turned out we were using custom roles in Portal an in the publisher role we allowed for one Admin Privilege to "View All" under groups. This allowed my non version admin to reconcile/post to the protected default.

It was logged as

BUG-000165159 - Branch version editing using a custom portal role that contains at least one administrative privilege allows for editing a Protected Default version.