SQL Server Privileges for ArcGIS Server Service Account

ACrateau · ‎11-28-2022

I'm setting up a geodatabase using SQL Server to be a registered data store with an ArcGIS Enterprise site.

What privileges does the ArcGIS Server service account need to be granted on the database in order to host data from this database?

I've seen from other posts that the server acct needs read/write access to data being referenced. Can we utilize the built-in roles db_datareader and db_datawriter to accomplish this for all datasets in the GDB? Are there any other considerations when publishing branch-versioned data?

BillFox · ‎11-28-2022

yes, that will work to be able to view and edit with editor tracking using regular versioning

Scott_Tansley · ‎11-28-2022

Personally, I'm a bit of a security zealot. If you assign db_datawriter on the 'database' then all feature classes are editable by the ArcGIS Server user. You may have 100 feature classes in the database, but only 'say' 5 are intended to be editable via Feature Services. That potentially leaves 95 feature classes that are potentially editable from the web. That makes me uncomfortable.

Oftentimes, to ease administration I'll use db_datareader for the ArcGIS Server account. Then for editable services, I'll use a SQL user and specifically set the permissions layer by layer in the Change Privileges tool.

Obviously, it all depends on how risk-averse you are and the types of datasets you hold, but I tend to steer toward the side of caution. I also prefer to explicitly set view permissions in the same way, rather than using in buildt roles, but its often a compromise on what the clients needs are.

Just a thought.

Scott Tansley
https://www.linkedin.com/in/scotttansley/