Select to view content in your preferred language

The relationship of GeoDatabase and ArcGIS Server

3056
12
Jump to solution
12-02-2013 06:53 AM
LuyangRen
Regular Contributor
Hi All,

I am trying to figure out the architecture of ArcGIS Server. I figured that "copying the data to server" is not copying the data to the geodatabase but to the server directory. Then what the geodatabase used  for in the architecture of ArcGIS server? We use ArcServer Enterprise and SQL server.

Thank you

Luyang
Tags (2)
12 Replies
KimPeter
Esri Contributor
No worries, Luyang. 🙂

Will you load data for faculty and students to use?  Or maybe faculty will load the data that students use? Whoever creates or loads data to the geodatabase will require permission to connect to the database, create table, create procedure, and create view privileges in the database, and will need a schema in the database that has the same name as their user name. If there will be multiple people creating/loading data, create a database role, grant the privileges to the role, and add the necessary users to that role. Each user who creates data will still need a matching schema, but using a role simplifies managing privileges.  

Privileges for different types of geodatabase users can be found in this topic:
http://resources.arcgis.com/en/help/main/10.2/#/User_privileges_for_geodatabases_in_SQL_Server/002q0...

If students are loading the data, publishing it, and editing it, grant them the privileges of a data creator and they'll be able to do what they need with their own data.  If they need access to data someone else loaded, privileges must be granted to them on the individual datasets.  (Again, if a group of students all need the same privileges on a dataset, create a role with those privileges and add the students' users to it.)  Since you said you'll be using versioning and you may well be using other geodatabase functionality that involves system tables or procedures, grant dataset privileges through ArcGIS, not directly in the database. When done through ArcGIS, privileges are granted to all the tables, procedures, and views that make up a versioned geodatabase dataset.   You can use the Privileges dialog box in ArcGIS Desktop to do this - http://resources.arcgis.com/en/help/main/10.2/#/Granting_and_revoking_privileges_on_datasets/002q000... - or the Change Privileges geoprocessing tool, which can be scripted, if you need it: http://resources.arcgis.com/en/help/main/10.2/#/Change_Privileges/0017000000n3000000/.

When publishing data, you have to think about the privileges of the person doing the publishing (they have to have access to the data to publish it) AND the privileges of the user that is specified in the .sde file you registered with ArcGIS Server. All the services will access the geodatabase data as the user in the registered .sde file. 

Therefore, to publish a map service (or any other read-only service), connect permission to the database and select privileges on the datasets are required for:
  -The user making the map (or accessing the data to be published)
  -The user you have in the Database Connection file (.sde) that you registered with ArcGIS Server.
*Be aware that if you use Windows-Authenticated logins, the ArcGIS Server primary site administrator (that's the administrator account created when you set up the ArcGIS Server site) needs the same privileges: in this case, connect permission and select privileges on the datasets.

For services that allow you to edit or load data, such as editable feature services or image services, the privileges you grant to the user in the registered .sde file must be sufficient to perform the editing or data loading (image service) operations that you choose when publishing these services. For example, if you choose Query, Create, and Update operations for your feature service when publishing, the user needs select, create, and update privileges on the data that is in the service. Again, if using Windows Authentication, the ArcGIS Server primary site administrator also needs these privileges on the data.

As you read in the topic Copying data to the server automatically when publishing, you could also register an enterprise geodatabase as your managed database. Then, when feature services are published, the data gets copied from your source to the managed database.  The data is owned by the user in the .sde file that you registered as the managed database. Therefore, that user needs privileges in the managed database sufficient to create data and a matching schema in the database.  The data in the managed database is dependent on the feature service: if you delete the feature service, the data is deleted from the managed database.

Sorry...this is getting crazy long winded...
On the versioning side, as mentioned, granting privileges on the versioned datasets through ArcGIS grants the privileges needed on the delta tables and versioned view.  Separate from that, geodatabase versions have coarse-grained permissions that the version owner can set to determine who has access to the version.  That is described here: http://resources.arcgis.com/en/help/main/10.2/#/Creating_versions_and_setting_permissions/003n000000....  Your students might connect to a different version of the geodatabase and publish that data. The access level they set on that version could impact whether the published data can be edited. For example, if the version is protected but the .sde file registered with ArcGIS Server connects as someone other than the version owner or the geodatabase administrator, you won't be able to edit through the service.

You also mentioned using replication...for an overview of how geodatabase replication and ArcGIS Server are related, see this topic: http://resources.arcgis.com/en/help/main/10.2/#/Geodatabase_replication_and_ArcGIS_Server/003n000000... Basically, it involves using a geodata service, so see the topics in the Geodata services section of the ArcGIS Server help for information on using those: http://resources.arcgis.com/en/help/main/10.2/#/What_is_a_geodata_service/015400000329000000/

Phew.  I hope at least some of this is helpful. 🙂

@Marco: thanks for answering the subsequent post...it took me so long between meetings, etc. to compose the other answer, I missed Michael's question.
0 Kudos
LuyangRen
Regular Contributor
Hi Kimberly,

Thank you so much for writing such a long answer. I actually really appreciate it and it is pretty informative.

But based on my few knowledge, I still have several questions.

  You can use the Privileges dialog box in ArcGIS Desktop to do this

When you talked about using privilege dialog box in ArcGIS Desktop, I think the entire paragraph is talking about dataset level privilege, is that right? If yes, then the owner of the dataset should be the one control the privilege, is that right? Then who should control the privilege of the database? the database administrator?

When publishing data, you have to think about the privileges of the person doing the publishing (they have to have access to the data to publish it) AND the privileges of the user that is specified in the .sde file you registered with ArcGIS Server. All the services will access the geodatabase data as the user in the registered .sde file. 

Therefore, to publish a map service (or any other read-only service), connect permission to the database and select privileges on the datasets are required for:
  -The user making the map (or accessing the data to be published)
  -The user you have in the Database Connection file (.sde) that you registered with ArcGIS Server.
*Be aware that if you use Windows-Authenticated logins, the ArcGIS Server primary site administrator (that's the administrator account created when you set up the ArcGIS Server site) needs the same privileges: in this case, connect permission and select privileges on the datasets.



I don't understand who is "user that is specified in the .sde file you registered with ArcGIS Server."

And if I understand you correctly, if the owner of the data or the user in the .sde file would like the publish a map service, they both need the permission to connect tot he database and some privileges to the datasets. right?

Thank you! This is really helpful!

Luyang
0 Kudos
KimPeter
Esri Contributor
Yes; the Privileges dialog box in ArcGIS Desktop and Change Privileges geoprocessing tool allow the dataset owner to grant or revoke privileges on datasets.  The database privileges (connect, create table, create view, create procedure) are granted by the database administrator.

When you register the data store that Derek mentioned, you are registering a database connection (.sde) file. That's the .sde file to which I was referring. This is the connection information that authenticates ArcGIS Server in the database. It requires a user name and password or, in the case of operating system authentication, will use the login of the connecting client (the ArcGIS Server primary administrator account for ArcGIS Server).

And if I understand you correctly, if the owner of the data or the user in the .sde file would like the publish a map service, they both need the permission to connect tot he database and some privileges to the datasets. right?

Pretty much...except the owner of the data already has full privileges on the datasets he/she owns.  But if any other user besides the data owner needs to publish the data, that user needs connect permissions to the database and privileges on the data to be published. And, yes, the user specified in the .sde file that is registered as the ArcGIS Server data store (registered database) needs database connect and dataset privileges.
0 Kudos