Branch Versioning Default Access Permission Changes

07-11-2022 10:04 AM
Status: Closed
CoryBowlin
Regular Contributor

Currently in ArcGIS Pro, while using Branch versioning, the default "Access" level can only be changed by the geodatabase administrator. This restriction is unnecessary and burdensome. I would like to propose ESRI change the minimum account level required to perform this modification to the data owner account of the dataset. This would more similarly model traditional versioned database access permissions. This also follows the principle of least privilege. If an account can create/update/delete a feature class (data owner), the same account should be able to modify access to the default of the same data.

3 Comments
MelissaJarman
Status changed to: Closed

The Default version is the default for that specific versioning type for the entire geodatabase – e.g., all branch versioned datasets for the entire enterprise geodatabase.

Because different database users could own different branch versioned datasets in a geodatabase, keeping the access permission restricted as the geodatabase admin is best.

We are interested in hearing additional use cases from our users based on business needs.

CoryBowlin

Thanks @MelissaJarman for your comments. I just tested this as a dataowner (not the geodatabase admin account) on a Traditional Versioned DB to make sure my thought process was correct. Right now in Pro 2.8.3 and other versions of Pro and ArcMap that I have used in the past, the dataowner account can modify the default Access level of the traditional versioned DBs. This doesn't seem to align with some of the ESRI documentation.

I do see your point that modifications would impact other data owned by other dataowner accounts. I guess for what I'm asking for to work well, the access would have to only apply to each dataset or table and not the whole database. Still I think it would be wise to give dataowners the full leverage to protect the data they own.

I hope to hear from others that would like to see dataowners given the flexibility to control editing on all versions including the default for Branch Versioned data.

DeanMoiler

In our recent workings with branch versioned services, I find common cause with @CoryBowlin in this request. I have a branch versioned service that I wish to restrict editing access to protected for the service, to allow only version administrators to post/reconcile edits to default, but would need to request this be set by the database administrator rather than allowing for a version administrator, or the owner of the web feature layer, to make this change for the service and its data.

Ideally the owner of the feature service, or a portal administrator, would be able to set this level individually, as it seems to indicate whether you need to be an admin, have privilege via custom role, or the owner of the service to reconcile/post.

In an even more ideal world, you would be able to assign version edit to different groups, e.g. Team One (data owners) perform default reconcile/post, Team 2 (data ground truth / validators) perform edits to a different version of the data (create one new feature layer item per version?). Members of the version owning group would be able to set the access level for the version shared with them. I will post this to another idea to see if that gets any interest.