Hi,
I've been reading some help topics and GeoNet posts about managing permissions in GDB, eventhough I am overwhelmed by all the implied considerations on implementing GDB security.
My question seems relatively simple but I can't solve my issue yet, so:
What are the minimum permissions that my users must have in the database in SQL Server in order for me to manage their select/editing permissions with arcCatalog for mi Enterprise Geodatabase?
Thank you
Marco
Solved! Go to Solution.
The best I can think of would be to create separate groups and add the Windows logins to the groups as desired.
The groups will have permissions based on your need.
Example:
db_datareader: for previewing purpose only
db_datareader: for users who are going to edit all the data in the geodatabase
grant privileges from ArcCatalog: for users who are supposed to edit certain data only.
The reason for suggesting groups-- you have Windows AD setup and won't have to add each login manually and setup permissions.
Grant Select, update, Delete, Insert permissions to the user.
If there are many users,
1) Create role
2) Provide permissions (Select, update delete, insert) to the role
3) Assign the users to that role.
Srav
Thanks for the answer, although,
That's for Geodatabase permissions' managment, through ArcCatalog, but how the permissions inside the SQL Server (database server) must stand in order to avoid issues in that first assignment?
Greetings,
MB
What exactly are these users supposed to do?
Edit particular data in the geodatabase? edit all data in the sde geodatabase? only preview the data in the sde geodatabase?
You shouldn't have to grant them any permissions inside SQL Server, just add them to the database. Once they are added to the database, you can grant them permissions on only data you own inside ArcCatalog.
Steven
Asrujit, there are many users with different requirements, some of them will just preview the data meanwhile other users will edit data; also, schema must remain unchanged.
TKS
MB
The best I can think of would be to create separate groups and add the Windows logins to the groups as desired.
The groups will have permissions based on your need.
Example:
db_datareader: for previewing purpose only
db_datareader: for users who are going to edit all the data in the geodatabase
grant privileges from ArcCatalog: for users who are supposed to edit certain data only.
The reason for suggesting groups-- you have Windows AD setup and won't have to add each login manually and setup permissions.
Steven, the problem is that In the enterprise where I'm working, the permissions were managed through SQL and also through ArcCatalog because they were having some issues in editing data. So, I'm trying to rebuild the users/rol administration in order to optimize the permissions' control. For this reason, I'm, in first place, rebuilding the groups and logins in Active Directory, after that, I must establish the minimum permissions in SQL in order to manage the GDB permissions only from ArcCatalog and avoid any (GDB nor SQL) permissions issues.
TKS,
MB
So, in the past, in SQL, some permissions were established (Owner, R/W, Read-Only).
TKS
MB
My workflow is pretty simple,
1st. Create the Active Directory user.
2nd. Add the user to the database through SQL Mgmt Studio.
3rd. Add the user to the Ent GDB through ArcCatalog.
4th. Add permissions to either Feature Datasets or Feature Classes.
Keep in mind that you can't create a geodatabase user for an entire windows group. ArcGIS Help (10.2, 10.2.1, and 10.2.2)
Hope this helps in your migration.
Steven