GDB and SQL permissions

2045
13
Jump to solution
10-23-2014 07:13 AM
Marco_AlejandroBonilla
Occasional Contributor

Hi,

I've been reading some help topics and GeoNet posts about managing permissions in GDB, eventhough I am overwhelmed by all the implied considerations on implementing GDB security.

My question seems relatively simple but I can't solve my issue yet, so:

What are the minimum permissions that my users must have in the database in SQL Server in order for me to manage their select/editing permissions with arcCatalog for mi Enterprise Geodatabase?

Thank you

Marco

0 Kudos
1 Solution

Accepted Solutions
AsrujitSengupta
Regular Contributor III

The best I can think of would be to create separate groups and add the Windows logins to the groups as desired.

The groups will have permissions based on your need.

Example:

db_datareader: for previewing purpose only

db_datareader: for users who are going to edit all the data in the geodatabase

grant privileges from ArcCatalog: for users who are supposed to edit certain data only.

The reason for suggesting groups-- you have Windows AD setup and won't have to add each login manually and setup permissions.

View solution in original post

13 Replies
Sravan_KumarUddarraju
New Contributor

Grant Select, update, Delete, Insert permissions to the user.

If there are many users,

1) Create role

2) Provide permissions (Select, update delete, insert) to the role

3) Assign the users to that role.

Srav

0 Kudos
Marco_AlejandroBonilla
Occasional Contributor

Thanks for the answer, although,

That's for Geodatabase permissions' managment, through ArcCatalog, but how the permissions inside the SQL Server (database server) must stand in order to avoid issues in that first assignment?

Greetings,

MB

0 Kudos
AsrujitSengupta
Regular Contributor III

What exactly are these users supposed to do?

Edit particular data in the geodatabase? edit all data in the sde geodatabase? only preview the data in the sde geodatabase?

0 Kudos
StevenGraf1
Regular Contributor

You shouldn't have to grant them any permissions inside SQL Server, just add them to the database.  Once they are added to the database, you can grant them permissions on only data you own inside ArcCatalog.

Steven

0 Kudos
Marco_AlejandroBonilla
Occasional Contributor

Asrujit, there are many users with different requirements, some of them will just preview the data meanwhile other users will edit data; also, schema must remain unchanged.

TKS

MB

0 Kudos
AsrujitSengupta
Regular Contributor III

The best I can think of would be to create separate groups and add the Windows logins to the groups as desired.

The groups will have permissions based on your need.

Example:

db_datareader: for previewing purpose only

db_datareader: for users who are going to edit all the data in the geodatabase

grant privileges from ArcCatalog: for users who are supposed to edit certain data only.

The reason for suggesting groups-- you have Windows AD setup and won't have to add each login manually and setup permissions.

Marco_AlejandroBonilla
Occasional Contributor

Steven, the problem is that In the enterprise where I'm working, the permissions were managed through SQL and also through ArcCatalog because they were having some issues in editing data. So, I'm trying to rebuild the users/rol administration in order to optimize the permissions' control. For this reason, I'm, in first place, rebuilding the groups and logins in Active Directory, after that, I must establish the minimum permissions in SQL in order to manage the GDB permissions only from ArcCatalog and avoid any (GDB nor SQL) permissions issues.

TKS,

MB

0 Kudos
Marco_AlejandroBonilla
Occasional Contributor

So, in the past, in SQL, some permissions were established (Owner, R/W, Read-Only).

TKS

MB

0 Kudos
StevenGraf1
Regular Contributor

My workflow is pretty simple,

1st. Create the Active Directory user.

2nd.  Add the user to the database through SQL Mgmt Studio.

3rd.  Add the user to the Ent GDB through ArcCatalog.

4th.  Add permissions to either Feature Datasets or Feature Classes.

Keep in mind that you can't create a geodatabase user for an entire windows group. ArcGIS Help (10.2, 10.2.1, and 10.2.2)

Hope this helps in your migration.

Steven