Grant and revoke privileges with another user

1387
5
10-24-2014 01:45 PM
Highlighted
Occasional Contributor

Hi all,

I would like to manage privileges for my feature datasets inside my enterprise geodatabase (10.2-SQL Server) with another user (Not DBO user nor SDE user).

I'm using windows authentification and assigning db_owner permissions to a specific user in a database level using SQL Management Studio, but it doesn't seems to work.

Is there a way to achieve this?

Thanks for your help,

MB

Reply
0 Kudos
5 Replies
Highlighted
Regular Contributor

You can only apply permissions to the data that the logged in user owns.

For instance:  If there is a feature dataset call MyDb."marco".featureclass1, only the user marco can apply permissions.

Steven

Highlighted
Regular Contributor

I don't think their is anyway around it.  Maybe @ESRI can provide some insight.

Reply
0 Kudos
Highlighted
Regular Contributor III

There is an option of "With Grant" which may help in this scenario.

SQL SERVER – Difference Between GRANT and WITH GRANT | Journey to SQL Authority with Pinal Dave

Welcome to SQLServer MVP Blog: Grant vs With Grant option in SQL Server

This is available in the database properties--> Permissions

Highlighted
Esri Contributor

The WITH GRANT option is only available from the database using database level tools. I would not recommend using this privilege to manage privileges for data in an enterprise geodatabase, especially when data is contained in a feature dataset. There are many cases (too many to list) where an ArcGIS dataset is not just one table but many tables in the underlying DBMS. If you use database tools to manage privileges on these datasets and happen to miss one of the underlying tables you will run into issues reading and writing this data. This can lead to data corruption and a lot of sadness. Please stick to managing privileges for datasets with Esri tools.

The recommended approach to this is to load data using a 'headless' user. This user could be a database user or an OS authenticated user that isn't associated to someone specific in your organization. Loading data as this user will allow you to manage privileges using this user.

Hope this helps,

Russell

Highlighted
Occasional Contributor

I've decided to manage all the privileges with only one account as recommended, but I think this topic could be useful for enterprise gdb management, hope in the future we could use something like that.

I'll mark all your comments as helpful, thank you very much for your answers and interest

MB

Reply
0 Kudos