How to prevent DataViewers from editing/deleting Database Contents

02-08-2012 03:42 AM
SebastianKrings
Frequent Contributor
Hi,

After the SDE post-installation completes, the public role is given permissions to INSERT, UPDATE and DELETE data on SDE objects within the geodatabase (including the table GDB_ITEMS).
Due to this, a user who should have rights like a DataViewer (the ESRI documentation talks only about "SELECT") is still able to connect to my database directly and edit or delete any rows within those tables.
A side effect is that in ArcCatalog the DataViewer (SELECT only, as described in the ESRI documentation) is allowed to create datasets within ArcCatalog. There he is able to grant himself rights using the permissions tool and then he's able to store data. That's not my understanding of a "Data Viewer". Also confusing is the following sentence from the ESRI documentation:

http://help.arcgis.com/en/arcgisdesk...0000028000000/
"When you add users, you also assign them a default schema in the database. If the user is going to own data in the geodatabase, the default schema must have the same name as the user name. If it does not, the user cannot create datasets, copy datasets into the geodatabase, or use geoprocessing tools that result in new datasets."


They are writing about "must" and "If it does not, the user cannot create datasets,...". This is still not true.

In my mind this is a serious lack of security.

I am now looking for a good way to solve this.

One solution could be to still revoke all rights given by the post-installation. But I do not know if they were needed for any other issues.


Thanks for any hints and help.
3 Replies
MelanieWhalen2
Esri Alum
Hi Sebastian,

ArcSDE is designed so that users inherit permissions through the PUBLIC role to access the ArcSDE Repository tables.  This is necessary for a geodatabase user to function successfully.  It is possible to revoke those permissions from the PUBLIC role.  However, this is not how ArcSDE is designed to work.  Esri is aware of the security concerns this causes users.  The following enhancement request has been submitted: [#NIM010483  EnhReq: Security concerns with PUBLIC's privileges automatically given to metadata tables].

Regards,

Melanie W.
SebastianKrings
Frequent Contributor
Hello,

Thanks for your answer.
Where can I find the description of this ticket for further information and to get updated if there's any change?
Maybe it's possible to subscribe to the ticket?

Due to the ticket # I found this article. A comment asked if that were an equal solution, but he didn't receive any answer.
http://support.esri.com/en/knowledgebase/techarticles/detail/35408

But because it is described there that the revoked rights shall be granted explicitly instead of using the public role, I think the problem still exists.

Thanks.
MelanieWhalen2
Esri Alum
Hi Sebastian,

Unfortunately, information on this bug has not been published.  You can open a support ticket and have your incident attached to the bug.  Then, you will be able to find the most up-to-date information on this bug through the ESRI Customer Care Portal at https://customers.esri.com or by using MySupport at http://support.esri.com.

Regards,

Melanie W.
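
Added example, not part of the original posts and not Esri's own code: a read-only audit of the PUBLIC privileges discussed in this thread, useful before deciding whether to revoke anything. It assumes SQL Server, repository tables in a schema named `sde`, and a hypothetical viewer account `gis_viewer`; none of these are stated in the thread.

```sql
-- Assumptions (not from the thread): SQL Server, repository schema 'sde',
-- hypothetical viewer account 'gis_viewer'. Run inside the geodatabase database.

-- 1) Write privileges that PUBLIC holds on objects in the sde schema.
--    Every database user inherits these, including SELECT-only viewers.
SELECT s.name AS schema_name,
       o.name AS object_name,
       o.type_desc,
       p.permission_name,
       p.state_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals  AS g ON g.principal_id = p.grantee_principal_id
JOIN sys.objects              AS o ON o.object_id    = p.major_id
JOIN sys.schemas              AS s ON s.schema_id    = o.schema_id
WHERE p.class = 1                                  -- object-level grants
  AND g.name = N'public'
  AND s.name = N'sde'                              -- assumed schema name
  AND p.permission_name IN (N'INSERT', N'UPDATE', N'DELETE')
  AND p.state_desc IN (N'GRANT', N'GRANT_WITH_GRANT_OPTION')
ORDER BY o.name, p.permission_name;

-- 2) Effective permissions of the viewer account, after role inheritance.
--    Requires IMPERSONATE permission on that user.
EXECUTE AS USER = N'gis_viewer';                   -- hypothetical account

-- What the viewer can do to GDB_ITEMS (the table named in the first post).
SELECT entity_name, permission_name
FROM fn_my_permissions(N'sde.GDB_ITEMS', N'OBJECT')
WHERE subentity_name = N''                         -- table-level rows only
  AND permission_name IN (N'INSERT', N'UPDATE', N'DELETE');

-- Whether the viewer can create tables at all (the ArcCatalog side effect).
SELECT permission_name
FROM fn_my_permissions(NULL, N'DATABASE')
WHERE permission_name = N'CREATE TABLE';

REVERT;
```

Rows from the first query are the inherited grants; rows from the second and third show that the viewer account can in fact write to the repository or create objects.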