Privileges of users on enterprise geodatabase,

3577
4
12-09-2013 11:12 AM
JamalNUMAN
Legendary Contributor
Privileges of users on enterprise geodatabase,

By default, users of a particular enterprise geodatabase are able to (assuming that M is the enterprise geodatbase and u1, u2 are users of this geodatbase):

1. Export any layer from the enterprise geodatabase

[ATTACH=CONFIG]29690[/ATTACH]

2. Create feature classes on the enterprise geodatabase

[ATTACH=CONFIG]29691[/ATTACH]

3. Create domains on the enterprise geodatabase

[ATTACH=CONFIG]29692[/ATTACH]

Is there a way to ban these actions?

Thank you

Best

Jamal
----------------------------------------
Jamal Numan
Geomolg Geoportal for Spatial Information
Ramallah, West Bank, Palestine
0 Kudos
4 Replies
WilliamCraft
MVP Regular Contributor
From the looks of it, your screenshots appear to represent an enterprise geodatabase stored in SQL Server.  You also appear to be using the DBO schema rather than the SDE schema. 

Have a look at this Esri help resource to learn more about user permissions for SQL Server geodatabases:

http://resources.arcgis.com/en/help/main/10.2/index.html#//002q0000002s000000

The level of permissions that a user has (u1, u2, etc.) within the database depends on what you grant to begin with.  Sometimes you may grant specific permissions such as GRANT INSERT, UPDATE, DELETE, SELECT to u1 on 'TABLE1'; additionally you may wish to simply assign a role to a particular user.  A role, such as 'db_owner' or 'db_datareader' has a predefined set of permissions associated with it that you should become familiar with before assigning them to user accounts.  These are called Fixed Database Roles, and here is a quick once-over article on what they include: http://msdn.microsoft.com/library/ms189612.aspx.  Think of the Fixed Database Roles as 'system permissions' and think of the specific grants I mentioned earlier as 'object permissions'. 

So, getting back to your question, if you wish to "ban" other users from being able to perform specific operations you need to understand how the permissions work at the RDBMS level and act accordingly.  To prevent exporting of data, I think you would have to simply prevent a user from connecting at all.  It is my understanding that, if a user can see the data by being able to CONNECT and view a table via the ArcGIS Desktop tools, then that user can perform an export via ArcMap or ArcCatalog.  Modifying domains usually requires administrative privileges to the geodatabase.  I believe this would require the DBO user itself or any user who is assigned the 'db_owner' role.  The ability to create a feature class would require CREATE TABLE, CREATE PROCEDURE, and CREATE VIEW permissions.  I believe the 'db_owner' role would suffice here as well based on the two URLs I provided.
by Anonymous User
Not applicable
Original User: Jamal432@gmail.com

From the looks of it, your screenshots appear to represent an enterprise geodatabase stored in SQL Server.  You also appear to be using the DBO schema rather than the SDE schema. 

Have a look at this Esri help resource to learn more about user permissions for SQL Server geodatabases:

http://resources.arcgis.com/en/help/main/10.2/index.html#//002q0000002s000000

The level of permissions that a user has (u1, u2, etc.) within the database depends on what you grant to begin with.  Sometimes you may grant specific permissions such as GRANT INSERT, UPDATE, DELETE, SELECT to u1 on 'TABLE1'; additionally you may wish to simply assign a role to a particular user.  A role, such as 'db_owner' or 'db_datareader' has a predefined set of permissions associated with it that you should become familiar with before assigning them to user accounts.  These are called Fixed Database Roles, and here is a quick once-over article on what they include: http://msdn.microsoft.com/library/ms189612.aspx.  Think of the Fixed Database Roles as 'system permissions' and think of the specific grants I mentioned earlier as 'object permissions'. 

So, getting back to your question, if you wish to "ban" other users from being able to perform specific operations you need to understand how the permissions work at the RDBMS level and act accordingly.  To prevent exporting of data, I think you would have to simply prevent a user from connecting at all.  It is my understanding that, if a user can see the data by being able to CONNECT and view a table via the ArcGIS Desktop tools, then that user can perform an export via ArcMap or ArcCatalog.  Modifying domains usually requires administrative privileges to the geodatabase.  I believe this would require the DBO user itself or any user who is assigned the 'db_owner' role.  The ability to create a feature class would require CREATE TABLE, CREATE PROCEDURE, and CREATE VIEW permissions.  I believe the 'db_owner' role would suffice here as well based on the two URLs I provided.


Thank you William for the very useful answer,

My understanding that permissions are granted at two levels,

1. At the level of features class: where users are granted select\insert\update\delete permissions

[ATTACH=CONFIG]29727[/ATTACH]

2. Al the level of the enterprise geodatabase: by default, users added to a particular enterprise geodatabase is granted Connect\Create Procedure\Create table\Create View\View Definition.

[ATTACH=CONFIG]29728[/ATTACH]

At work environment, I�??m required to �??ban�?� users from being able to

1. Export layers\tables: Mr. Macro has indicated too that this property can�??t be set and thus all users who have �??select�?� property will be able to export layers. At the same time, my business requirement dectates to ban users from being able to export layers while they have other permission granted.

2. Create tables\layers on the enterprise geodatabase

3. Create domains on the enterprise geodatabase

4. Delete tables\layers: this property is set by default and thus all users are not able to delete tables\feature classes

What might be the solution?
0 Kudos
WilliamCraft
MVP Regular Contributor

1. Export layers\tables: Mr. Macro has indicated too that this property can�??t be set and thus all users who have �??select�?� property will be able to export layers. At the same time, my business requirement dectates to ban users from being able to export layers while they have other permission granted.

2. Create tables\layers on the enterprise geodatabase

3. Create domains on the enterprise geodatabase

4. Delete tables\layers: this property is set by default and thus all users are not able to delete tables\feature classes

What might be the solution?



1. Any user who has access to an ArcGIS Desktop client (ArcMap, ArcCatalog) will be able to export the data if they have CONNECT and if they have SELECT privileges on the table in question.  As I mentioned before, if they can "see" the data then they can export it.  To prevent this, either don't give them an ArcGIS Desktop client or develop custom code to restrict specific menu options and buttons within the desktop suite of products based on the role of the user logging in.  You can do this with a custom login DLL, but it's a long road to get to this point. 

2. To restrict users from creating tables within the geodatabase, ensure the users do not have the CREATE TABLE privilege.  As I mentioned before, I believe this can be achieved by the assigning only db_datareader role to the users. 

3. Only geodatabase administrators should have the rights to create domains within the SQL Server geodatabase.  That being said, if a user only has the db_datareader role then that should prevent them from being able to do this.  Alternatively, simply revoking INSERT, UPDATE and DELETE on the SDE tables for a given user should also do the trick. 

4. Similar to #2 above... to restrict users from deleting tables within the geodatabase, ensure the users do not have the DROP TABLE privilege.  As I mentioned before, I believe this can be achieved by the assigning only db_datareader role to the users.
0 Kudos
by Anonymous User
Not applicable
Original User: Jamal432@gmail.com

1. Any user who has access to an ArcGIS Desktop client (ArcMap, ArcCatalog) will be able to export the data if they have CONNECT and if they have SELECT privileges on the table in question.  As I mentioned before, if they can "see" the data then they can export it.  To prevent this, either don't give them an ArcGIS Desktop client or develop custom code to restrict specific menu options and buttons within the desktop suite of products based on the role of the user logging in.  You can do this with a custom login DLL, but it's a long road to get to this point. 

2. To restrict users from creating tables within the geodatabase, ensure the users do not have the CREATE TABLE privilege.  As I mentioned before, I believe this can be achieved by the assigning only db_datareader role to the users. 

3. Only geodatabase administrators should have the rights to create domains within the SQL Server geodatabase.  That being said, if a user only has the db_datareader role then that should prevent them from being able to do this.  Alternatively, simply revoking INSERT, UPDATE and DELETE on the SDE tables for a given user should also do the trick. 

4. Similar to #2 above... to restrict users from deleting tables within the geodatabase, ensure the users do not have the DROP TABLE privilege.  As I mentioned before, I believe this can be achieved by the assigning only db_datareader role to the users.





many thanks William for the elaboration,

1. It works. Unchecking the �??create table�?� permission for a particular users bans him\her from being able to create layers\tables on the enterprise geodatabase (screenshots below)


[ATTACH=CONFIG]29738[/ATTACH], [ATTACH=CONFIG]29739[/ATTACH]

2. What I couldn�??t figure out is how to ban users from being able to create domains on the enterprise geodatabase? Can this be managed from the �??SQL Server Management Studio�?�?

[ATTACH=CONFIG]29740[/ATTACH]
0 Kudos