We are using Enterprise 11.1, and ArcGIS Pro 3.1.2. This issue seems to come and go, but it's reared its head again.
When creating an enterprise geodatabase (SQL Server), we are using branch versioning, and set the default access level to "protected". Despite this, portal user roles without the "Manage All" capability are allowed to edit the default directly and post to it. @EvaTTA mentioned this fairly recently, and in that post it was said to be linked to bugs BUG-000135099 and BUG-000150561, but I cannot find any information on these.
I'll note something especially strange, that "protected" was working as expected last time I checked on Oct 3, but today on the same dataset I dusted off my test account that is not a "Version Administrator", and that account was able to edit the protected default directly. I think the only thing that's changed since then schema-wise is adding a couple of values to one of the domains.
Has anybody encountered this? I'm stumped because as far as I can tell I'm doing everything by the book with respect to creating the enterprise geodatabases, managing portal users, and publishing the feature services.
Hello, I tried following the suggestions of @MarceloMarques, essentially having a separate database user with minimal privileges to create the feature classes, and publishing from that connection. I'm not sure how well these translate from SQL Server to postgres, but the privileges I granted this "publisher" user were Connect, Create procedure, Create table, Create view, Delete, Execute, Insert, Select, and Update.
In any case, the issue still persisted. Turns out that what was causing our problem has to do with Portal privileges: it appears any user with Administrative privileges > Content > Update enabled will be able to do anything that a version administrator can do.
Either this is a bug, in which case please fix it, Esri, or this documentation is inaccurate -- it does not list the apparently crucial "Update" privilege under the definition of users who act as a "Version administrator."
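An added example, not part of the original post or any Esri tooling: a small offline audit that flags Portal accounts whose role carries Administrative > Content > Update without the "Manage All" version privilege, which is the condition the post above identifies. The privilege identifiers `portal:admin:updateItems` and `features:user:manageVersions`, the role id `org_admin`, and the record layout are assumptions to verify against your own Portal's role definitions; the sample data is constructed.

```python
"""Audit Portal roles for unintended version-administrator rights (added example)."""

# Assumed privilege identifiers; verify them against your Portal's own role JSON.
CONTENT_UPDATE = "portal:admin:updateItems"        # Administrative > Content > Update
MANAGE_VERSIONS = "features:user:manageVersions"   # "Manage All" versions
BUILTIN_ADMIN = "org_admin"                        # built-in administrator role id


def risky_roles(roles):
    """Role ids that hold Content > Update without being intended version admins."""
    flagged = set()
    for role in roles:
        privs = set(role.get("privileges", []))
        if role["id"] == BUILTIN_ADMIN or MANAGE_VERSIONS in privs:
            continue  # these roles are expected to administer versions
        if CONTENT_UPDATE in privs:
            flagged.add(role["id"])
    return flagged


def unintended_version_admins(roles, users):
    """Sorted (username, role name) pairs for accounts assigned a flagged role."""
    names = {r["id"]: r["name"] for r in roles}
    flagged = risky_roles(roles)
    return sorted((u["username"], names[u["role"]]) for u in users if u["role"] in flagged)


# Constructed sample data, shaped like exported role and user records.
SAMPLE_ROLES = [
    {"id": "org_admin", "name": "Administrator", "privileges": []},
    {"id": "r_editor", "name": "Field Editor", "privileges": ["features:user:edit"]},
    {"id": "r_content", "name": "Content Manager",
     "privileges": ["features:user:edit", CONTENT_UPDATE]},
    {"id": "r_vadmin", "name": "Version Admin",
     "privileges": [CONTENT_UPDATE, MANAGE_VERSIONS]},
]
SAMPLE_USERS = [
    {"username": "admin1", "role": "org_admin"},
    {"username": "alice", "role": "r_editor"},
    {"username": "bob", "role": "r_content"},
    {"username": "carol", "role": "r_vadmin"},
    {"username": "dave", "role": "r_content"},
]

if __name__ == "__main__":
    for username, role in unintended_version_admins(SAMPLE_ROLES, SAMPLE_USERS):
        print(f"{username}: role '{role}' holds Content > Update without Manage All")
```
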
The bugs you referred to:
BUG-000150561 seems related to your issue, but I don't see much info available on the link. Probably contact Esri Tech Support and get an update on the bug.
For BUG-000150561, it is closed and a duplicate of another issue (BUG-000135099) which is showing as fixed in Pro 3.1; https://www.esri.com/content/dam/esrisites/en-us/media/products/arcgis-pro-issues-addressed/arcgis-p...
@SamSzotkowski - I sent you a direct message with some questions and I also recommend you reach out to technical support so we can isolate the issue for you and get to the root of the problem.
Please feel free to reach out to me directly.
Hello! Did you ever reconcile this issue? No pun intended 😁. I am dealing with the same exact issue right now. Non-version admins can edit default, reconcile and post to default, and reconcile and post each other's versions as well. The default version is set to protected and we are in Postgres.
No, we kind of ignored it for a bit because there were bigger fish to fry, but I'm meeting with Esri on Monday about this so I'll be sure to update this post once we figure out what's wrong and/or get it resolved.
I think it's notable that you're using postgres and we're using SQL server, possibly rules out an issue with the database itself.
-------------------------------------------------------------------------------------------------------------------------------
BUG-000136400 - When posting edits from child versions in branch versioning, the following error message is returned, "Error: Insufficient permission". Duplicate Record #BUG-000135099
This is a duplicate of BUG-000135099: The SDE/DBO is the owner of the default version, the security model is bypassed. Therefore, in future releases, the ability to register datasets owned by SDE/DBO as versioned (branch) is to be blocked.
-------------------------------------------------------------------------------------------------------------------------------
BUG-000150561 - Portal for ArcGIS users with an editor role can edit the default branch version although the access is set to be protected. Duplicate Record #BUG-000135099
-------------------------------------------------------------------------------------------------------------------------------
BUG-000135099 - Branch versioned data owned by the DBO or SDE users allows standard portal users access to view and manage all versions via the service.
From Workaround: Branch versioned data must not be owned by the SDE or DBO users. Do not register data owned by SDE or DBO users as branch versioned.
The ArcGIS Server 10.9.1 Utility Network and Data Management Patch 6 is now live on the support site. The URL is:
https://support.esri.com/en-us/patches-updates/2023/arcgis-server-10-9-1-utility-network-and-data-ma...
The ArcGIS Server 10.8.1 Utility Network Patch 11 is now live on the support site. The URL is:
https://support.esri.com/en-us/patches-updates/2023/arcgis-server-10-8-1-utility-network-patch-11
-------------------------------------------------------------------------------------------------------------------------------
Note: always install the latest patches that were released!!!
Esri Support Search Results - ArcGIS Pro
Esri Support Search Results - ArcGIS Enterprise: Portal + Server + Datastore + WebAdaptor + Utility Network
-------------------------------------------------------------------------------------------------------------------------------
I've read about some of those bugs and mentioned them in my original post, yet I'm seeing this issue in Pro 3.1 and 3.2.
Anyhow, I'm not sure what this means: "Branch versioned data must not be owned by the SDE or DBO users." When you're sharing a branch versioned dataset, the docs say "You must own the data you're publishing. That means the credentials you use in the database connection that accesses the data must be those of the data owner." You can't even publish if you're not connected as a user with db_owner or sysadmin. Plus when you create an enterprise database, you have to choose either a dbo- or sde-owned schema.
So I wholeheartedly accept that I'm misunderstanding something, what are these workarounds telling me to do exactly?
My probably wrong understanding of the workaround led me to creating an enterprise gdb as a sysadmin, then creating a new user and giving them db_owner privilege on that database, then connecting as them. So all the feature classes show up as "TEST_ACCOUNT.fc_name" in Pro. I published while connected as TEST_ACCOUNT, protected the default, and so on, and the issue persists.
You can restrict those privileges and avoid granting sysadmin and db_owner to users; the only user you might need to grant db_owner is the sde user, and that only temporarily when doing the arcsde repository upgrade. You can learn more on how to properly set up the sde user privileges and the data owner user privileges in my database template scripts for SQL Server in the link below.
For more best practices, please visit my community.esri.com blog below. There you will find the ArcGIS Pro database guide books for SQL Server, and you can also download my database template scripts for SQL Server to help set up the SQL Server Geodatabase. You can use the Production Mapping database guidebooks; the best practices can be applied to any industry.
Mapping and Charting Solutions (MCS) Enterprise Databases Best Practices