Hello all!
What I would like to implement is a truly read only SDE user. I am currently using PostgreSQL as the backend to a 9.3 SDE database. I have a "gisuser" role that has only been granted SELECT privileges on all the tables in the database. Also, the role was created with basic privileges: nocreatedb, noinherit, etc.
I've found that selections fail unless the current user to has a schema in the DB. I'm assuming Select By Attributes requires the creation of temporary tables. I'm sure there are other functions out there that also require the current user to have some privileges for temporary data storage. However, giving the "gisuser" account a schema also allows the "gisuser" to create its own feature classes.
I would like to be able to allow users (mostly GIS novices and students learning the software) access to data stored in SDE, but I want to prevent them from inadvertently creating feature classes in SDE. My concern is that most of geoprocessing tools (Clip, for instance) automatically specifies the output location to be the same workspace as the input features. I'm sure that someone will forget to specify a local GDB as the output and clutter up the SDE database with "orphaned" feature classes in the gisuser schema.
Any ideas on how to provide access to SDE to several users through a "read only" account would be appreciated. Thanks!
PS I'm not a DBA, so if I'm off on details I apologize and would appreciate getting set straight.