What I would like to implement is a truly read only SDE user. I am currently using PostgreSQL as the backend to a 9.3 SDE database. I have a "gisuser" role that has only been granted SELECT privileges on all the tables in the database. Also, the role was created with basic privileges: nocreatedb, noinherit, etc.
I've found that selections fail unless the current user has a schema in the DB. I'm assuming Select By Attributes requires the creation of temporary tables. I'm sure there are other functions out there that also require the current user to have some privileges for temporary data storage. However, giving the "gisuser" account a schema also allows the "gisuser" to create its own feature classes.
I would like to be able to allow users (mostly GIS novices and students learning the software) access to data stored in SDE, but I want to prevent them from inadvertently creating feature classes in SDE. My concern is that most geoprocessing tools (Clip, for instance) automatically specify the output location to be the same workspace as the input features. I'm sure that someone will forget to specify a local GDB as the output and clutter up the SDE database with "orphaned" feature classes in the gisuser schema.
Any ideas on how to provide access to SDE to several users through a "read only" account would be appreciated. Thanks!
PS I'm not a DBA, so if I'm off on details I apologize and would appreciate getting set straight.
If selections are made over a threshold value (default 100), log files are used. Depending on the log file configuration settings, create table permission may be required. The default is Shared log files, for which create table is required by the users making selections of over 100 records. You may want to consider using a pool of log files owned by the ArcSDE administrator, which do not require users to have create table privilege. Please refer to the following link for general log file configuration information:
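An added example, not part of the original posts: PostgreSQL catalog queries for checking what the `gisuser` role from the question can actually do, and whether it already owns any objects. Only the role name comes from the thread; run the queries as a superuser while connected to the SDE database.

```sql
-- 1. Schemas where gisuser can create objects (tables, feature classes).
--    has_schema_privilege() also counts rights inherited through PUBLIC,
--    which matters for the "public" schema on PostgreSQL releases before 15.
SELECT n.nspname                                        AS schema_name,
       pg_get_userbyid(n.nspowner)                      AS schema_owner,
       has_schema_privilege('gisuser', n.oid, 'USAGE')  AS can_use,
       has_schema_privilege('gisuser', n.oid, 'CREATE') AS can_create
FROM   pg_namespace n
WHERE  n.nspname !~ '^pg_'
  AND  n.nspname <> 'information_schema'
ORDER  BY can_create DESC, schema_name;

-- 2. Database-level rights: TEMP allows temporary tables,
--    CREATE allows creating new schemas in this database.
SELECT has_database_privilege('gisuser', current_database()::text, 'TEMP')   AS can_create_temp_tables,
       has_database_privilege('gisuser', current_database()::text, 'CREATE') AS can_create_schemas;

-- 3. Tables and views where gisuser holds any write privilege.
--    A comma-separated list returns true if any one of them is held.
SELECT c.oid::regclass AS relation,
       has_table_privilege('gisuser', c.oid, 'INSERT')   AS can_insert,
       has_table_privilege('gisuser', c.oid, 'UPDATE')   AS can_update,
       has_table_privilege('gisuser', c.oid, 'DELETE')   AS can_delete,
       has_table_privilege('gisuser', c.oid, 'TRUNCATE') AS can_truncate
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
WHERE  c.relkind IN ('r', 'v')
  AND  n.nspname !~ '^pg_'
  AND  n.nspname <> 'information_schema'
  AND  has_table_privilege('gisuser', c.oid, 'INSERT, UPDATE, DELETE, TRUNCATE')
ORDER  BY 1;

-- 4. Relations already owned by gisuser: candidates for the "orphaned"
--    feature classes the question is worried about.
SELECT c.oid::regclass AS relation,
       c.relkind       AS kind      -- r = table, v = view, i = index, S = sequence
FROM   pg_class c
JOIN   pg_roles r ON r.oid = c.relowner
WHERE  r.rolname = 'gisuser'
ORDER  BY 1;
```

An empty result from queries 3 and 4, and `can_create = false` everywhere in query 1 except any schema deliberately set aside for the role, is what a read-only account should show.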