I have created an enterprise geodatabase database in this way: (Access by Admin, then create GIS Owner account to load the data, create users using admin accounts for sde_user_edit and for sde_user_read).
Everything is okay with SDE_USER_READ as he cannot do any changes to my feature classes (Add or Delete) for the feature datasets and classes that created by gisowner account, BUT why he is able to create new feature classes, new datasets on the same database, how it comes? as per my understanding the GIS owener account is the only responsible account to do this as he is the owner of the data, even my edit account is able to create new feature classes. what I missed here?
How did you create these users? Using ArcCatalog or from the Database end?
The Create Database User tool creates a database user with privileges sufficient to create data in the database.
Many thanks Asrujit,
Yes, I used this tool "Create Database User" and that was led me to have the following privilliges to my SQL server database:
- CREATE TABLE
- CREATE PROCEDURE
- CREATE VIEW
How to disable these create functions now? I don't want my users to especially sde_read to add and create feature datasets and classes.
From the database end, you can revoke these permissions for that user on that Database. Use SQL Server Management Studio.
In SQL Server Management Studio--> R-Click on the concerned Database--> Properties--> Permissions--> Select the concerned user--> Revoke the required Permissions from the list below.
Note that you might have issues working with large selection sets which use logfile tables in the database. "Read-only" users are granted CREATE TABLE to support logfile creation.
This will be fine on SQL Server - by default all logfiles, keyset tables & other temporary objects are created in tempdb. No additional permissions are required for this.