How SDE Read user can add new feature classes in ArcSDE

03-20-2017 05:54 AM
New Contributor II

Hi Dear:

I have created an enterprise geodatabase in this way: (access by Admin, then create a GIS Owner account to load the data, then create users using the admin account for sde_user_edit and for sde_user_read).

Everything is okay with SDE_USER_READ, as he cannot make any changes (add or delete) to the feature datasets and classes that were created by the gisowner account. BUT why is he able to create new feature classes and new datasets in the same database? How come? As per my understanding, the GIS owner account is the only account responsible for this, as he is the owner of the data. Even my edit account is able to create new feature classes. What did I miss here?

6 Replies
MVP Regular Contributor

How did you create these users? Using ArcCatalog or from the Database end?

Create Database User—Help | ArcGIS Desktop 

The Create Database User tool creates a database user with privileges sufficient to create data in the database.

New Contributor II

Many thanks Asrujit,

Yes, I used this tool, "Create Database User", and that led me to have the following privileges on my SQL Server database:




How do I disable these create functions now? I don't want my users, especially sde_read, to add and create feature datasets and classes.

MVP Regular Contributor

From the database end, you can revoke these permissions for that user on that Database. Use SQL Server Management Studio.

In SQL Server Management Studio --> right-click on the concerned Database --> Properties --> Permissions --> select the concerned user --> revoke the required Permissions from the list below.
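
The same revocation expressed as a T-SQL script, added here as an example and not part of the original replies. The database name `gisdb` and the list of CREATE permissions are assumptions (the screenshot of the granted privileges did not survive on this page); `sde_user_read` is the user named in the question.

```sql
-- Added example. [gisdb] is a placeholder database name (assumption).
USE [gisdb];
GO

-- 1. Audit: database-level CREATE permissions granted directly to the user.
SELECT pr.name AS principal_name,
       pe.permission_name,
       pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 0                        -- 0 = permission on the database itself
  AND pe.permission_name LIKE 'CREATE %'
  AND pr.name = N'sde_user_read';

-- 2. Audit: role memberships. Rights inherited from a role (for example
--    db_owner or db_ddladmin) are not removed by a REVOKE on the user.
SELECT r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'sde_user_read';

-- 3. Revoke the CREATE permissions found in step 1.
--    The list below is an assumption; use the names step 1 actually returned.
REVOKE CREATE TABLE, CREATE VIEW, CREATE PROCEDURE FROM [sde_user_read];
GO

-- 4. Verify the effective permissions as that user. An empty result means
--    no CREATE permission remains, whether direct or inherited.
EXECUTE AS USER = N'sde_user_read';
SELECT permission_name
FROM fn_my_permissions(NULL, 'DATABASE')
WHERE permission_name LIKE 'CREATE %';
REVERT;
GO
```

If step 4 still returns rows after the REVOKE, the permission is coming from a role listed in step 2 or from a grant to `public`, and has to be removed there.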

New Contributor II

Many thanks, Asrujit... It works now.

Thank you my friend.

Esri Esteemed Contributor

Note that you might have issues working with large selection sets which use logfile tables in the database. "Read-only" users are granted CREATE TABLE to support logfile creation.

Esri Contributor

This will be fine on SQL Server - by default all logfiles, keyset tables & other temporary objects are created in tempdb. No additional permissions are required for this.