I have a non-admin user account in SQL Server (database authentication) that has been configured to be read-only. However, we are noticing that this user can create feature datasets and domains. The user account cannot, however, create feature classes.
Can anyone suggest why this might be happening?
Are you sure it is able to create Domains and Feature Datasets, and not just able to see those?
Check the permissions that the login has in the database: in Management Studio --> right-click on the database --> Permissions --> select the login --> Explicit Permissions
As far as I can tell, this is standard ArcGIS functionality, at least up to 10.0: The SDE delegates privileges to the underlying database, e.g. Oracle or SQL Server. It doesn't have any rights management structure of its own that I'm aware of. Also (at least on ArcSDE 10.0 SP5 and Oracle 11.2), PUBLIC has write access (INSERT, UPDATE, DELETE) to GDB_ITEMS and related objects. As far as I can see, this means that you can prevent users from creating new database objects and from modifying existing user objects, but various operations that modify GDB_ITEMS only and don't involve other users' objects seem to be open, e.g. creating domains and feature datasets.
For testing, I just created a user on one of my Oracle databases that has CONNECT privileges only, nothing else, and I successfully created a feature dataset as that user.
I think that's exactly what I am seeing as well. The user has only CONNECT privileges but is able to create feat datasets and even domains.
More than feat datasets, I am not OK with such users being able to create domains. This causes issues when we want to maintain a standard schema throughout the org.
Thanks for your reply!
The issue that you have notified about has been reported to ESRI as bug -
NIM089563: The PUBLIC role is automatically granted INSERT/UPDATE/DELETE on geodatabase (GDB) tables.
I am not sure if it has been fixed.
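An added example, not part of the original thread: a T-SQL audit for SQL Server that lists write permissions granted to the `public` role on geodatabase system tables, then shows what a given read-only user effectively holds on them. The `GDB[_]%` name pattern (GDB_ITEMS is the table named in the thread) and the user name `readonly_user` are assumptions; adjust both to your database.

```sql
-- Added example. Run in the geodatabase's database as a principal that can
-- view permission metadata and impersonate the user being checked.

-- 1) Explicit INSERT/UPDATE/DELETE grants to the public role on GDB_* tables.
SELECT
    s.name             AS schema_name,
    o.name             AS object_name,
    pr.name            AS grantee,
    pe.permission_name,
    pe.state_desc      -- GRANT, GRANT_WITH_GRANT_OPTION or DENY
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
JOIN sys.objects              AS o  ON o.object_id     = pe.major_id
JOIN sys.schemas              AS s  ON s.schema_id     = o.schema_id
WHERE pe.class = 1                      -- object- or column-level permissions
  AND pr.name = N'public'
  AND o.name LIKE N'GDB[_]%'            -- assumption: system-table name prefix
  AND pe.permission_name IN (N'INSERT', N'UPDATE', N'DELETE')
ORDER BY s.name, o.name, pe.permission_name;

-- 2) Effective write access of the "read-only" user on the same tables.
--    This includes anything inherited through public or other roles, which
--    the Explicit Permissions tab in Management Studio does not show.
EXECUTE AS USER = N'readonly_user';     -- hypothetical user name

SELECT
    SCHEMA_NAME(o.schema_id) AS schema_name,
    o.name                   AS object_name,
    HAS_PERMS_BY_NAME(QUOTENAME(SCHEMA_NAME(o.schema_id)) + N'.' + QUOTENAME(o.name),
                      N'OBJECT', N'INSERT') AS can_insert,
    HAS_PERMS_BY_NAME(QUOTENAME(SCHEMA_NAME(o.schema_id)) + N'.' + QUOTENAME(o.name),
                      N'OBJECT', N'UPDATE') AS can_update,
    HAS_PERMS_BY_NAME(QUOTENAME(SCHEMA_NAME(o.schema_id)) + N'.' + QUOTENAME(o.name),
                      N'OBJECT', N'DELETE') AS can_delete
FROM sys.objects AS o
WHERE o.type = 'U'                      -- user tables only
  AND o.name LIKE N'GDB[_]%'
ORDER BY schema_name, object_name;

REVERT;                                 -- return to the original security context
```

A row from the first query, or a `1` in the second for an account meant to be read-only, matches the behaviour described in this thread.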