Windows group authentication for SDE user on SQL Server/ArcGIS 10.3?

02-17-2015 08:53 AM
MartinAmeskamp
Occasional Contributor II

Hi,

we're starting to work with ArcGIS 10.3 Enterprise GDB (what used to be called ArcSDE) on MS SQL Server 2012. We're using the following procedure to set up the database:

  • Create a new database (say DB1) as sysadmin (sa)
  • Create a Windows-authenticated login (e.g. AD user mydomain\martin)
  • Create a database user sde in DB1 and map this to mydomain\martin
  • Create a schema sde and grant the necessary privileges (create table, view, function, procedure) to user sde.
  • Log in as mydomain\martin on a desktop machine, start ArcCatalog, add a database connection with Windows authentication and run the Enable Geodatabase tool.

Works just fine. Question: Can I follow the same workflow except that I use an AD group login rather than an AD user login to authorize user sde?

Thanks, Martin


Accepted Solutions
MartinAmeskamp
Occasional Contributor II

Hi, we've done some more tests, and I've come to the following conclusion:

Due to the fact that ArcGIS requires the user and schema to be identical when creating datasets, there is no way to have multiple Windows-authenticated users create database objects in the same schema.

Also, SQL Server doesn't allow a login authenticated by a group as database owner, so the dbo-variant of creating the SDE schema doesn't work with groups.

So, if you want to give SDE admin rights (create/update SDE schema) to a group of people, you need DB authentication. Also, if you want a group of people to be able to create datasets in a common schema, you also need to use DB authentication.

Accounts that edit and read data can be authenticated by AD group logins.

Any comments?

Martin
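
The workflow from the question and the group login for read/edit accounts from the accepted answer, written out as T-SQL. This is an added example, not part of the original posts: `DB1` and `mydomain\martin` come from the question, while the AD group `mydomain\gis_editors` is a hypothetical name.

```sql
-- Added example. DB1 and mydomain\martin come from the post;
-- mydomain\gis_editors is a hypothetical AD group.

-- As sysadmin: create the database and the Windows-authenticated login.
CREATE DATABASE DB1;
GO
CREATE LOGIN [mydomain\martin] FROM WINDOWS;
GO

USE DB1;
GO
-- Database user sde mapped to the single AD user. User name and schema
-- name are identical, which the accepted answer notes ArcGIS requires
-- for the account that creates objects.
CREATE USER sde FOR LOGIN [mydomain\martin] WITH DEFAULT_SCHEMA = sde;
GO
CREATE SCHEMA sde AUTHORIZATION sde;
GO
GRANT CREATE TABLE, CREATE VIEW, CREATE FUNCTION, CREATE PROCEDURE TO sde;
GO

-- Read/edit accounts: one login and one database user for the whole AD
-- group. It gets no CREATE permissions and owns no schema; privileges on
-- individual datasets are granted to it after the geodatabase is enabled.
CREATE LOGIN [mydomain\gis_editors] FROM WINDOWS;
GO
CREATE USER [mydomain\gis_editors] FOR LOGIN [mydomain\gis_editors];
GO

-- Check: list Windows principals in DB1 with their type, default schema,
-- any schema they own and any database-level CREATE permissions.
-- Rows of type WINDOWS_GROUP should show no owned schema and no CREATE
-- permission if groups are meant to read and edit only.
SELECT dp.name, dp.type_desc, dp.default_schema_name,
       s.name AS owned_schema, p.permission_name
FROM sys.database_principals AS dp
LEFT JOIN sys.schemas AS s ON s.principal_id = dp.principal_id
LEFT JOIN sys.database_permissions AS p
       ON p.grantee_principal_id = dp.principal_id
      AND p.class = 0                       -- database-level permissions
      AND p.permission_name LIKE 'CREATE %'
WHERE dp.type IN ('U', 'G')                 -- Windows users and groups
ORDER BY dp.type_desc, dp.name;
```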
