Allowing SDE editing without giving out credentials

Monday
ChrisBerryman
Regular Contributor

Hello everyone, 

I am curious if anyone has been asked to find a solution to restrict users from knowing SDE user credentials and instead provide an SDE file preloaded with the credentials to a database?

Our security group has asked if it's possible to do this, but still have the usernames be unique to the individual for audit purposes.

I know that users can edit feature services by referencing them into ArcGIS Desktop or ArcGIS Pro that way, but what about the old-fashioned SDE connection method?

 

0 Kudos
5 Replies
George_Thompson
Esri Notable Contributor

If you have an Active Directory (AD) group set up with the users that need to "edit" the data, they could use the connection with OS credentials (no password needed) to make the connection and edit.

Look at step 5: https://pro.arcgis.com/en/pro-app/latest/help/data/geodatabases/manage-sql-server/connect-sqlserver....

What would need to be "audited" by username: connections / date edited / etc.?

Adding users in SQL server (look at the bottom paragraph): https://pro.arcgis.com/en/pro-app/latest/help/data/geodatabases/manage-sql-server/add-users-sqlserve...

 

--- George T.
ChrisBerryman
Regular Contributor

George, 

I was asked about providing the ability to edit through an SDE connection, but at the same time preventing access to the databases from other means such as Microsoft Access or another DB client that's not ArcGIS Desktop or ArcGIS Pro.

For auditing, it comes down to keeping track of who's making edits and inserts, which comes with the usual method of SDE editing.

0 Kudos
George_Thompson
Esri Notable Contributor

I am not sure about "... preventing access to the databases from other means such as Microsoft Access or another DB client that's not ArcGIS Desktop or ArcGIS Pro." That seems like a tall order...

Understood on the auditing; I would look into editor tracking and maybe archiving.

--- George T.
0 Kudos
ChrisBerryman
Regular Contributor

Yeah, we currently use editor tracking and archiving when necessary. This request is just coming from non-GIS people who have a hard time understanding that to edit GIS data, it's typically done using an SDE connection in ArcMap or ArcPro.

0 Kudos
MelissaNorthey
Frequent Contributor

I've found using operating system authentication is useful for this. We use A/D groups: I have one for read-only access and others for departmental editing rights. The connection file (.sde) can be transferred between users and it works with just their login. They will know their password, but they don't use it when building a connection file with operating system authentication.

For example, Sally is in the Utilities department, so she is in the GISDB_Read and the GISDB_UtilityEditor A/D groups. In the GIS database the groups are given rights on each layer/table/dataset. Sally's connection file can be called GISDBAccess.sde, for instance, and it can be copied from her profile to Jim's profile on his PC. When Jim connects to the database, Jim's connection is using the operating system authentication for his Windows account and he will only have the rights that his user has based on the A/D groups he's been assigned to. I hope that makes sense and helps. You can reach out if you have any follow-up questions, mnorthey@ocalafl.gov.
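
The group-based setup described in this thread, sketched in T-SQL as an added example that is not part of any post: it maps the two A/D groups named above to SQL Server logins, grants them rights on one table, and shows that each session is still attributed to the individual Windows account for auditing. The domain `EXAMPLE`, the database name `GISDB` and the table `utility.WaterMains` are assumptions, as is the use of SQL Server itself (taken from the linked help pages).

```sql
-- Added example. EXAMPLE (domain), GISDB (database) and utility.WaterMains
-- (table) are hypothetical names; the group names come from the thread.

-- 1. One login per A/D group: no per-user SQL accounts, no stored passwords.
USE master;
GO
CREATE LOGIN [EXAMPLE\GISDB_Read] FROM WINDOWS;
CREATE LOGIN [EXAMPLE\GISDB_UtilityEditor] FROM WINDOWS;
GO

-- 2. Map each group login to a database user.
USE GISDB;
GO
CREATE USER [EXAMPLE\GISDB_Read] FOR LOGIN [EXAMPLE\GISDB_Read];
CREATE USER [EXAMPLE\GISDB_UtilityEditor] FOR LOGIN [EXAMPLE\GISDB_UtilityEditor];
GO

-- 3. Rights are granted to the groups, never to individuals.
--    For registered geodatabase datasets, grant through the ArcGIS privilege
--    tools so supporting tables are covered as well; the raw GRANTs below
--    only show what each group ends up with on a plain table.
GRANT SELECT ON OBJECT::utility.WaterMains TO [EXAMPLE\GISDB_Read];
GRANT SELECT, INSERT, UPDATE, DELETE
    ON OBJECT::utility.WaterMains TO [EXAMPLE\GISDB_UtilityEditor];
GO

-- 4. Run from a session opened with a shared .sde file (OS authentication):
--    the server reports the individual's Windows account, not the group.
SELECT ORIGINAL_LOGIN() AS original_login,
       SUSER_SNAME()    AS security_name;

-- 5. Windows groups in the caller's token, i.e. where the access comes from.
SELECT name, type, usage
FROM sys.login_token
WHERE type = 'WINDOWS GROUP';

-- 6. DBA view (needs VIEW SERVER STATE): who is connected to GISDB and from
--    where. program_name is reported by the client, so treat it as a hint
--    for review rather than proof of which application connected.
SELECT session_id, login_name, host_name, program_name, login_time
FROM sys.dm_exec_sessions
WHERE database_id = DB_ID('GISDB')
ORDER BY login_time;
```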