ArcSDE Issue regarding Users and Privileges

AhmedArrar · ‎09-02-2014

I am using ArcSDE 10.2.1 with Oracle 11g R2... I have created a user with create session privilege granted to him, I also granted him a select privilege on a dataset the user is unable to perform any edits but he is able to export data to XML, GDB and shapefile and copy the FDS to a personal GDB.

please advice.

Anonymous User · ‎09-02-2014

Hi Ahmed,

What is exactly the problem? Please take a look at this link you might already know:

ArcGIS Help (10.2, 10.2.1, and 10.2.2)

AhmedArrar · ‎09-02-2014

I went through this article and it was useless but to make things clear here are extra details:

- Oracle Installed and the DB Instance created.

- ArcSDE Repository and user created perfectly.

- Tablespaces were created to comply with ArcSDE dbtune file

- dbtune imported "st_geometry"

- data owner user created with the following privileges:

- create table

- create sequence

- create trigger

- create view

- create session

- unlimited tablespace

- data viewer user created with only create session privilege

- data owner user loaded the data perfectly, registered it as versioned, grant select on one FDS to the data viewer

- data viewer unable to edit features, but able to export the FDS which he had privileges for viewing.

what do you advice

Anonymous User · ‎09-02-2014

I´m still not sure what the problem is. You do not want the data viewer to export data?

AhmedArrar · ‎09-02-2014

Hi Richard,

thank you for your cooperation, sure as a data viewer the user is to be unable to edit so how about exporting the data, the user mustn't do so. this is my issue I wonder if any one has faced this issue before.

regards.

Anonymous User · ‎09-02-2014

When a user can view data in ArcSDE he will be able to export that data outside the geodatabase. This is standard behaviour.

RiyasDeen · ‎09-02-2014

Hi Ahmed,

If a user has select privilege on a feature class then arcmap will allow the user to add the FC as layer. If you can add a layer to arcmap then there is nothing preventing the user from exporting the FC out.

Exporting a feature class requires select privilege on the FC, which the user already has. Export is nothing but select and insert on new FC.

AhmedArrar · ‎09-02-2014

hi,

then how does ArcSDE guarantees data integrity? regarding my experience with ArcSDE releases prior to 10.2, if a user is a viewer he shouldn't be able to export the data since he is not the owner of the data. I am using ArcSDE as an enterprise GDB in order to manage multiple users edits and at the same time to keep my data secure and centralized, but this is not rational.

if a user has a privilege as a viewer then he must be able to add data to ArcMAP and use it to prepare maps for example, I can share my DB connection file with users who doesn't have ArcGIS Desktop advanced "they have basic" and they can easly connect and retrieve the data display it, inquire it, analyze it and present it.

suppose that my data has external stockholders viewers, then every one can take a copy of the data. again it makes no sense.

do you agree.

Anonymous User · ‎09-02-2014

There a other ways to protect your data. If you really don´t want external viewers to retrieve your data, think of other ways, as for example creating map or WMS services.

VinceAngelo · ‎09-02-2014

How could GRANTing a user SELECT access possibly impair data integrity? SELECT access has ALWAYS meant that users can download data -- there is no other possible way this could work. If you don't want users extracting data, don't grant them SELECT access.

You'll need to use other tools to give them access to an application which won't give them the ability to directly download data, but even that wouldn't stop screen capture and heads-up digitizing in some other context.