Can Active Directory groups be used for SDE database roles in 10.2.2?
We are using SQL Server 2012 with the SDE schema.
I came across the same problem (SQL Server 2012, ArcGIS 10.3) and decided that it is difficult to map AD groups to SQL Server entities. Here's what we came up with:
It may help to share this with Geodatabase since, although ArcSDE is grouped with ArcGIS Server, I think the Geodatabase people might have more info on SQL permissions.
Yes, AD sure is supported. Best make sure SQL Server is set up for mixed mode authentication.
Active Directory should be encouraged ahead of SQL logins because of security concerns and audits.
It appears that you can use AD for GIS readers, but not control editors or table creators this way.
We needed to create GIS database roles and schemas. If anyone else has managed to use AD for editing using the SDE schema let me know. It seems you can only use AD to control access to the .sde connection file for editing and writing GIS files.
We have set up AD groups for GIS editors in order to allow them to edit a group of feature classes stored in a feature dataset. We've created logins and users in SQL (SQL Server 2012) which tally with the name of the feature dataset. I have set the privileges at the feature dataset level in ArcCatalog.
We give editors access to the edit version of our geodatabase through layer files (created from a Windows Authentication SDE connection file). For one editor in one AD group this is working well. But I have an issue with another user in a different AD group. This other AD group contains two users plus myself and a test user; one user and my test user (and me as admin) can edit through the layer file, but one user can't. I've checked and rechecked everything several times, so I cannot work out why one user loads the layer file and gets a red exclamation mark, so it's not even pulling the data from the version into ArcMap. All our GIS users have read-only access to the geodatabase through layer files, and this user is able to see data as read only, which means the connection to the default database is fine. It appears that the WinAuth connection which should give the editable access to a version of the default is not working.
I ran the event profiler in SQL and compared to a test user with the same AD group membership, and can see differences in the event items. One event shows a connection to the version.sde and the other doesn't. I can't figure out how to resolve this issue. Does anyone have any suggestions?
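The pattern the posts above describe (one SQL Server login per AD group, a database user for it, and a role carrying the privileges the editors need) can be expressed directly in T-SQL. The script below is an added example for this thread, not code from any of the posters or from Esri; the domain, group, database, owner schema and role names (`CORP\GIS_Editors_Roads`, `gisdb`, `gisowner`, `roads_editor`, `roads_reader`) are placeholders, and the choice to grant at the owner-schema level so that the feature dataset's base tables and their versioned delta tables are covered together is an assumption about how the geodatabase is laid out. The final section is the check a practitioner would run, connected as the user who cannot edit, to see whether the problem is group resolution or missing privileges.

```sql
-- Added example (not from the thread). Map an AD group to a SQL Server login,
-- a database user and a role, then grant the role editing rights.
-- All names below are placeholders.
USE [gisdb];   -- assumed geodatabase name
GO

-- 1. One login per AD group. Windows authentication only: no SQL password exists,
--    so there is nothing to rotate or leak in connection files.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CORP\GIS_Editors_Roads')
    CREATE LOGIN [CORP\GIS_Editors_Roads] FROM WINDOWS WITH DEFAULT_DATABASE = [gisdb];
GO

-- 2. A database user mapped to that login, and a role that owns the privileges.
--    Granting to the role (not the group user) keeps the grants stable if the
--    group is ever renamed or replaced.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CORP\GIS_Editors_Roads')
    CREATE USER [CORP\GIS_Editors_Roads] FOR LOGIN [CORP\GIS_Editors_Roads];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'roads_editor' AND type = 'R')
    CREATE ROLE [roads_editor] AUTHORIZATION [dbo];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'roads_reader' AND type = 'R')
    CREATE ROLE [roads_reader] AUTHORIZATION [dbo];
ALTER ROLE [roads_editor] ADD MEMBER [CORP\GIS_Editors_Roads];
GO

-- 3. Least privilege: editors get DML only, readers get SELECT only. Granting at
--    the schema level (assumption: the feature dataset's tables and the delta
--    tables written during versioned edits all live in [gisowner]) avoids the
--    "one table was missed" failure mode that per-table grants invite.
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::[gisowner] TO [roads_editor];
GRANT SELECT                         ON SCHEMA::[gisowner] TO [roads_reader];
GO

-- 4. Diagnosis for the "one user in the group cannot edit" case. Run these while
--    connected to [gisdb] as the affected user over Windows authentication.
--    If in_ad_group is 0 the problem is upstream of SQL Server (token/group
--    membership, nested group, stale login session); if it is 1 but in_editor_role
--    is 0 or the DML permissions are missing, the problem is in the grants.
SELECT SUSER_SNAME()                         AS login_name,
       USER_NAME()                           AS db_user,
       IS_MEMBER(N'CORP\GIS_Editors_Roads')  AS in_ad_group,
       IS_MEMBER(N'roads_editor')            AS in_editor_role;

SELECT entity_name, permission_name
FROM   fn_my_permissions(N'gisowner', N'SCHEMA')
ORDER  BY permission_name;
GO
```

Two points worth knowing when applying this: Windows-group logins work under Windows-only authentication, so mixed mode is required only if SQL logins (for example a password-based geodatabase administrator account) must also connect; and `IS_MEMBER` with a Windows group name reflects the group membership in the caller's current login token, so a user added to the AD group after logging on to their workstation will report 0 until they log off and on again, which is a common explanation for two members of the same group behaving differently.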