Here’s the environment I have:
- Oracle 12c, configured with ST_Geometry spatial type and containing versioned data
- ArcGIS 10.2.1 (patched up to UT4)
- ArcFM 10.2.1b
I’m in the process of cleaning up the roles on a project database that has been handed to me. The group that was previously working with it did not have a great deal of GIS experience and did not provision roles properly. To make things easier, the DBA role was liberally provided to many accounts, and those accounts that didn’t have it were provided massive blanket roles (provisioned through Oracle at a schema level, and not via ArcGIS) and what appeared to be every single system privilege you could provide.
This is not an acceptable setup going forward, so I’ve spent a bit of time designing proper roles and getting those roles created and provisioned properly (i.e. via ArcGIS interfaces for spatial/versioned data) and ensuring that at least the minimum amount of Oracle permissions are there (as per http://resources.arcgis.com/en/help/main/10.2/index.html#//002n0000002v000000) for the test account. After creating the test account, provisioning it with the necessary oracle privileges and my new roles, I took it out for a test run – and quickly found out that while I can connect to the database with it, see all the objects and see all the records in the objects – I could not view the data spatially, either in ArcCatalog or ArcMap.
It took a little while, but we found out that the reason that things were failing was that the user did not have EXECUTE access to a large group (I think around 80) ST packages/procedures. Granting the user EXECUTE rights to those packages resolved that issue. Then I encountered a problem that the user could not edit versioned data (and actually did not even consider the versioned material to be versioned, even though other accounts were fine) – so now I’m in the process of trying to figure out the provisioning for the backend SDE/System tables to allow this functionality to work....which is both time consuming and aggravating.
So my questions are:
- Is there a list of the minimum level of permissions required for packages and system tables that would need to be applied for user access? I can’t see any documentation that covers this, and I don’t recall ever hearing about this problem for other setups. Which leads to my next question:
- Are these rights and roles set in the backend via the ‘Enable Enterprise’ and ‘Create Spatial Type’ tasks – or another system process that gets run during the setup?
- If there are system processes that do this, can they be re-run on a database without causing issues?
If there is any information that someone could provide on either of these questions, that would be greatly appreciated.
Thanks in advance.