AnsweredAssumed Answered

SDE in SQL Server and data owner permissions

Question asked by sherriekubis on Jan 3, 2019
Latest reply on May 7, 2019 by przemyslaw_dusza

Like • Show 0 Likes0
Comment • 15

SQL Server Enterprise 2016

ArcGIS 10.5.1

We are moving from Oracle to SQL Server and have installed under the 'sde' schema, not dbo. Following our security model, we have a data owner, data editors and data viewers. The Data Owner called 'SDECREATOR' owns data in the geodatabase, and then assigned permissions as needed to editors and viewers.

The data owner is a sql login and database user that has CONNECT, CREATE PROCEDURE, CREATE TABLE, CREATE VIEW. The account owns data, but inside of SSMS, it can't see users to grant to, or see what grants have been given. For example, the viewing account is SDEVIEW. It can issue GRANT SELECT ON MYFC to SDEVIEW, and it works, but looking at properties doesn't show anything.

I believe this to be related to now having the correct permissions. If I had the role db_owner to SDECREATOR, it can see what it needs to. However, since this role an do a lot more than own and manage data, I really don't want to do that.

Is there another way around this?

Sherrie

No one else has this question

Outcomes

15 Replies

JFarmer-esristaff Jan 4, 2019 7:43 AM
Mark Correct
Correct Answer
Hi Sherrie,

You are certainly on the right track with your workflow here. I might recommend a slight change though in the implementation. See more below.

Granting permissions from the database side is a valid workflow for a lot of our users. However, it requires that the user granting those permissions have some pretty high level clearance, usually the SA user or database owner. It also means that those users that are granted permissions have those permissions across the entire database. There are ways around this last part but I won't muddy this up with that.

Contrast that with ArcGIS, we allow you to set permissions at the feature dataset and feature class level. In this case, you could simply make a connection as the SDECREATOR user in the Catalog pane of ArcMap, right click the desired feature dataset or class, and go to Manage > Privileges. As the data owner, you can grant privileges on that data to any user with just the standard data owner privileges on the database side that you mentioned above. Of course, the downside here, is that you would need to do this for all data so it could be a lot of work if there is a lot of data to set permissions to. The Change Privileges geoprocessing tool would help speed this up though, allowing changes to multiple datasets at once.

If using ArcGIS to give permissions to your editors and viewers is not your desired workflow, that's OK. But I would recommend then that you use the SA user or another database administrator user to assign privileges to your users in SSMS. Keeping with the rule of least privileges that you guys are already following, this provides a level of checks and balances rather than giving your SDECREATOR user more privileges than they need.

Some links on this below but let me know if you have any questions for me.

Permissions (Database Engine) - SQL Server | Microsoft Docs
Privileges for geodatabases in SQL Server—Help | ArcGIS Desktop
Grant and revoke dataset privileges—ArcGIS Help | ArcGIS Desktop

Jonathan
4 people found this helpful
Like • Show 0 Likes0
Actions
- sherriekubis @ JFarmer-esristaff on Jan 7, 2019 10:44 AM
  Mark Correct
  Correct Answer
  Hi Jonathon, thank you for the response. We have been doing SDE (I still cal it by this name, sorry), for a very long time, but always in Oracle. Now we are migrating to SQL Server. Our SDE Administrators are considered trusted users, they own their data and are very knowledgeable. In Oracle they don't have DBA or SYSDBA, but can do their work without issue. They do a lot from ArcGIS, but they also do a lot in TOAD, as they write ETL scripts that join spatial and tabular data. When moving them to MS SQL, they need the same access, which means a 'sa' or 'dbo' user. Having a DBA or another account perform the grants it's feasible. I've been looking for grants that would allow them to see users and what permissions have been granted to them, and allow them to travel around investigating schema data with SELECT access. They have a lot to do with this migration, over what they normally do, and I want to make it as smooth for them as possible without giving away higher privileges. That means allowing them to see users, privileges assigned to users, and schema data for investigative purposes.
  
  Any other insights would be appreciated ... but I fear the worst in that they are going to need db_owner.
  
  Sherrie
  Like • Show 0 Likes0
  Actions
  - JFarmer-esristaff @ sherriekubis on Jan 8, 2019 7:26 AM
    Mark Correct
    Correct Answer
    Hi Sherrie,
    
    I'll look into this some more and see want options I can find. It all depends on how Microsoft has structured things so I'll need to do some research. I haven't dealt much with granting privileges on the database side with users other than a member of sysadmin or db_owner.
    
    Jonathan
    Like • Show 0 Likes0
    Actions
    - sherriekubis @ JFarmer-esristaff on Jan 9, 2019 5:36 AM
      Mark Correct
      Correct Answer
      Thanks Jonathan. I'm researching as well, will update if I find anything.
      
      Sherrie
      Like • Show 0 Likes0
      Actions
wgsl2005 May 6, 2019 7:53 AM
Mark Correct
Correct Answer
Jonathan and Sherrie, can you please share what privileges from database side are requries for a data viewer? I have tried either of the followings but still couldn't see the feature classes created by Test_Creator in TestSchema. dbo is the owner of TestSchema and Test_Creator/Test_Viewer defaults to TestSchema. The weird thing is that if i log in SSMS with Test_Viewer i can see the tables created by Test_Creator. By they way, we are using sde 10.5.1 and SQL server 2014.

GRANT SELECT ON SCHEMA::TestSchema TO Test_Viewer
or
ALTER ROLE db_datareader ADD MEMBER Test_Viewer
Like • Show 0 Likes0
Actions
- JFarmer-esristaff @ wgsl2005 on May 6, 2019 7:51 AM
  Mark Correct
  Correct Answer
  The SELECT privilege is all a data viewer needs in SQL Server: http://desktop.arcgis.com/en/arcmap/latest/manage-data/gdbs-in-sql-server/privileges-sqlserver.htm#ESRI_SECTION1_C1C15319C6AE40B8993FDB2E89482D5F
  
  If you want to test if this is related to granting permissions on the schema, try granting permissions just to the underlying table and see if they can view it then. I typically don't alter the default roles in SQL Server, it's probably better to setup your own custom role if you want to go that route.
  
  Jonathan
  Like • Show 0 Likes0
  Actions
  - wgsl2005 @ JFarmer-esristaff on May 6, 2019 8:14 AM
    Mark Correct
    Correct Answer
    Jonathan, thanks for your quick response. I have tried what you suggested "GRANT SELECT ON TestSchema.Test TO Test_Viewer" from database side and still couldn't see the feature class from ArcCatalog. I have also tried ArcCatalog -> SDE connection with Test_Creator -> Feature class -> Manage -> Privileges -> grant select and no luck either. But I can see the table when I log in SSMS with Test_Viewer. Any ideas?
    Like • Show 0 Likes0
    Actions
    - JFarmer-esristaff @ wgsl2005 on May 6, 2019 8:27 AM
      Mark Correct
      Correct Answer
      Hmm... that's odd.
      
      I've seen behavior before where a user had to grant editing privileges to a feature class for anyone to be able to see it. I'll need to go back through our cases and see if I can find that and how we fixed it.
      
      To see if this is that issue, try 2 things:
      Grant SELECT, INSERT, UPDATE, DELETE and EXECUTE to this user and see what happens
      Also try giving the DB_OWNER database role and see what happens
      
      But you shouldn't need either of these just to view a feature class. This is just a test to see what we get (if you can view anything at all with this user after giving it full privileges).
      Like • Show 0 Likes0
      Actions
      - mvolz47 @ JFarmer-esristaff on May 6, 2019 8:59 AM
        Mark Correct
        Correct Answer
        Jonathan:
        
        Was the necessity to grant editing privileges to a feature class for anyone to see it considered a BUG as this seems like a serious data security risk?
        Like • Show 0 Likes0
        Actions
        JFarmer-esristaff @ mvolz47 on May 6, 2019 9:16 AM
        Mark Correct
        Correct Answer
        Michael,
        
        It certainly would be if we could reproduce it here. I'm not aware of any defects out there now for this issue though (don't see any in our system).
        Like • Show 0 Likes0
        Actions
      - wgsl2005 @ JFarmer-esristaff on May 6, 2019 9:10 AM
        Mark Correct
        Correct Answer
        Tried the followings and still couldn't see the tables
        Grant SELECT, INSERT, UPDATE, DELETE and EXECUTE to this user and see what happens
        Also try giving the DB_OWNER database role and see what happens
        Grant Test_Viewer the schema owner of the Test_Schema
        Is there anything needed to done at SDE level?
        Like • Show 0 Likes0
        Actions
        JFarmer-esristaff @ wgsl2005 on May 6, 2019 9:21 AM
        Mark Correct
        Correct Answer
        Well, I'd say we've got an issue here and it isn't a permissions one. We've just tried giving almost all the permissions possible in SQL Server (db_owner) and it still didn't work.
        
        So then I'd start asking questions like how was this viewer user created? Are there other viewer users in this database that exhibit the same behavior? Are there other ArcGIS clients that you can test connecting with to see if you see the feature class? Things like that.
        
        If you're able, it may not be a bad idea for Tech Support to take a look as well. They can get into the details a lot easier than we can here.
        
        Jonathan
        Like • Show 0 Likes0
        Actions
        wgsl2005 @ JFarmer-esristaff on May 6, 2019 9:37 AM
        Mark Correct
        Correct Answer
        Here is the SQL used to create the date viewer in SSMS
        
        CREATE LOGIN [Test_Viewer] WITH PASSWORD='********', DEFAULT_DATABASE=[TempInstance1], DEFAULT_LANGUAGE=[us_english], CHECK_EXPIRATION=OFF, CHECK_POLICY=ON
        
        CREATE USER [Test_Viewer] FOR LOGIN [Test_Viewer] with DEFAULT_SCHEMA=[TestSchema]
        Like • Show 0 Likes0
        Actions
wgsl2005 May 6, 2019 10:44 AM
Mark Correct
Correct Answer
Sorry for the confusion. The issue was with that i have checked 'List only objects owned by the connecting user with enterprise databases' in ArcCatalog to avoid seeing relationship classes. The default is off. After I unchecked, I can see feature classes. Thank you Jonathan for your help!
Like • Show 2 Likes2
Actions
przemyslaw_dusza May 7, 2019 12:26 AM
Mark Correct
Correct Answer
Sherrie Kubis if you are looking for great tools to manage and work with SQL Server according to GIS and DB best practices take a look a those gratis tools https://github.com/geocom-gis/GeocomDatabaseManagementTools
Like • Show 0 Likes0
Actions

GeoNet

The Esri Community

SDE in SQL Server and data owner permissions

Outcomes

Related Content

Recommended Content