We have ArcGIS Pro 3.3, Enterprise 11.3 and SQL Server 2022.
In our SQL databases (SDE), the data is only owned by a single user X.
We would like to know what is the best or recommended way of publishing services from ArcGIS Pro to Enterprise?
Question: In our case as we have only one user being the data owner, should we have a new dedicated user for publishing? or is it okay to keep using the user X for publishing?
Any help on this would be appreciated!!
@Yogesh_Chavan wrote:
Question: In our case as we have only one user being the data owner, should we have a new dedicated user for publishing? or is it okay to keep using the user X for publishing?
If you only have one login you are not anywhere close to best practice. Publishing with the table owner means that any zero-day security bug would allow "read-only" users to delete the contents of your database (or just systematically corrupt it), with no way to determine who did it.
It is NOT okay to keep using user X for publishing. You need to create a browsing login and user, and grant it only SELECT access to the tables involved in publishing (and nothing else), then publish connected as that user.
Using enterprise-class database tools means having an enterprise-class security model. There are entire books on database security, but you can start with a chapter in any database administration guide.
- V
Member roles—ArcGIS Online Help | Documentation
Publisher—User privileges plus the ability to publish features and map tiles as hosted web layers. Members assigned the Publisher role can also perform analysis on layers in maps. The Publisher role is compatible with the Creator, Professional, and Professional Plus user types.
Thank you for having a look.
Question: In our case as we have only one user being the data owner, should we have a new dedicated user for publishing? or is it okay to keep using the same for publishing?
Thank you so much @VinceAngelo for sharing your ideas.
In our environment this user X is only used for almost all new file creation (datasets, feature classes and tables), and we have other users who use the databases using Windows auth. Other users do not use this login; they only work on editing this data in ArcGIS Pro or ArcGIS Portal Map Viewer.
So, it's like the user X acts as admin for managing and publishing only, whereas other users continue working on data.
Never, never, NEVER, NEVER publish as the data owner. This is a HUGE security risk. Just don't do it.
This is a Security Modeling 101 issue. The principle here is "minimum necessary privilege". The owner has way too much access to the table. Instead, create one or more browse users, and roles for each kind of access, and grant access to the tables to the roles, and grant roles to users. Publish data with the user holding the least possible access to make effective use of the data. If some apps need UPDATE, but others don't, publish with different publishing users (e.g., "app1_pub" & "app2_pub"), only granting the minimum necessary to each.
- V
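The role-and-grant setup described in the post above, sketched in T-SQL for SQL Server as an added example that is not part of the original thread. The database `GISDB`, the tables `X.Parcels` and `X.Roads`, the role names and the use of SQL-authenticated logins are assumptions; `app1_pub` and `app2_pub` are the example names from the post.

```sql
-- Added example. GISDB, X.Parcels, X.Roads, gis_reader and gis_editor are hypothetical names.
USE GISDB;
GO
-- Logins used only for publishing; replace the placeholder passwords.
CREATE LOGIN app1_pub WITH PASSWORD = '<placeholder-1>';
CREATE LOGIN app2_pub WITH PASSWORD = '<placeholder-2>';
GO
CREATE USER app1_pub FOR LOGIN app1_pub;
CREATE USER app2_pub FOR LOGIN app2_pub;

-- One role per kind of access; tables are granted to roles, roles to users.
CREATE ROLE gis_reader;
CREATE ROLE gis_editor;
GO
GRANT SELECT ON OBJECT::X.Parcels TO gis_reader;
GRANT SELECT ON OBJECT::X.Roads   TO gis_reader;
GRANT SELECT, UPDATE ON OBJECT::X.Parcels TO gis_editor;  -- only the app that edits

ALTER ROLE gis_reader ADD MEMBER app1_pub;
ALTER ROLE gis_editor ADD MEMBER app2_pub;
GO

-- Check 1: every object-level permission held by the publishing roles and users.
SELECT pr.name AS grantee, pe.state_desc, pe.permission_name,
       OBJECT_SCHEMA_NAME(pe.major_id) AS schema_name,
       OBJECT_NAME(pe.major_id)        AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1   -- object or column
  AND pr.name IN (N'gis_reader', N'gis_editor', N'app1_pub', N'app2_pub');

-- Check 2: role memberships; db_owner, db_datawriter or db_ddladmin here
-- would defeat the minimum-privilege setup.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name IN (N'app1_pub', N'app2_pub');

-- Check 3: effective rights as seen by the read-only publishing user itself.
EXECUTE AS USER = 'app1_pub';
SELECT HAS_PERMS_BY_NAME('X.Parcels', 'OBJECT', 'SELECT') AS can_select,
       HAS_PERMS_BY_NAME('X.Parcels', 'OBJECT', 'UPDATE') AS can_update,
       HAS_PERMS_BY_NAME('X.Parcels', 'OBJECT', 'DELETE') AS can_delete;
REVERT;
```

For geodatabase datasets, granting through ArcGIS (the Change Privileges tool) also covers any associated tables; the three checks can be run afterwards in the same way.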
Thank you @VinceAngelo for sharing this information.
@Yogesh_Chavan - please read my community.esri.com blog article below
I hope this helps.
Just jumping in to share my thoughts:
The type of permissions you need to grant depends on what type of database you are using and what type of authentication you are using to connect (database auth or OS auth). Please see the details in the following Esri doc:
At the geodatabase level, normally you'll need 3 geodatabase roles: creator, editor and reader.
creator - very few db users should be assigned this role.
editor - only the db users who need to edit data should be assigned this role
reader - most of the db users
Thank you @simoxu, for reviewing and sharing your thoughts.
In our environment this user X is only used for almost all new file creation (datasets, feature classes and tables), and we have other users who use the databases using Windows auth. Other users do not use this login; they only work on editing this data in ArcGIS Pro or ArcGIS Portal Map Viewer.
So, it's like the user X acts as admin for managing and publishing only, whereas other users continue working on data.