User groups or roles

Most database managment systems (DBMS) provide ways for the administrator to group users based on their data access needs and assign privileges to the group. This can reduce the time spent altering each individual user's permissions. You could, therefore, utilize groups (also called roles, types, or authorities depending on the DBMS) that grant rights to users based on their common functions.

You use roles in the database in the same way and for the same reasons as your system administrator uses groups in the operating system—to simplify administration of large numbers of privileges for large numbers of users.

Common categories or groups of users are those who view data, those who edit data, and those who create data. The specific types of privileges needed for these groups are detailed in the user privilege topics for each DBMS. Read the one that applies to the DBMS you use.

User privileges for geodatabases in DB2User privileges for geodatabases in InformixUser privileges for geodatabases in OracleUser privileges for geodatabases in PostgreSQLUser privileges for geodatabases in SQL Server

In most cases, granting rights to groups does not preclude granting rights to individual users in enterprise geodatabases. For instance, you could grant the minimum privileges required to create data in the database to the data creator group (which could include the geodatabaes administrator), then grant additional privileges to only the geodatabase administrator user. Each DBMS handles privilege precedence differently, though, so consult your DBMS documentation for details on the behavior of privileges for roles and individual users in your DBMS .

In addition, most DBMS products provide predefined groups. One of these is the PUBLIC role, described below. For other DBMS-specific predefined groups, please consult your DBMS documentation.

The PUBLIC role

There is a group that exists by default in all database management systems—the PUBLIC group, or role. PUBLIC is basically a variable that equates to anyone connected to the database; therefore, any right granted to PUBLIC is granted to everyone with a database connection. There are cases in which all users require a certain privilege. For example, to connect to SQL Server databases, users must be granted the CONNECT permission. Since everyone needs it, SQL Server grants this permission to the PUBLIC role by default.

Sometimes, high-level privileges are given to PUBLIC by default when the database is created. However, for security reasons, granting privileges to PUBLIC should be used only when absolutely necessary.

8/21/2013