Exercise 4: Add users and administer their permissions

This topic applies to ArcGIS for Desktop Standard and ArcGIS for Desktop Advanced only.

Complexity: Beginner

Data Requirement: ArcGIS Tutorial Data for Desktop

Goal: Create Windows logins, add them to the database server, then assign them permissions in the geodatabase and on specific datasets.

Your login was added to the database server when it was created in preparation for completing this tutorial.

Often, other users will need to access the database server. To do so, the logins for these users must be added to the database server. Before you can do this, the Windows logins must exist on the computer or the network. Therefore, in this exercise, you will first add the logins to your computer, then add them to the database server.

Note:

As indicated in A quick tour of the database servers tutorial, if you do not have administrative privileges on the computer, you must get your systems administrator to create the users for you.

Adding logins to the computer

Logins are added through the Windows Computer Management console (or Server Manager console on server operating systems).

You will create three logins: editor1, editor2, and manager1.

Steps:
  1. Open the Windows Computer Management or Server Manager console.

    How you open this will depend on the version of Windows you are using.

  2. On PCs, expand Local Users and Groups under System Tools. On servers, Local Users and Groups is found under Configuration.
  3. Right-click the Users folder and click New User.
  4. Type editor1 in the User name text box.
  5. Type Editor.1 in both the Password and Confirm password text boxes.

    If your computer uses a password policy, provide a password that meets that policy.

  6. Uncheck User must change password at next logon.

  7. Click Create.

    The text boxes are cleared, but the dialog box remains open.

  8. Type editor2 in the User name text box.
  9. Type Editor.2 in both the Password and Confirm password text boxes.

    If your computer uses a password policy, provide a password that meets that policy.

  10. Uncheck User must change password at next logon.
  11. Click Create.
  12. Type manager1 in the User name text box.
  13. Type Manager.1 in both the Password and Confirm password text boxes.

    If your computer uses a password policy, provide a password that meets that policy.

  14. Uncheck User must change password at next logon.
  15. Click Create and click Close.

You now have three new logins on your computer: editor1, editor2, and manager1. Next, you will add these logins to your database server.

Tip:

If these logins were going to perform the same type of tasks and have the same privileges in the geodatabases on the database server, you could set up a Windows group and add them to it. However, for this tutorial, editor1, editor2, and manager1 will have different privileges, so you will just use the Windows logins.

Adding logins to the database server

Now that you have created Windows logins for three new users, you can add them to the database server. Use the database server-level Permissions dialog box to do this.

From the database server-level Permissions dialog box, the database server administrator can add and remove logins and grant server administrator privileges. Since none of these logins will be database server administrators, no permissions will be assigned to them in this set of steps.

Steps:
  1. Restore ArcMap.
  2. In the Catalog window, right-click the database server and click Permissions.
  3. Click Add User.
  4. Type editor1 in the Enter the object name to select text box.
  5. Click Check Names.

    Editor1 prefaced by your computer name appears in the field. (If this were a network user, the name would be prefaced with the name of the network.)

  6. Click OK.
  7. Editor1 appears in the Database Server Users list.
  8. Repeat steps 3 through 6 to add editor2 and manager1 to the database server.
  9. Click OK to apply your changes and close the Permissions dialog box.

Default geodatabase permissions

When you added the editor1, editor2, and manager1 logins to the database server, all three were added as users to the Osokopf and buildings08 geodatabases. You can see this by opening the geodatabase-level Permissions dialog box.

Steps:
  1. Right-click the buildings08 geodatabase, point to Administration, then click Permissions.

    This opens the geodatabase-level Permissions dialog box. In the Database Server Users list, you will see the logins you just added to the database server.

  2. Choose editor1.

    Notice that the option No Geodatabase Permissions is chosen for editor1. This is the default geodatabase-wide permission for new users who are not database server administrators.

  3. No Geodatabase Permissions indicates the user has no specific permissions on the geodatabase. If a user with a permission of No Geodatabase Permissions logs in to the database server, he or she can see the geodatabase but is not able to perform any actions on the geodatabase.

    As you can see on the geodatabase Permissions dialog box, the other geodatabase-wide permissions available are Read Only, Read/Write, and Geodatabase Administrator.

Granting geodatabase-wide permissions

When a user with read-only permission logs in to the database server, he or she is able to see the geodatabase and the data stored in it. This user can query the database and use the data in ArcMap but cannot edit the data unless the user is granted read/write permissions on specific datasets. (Dataset permissions are discussed in the next section.)

Users granted read/write geodatabase-wide permissions can not only view and query the data but can also edit all data in the geodatabase.

When a user is granted administrative privileges on a geodatabase, that user has read/write privileges plus he or she is able to perform geodatabase maintenance tasks, such as database compression and backups for that geodatabase. A geodatabase administrator can also administer the rights of existing users on that geodatabase.

The user's privileges apply only to the geodatabase on which they are granted. The user does not have database server-level administrative privileges and, therefore, cannot perform database server-level administrative tasks, such as adding users or attaching, detaching, restoring, or creating a geodatabase.

Editor1 needs to be able to edit all the data in the buildings08 and Osokopf geodatabases. Manager1 will be administering the buildings08 geodatabase but will only view the data in the Osokopf geodatabase. Editor2 will only be editing specific datasets and will not be granted any geodatabase-wide permissions. As database server administrator, you will grant the proper geodatabase permissions to editor1 and manager1.

Steps:
  1. Right-click the Osokopf geodatabase, point to Administration, then click Permissions.
  2. Choose editor1 from the Database Server Users list, click Read/Write, then click Apply.

    This adds editor1 to a role that has read/write permission to the geodatabase. Since this is applied at the geodatabase level, editor1 now has read/write access to all the data in the Osokopf geodatabase.

  3. Choose manager1 from the Database Server Users list and click Geodatabase Administrator.

    This adds manager1 to a role in the geodatabase that has administrator (db_owner) permissions in the database.

  4. Click OK to apply the changes and close the Permissions dialog box for the Osokopf geodatabase.
  5. Right-click the buildings08 geodatabase, point to Administration, then click Permissions.
  6. Choose editor1 from the Database Server Users list, click Read/Write, then click Apply.

    Editor1 now also has read/write permissions to all data in the buildings08 geodatabase.

  7. Choose manager1 in the Database Server Users list and click Read Only.

    This adds manager1 to a role in the geodatabase that can only view and select all the data in the buildings08 geodatabase.

  8. Click OK to apply the changes and close the Permissions dialog box for the buildings08 geodatabase.

Altering dataset permissions

There are three types of permission that can be granted on a dataset: No Geodatabase Permissions, Read Only, and Read/Write. Only the owner of a dataset can alter other users' permissions on that dataset.

You can tell who owns a dataset based on the schema name that appears in the fully qualified name of the table, feature class, feature dataset, raster catalog, raster dataset, or mosaic dataset. The schema name of the user who creates the dataset is incorporated into the name of the dataset and enclosed in quotes. For example, if a user with the domain account universe\ghila creates a table (contacts) in the geodatabase proj_work, the fully qualified name of the table is proj_work."universe\ghila".contacts.

Database server administrators use the dbo schema, so data they create has dbo in the dataset name. Any user who is a member of dbo (in other words, any user who is a database server administrator) is considered owner of the datasets in the dbo schema.
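The ownership rule above can be checked from a fully qualified name alone. This is an added example, not Esri code: the function names are hypothetical, the buildings08.dbo.gov_bldgs name and the dotted-domain name are constructed, and the case-insensitive comparison of account names is an assumption.

```python
def split_qualified(name):
    """Split database."schema".object on dots that sit outside double quotes."""
    parts, buf, quoted = [], [], False
    for ch in name:
        if ch == '"':
            quoted = not quoted          # quotes delimit the schema, they are not part of it
        elif ch == "." and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    if quoted or len(parts) != 3 or not all(parts):
        raise ValueError(f"not a database.schema.object name: {name!r}")
    return tuple(parts)


def can_alter_permissions(name, login, is_server_admin=False):
    """Only the dataset owner may alter other users' permissions on it.

    Data in the dbo schema is owned by every database server administrator.
    Any other schema names the single login that created the dataset.
    """
    _, schema, _ = split_qualified(name)
    if schema.lower() == "dbo":
        return is_server_admin
    return schema.lower() == login.lower()   # assumption: case-insensitive match


if __name__ == "__main__":
    samples = [
        r'proj_work."universe\ghila".contacts',      # name given in the text above
        r'proj_work."corp.example\ghila".contacts',  # constructed: dots inside the quotes
        'buildings08.dbo.gov_bldgs',                 # constructed: dbo-owned dataset
    ]
    for s in samples:
        print(split_qualified(s))
    # editor1 is not a server administrator, so cannot re-grant on dbo-owned data.
    print(can_alter_permissions('buildings08.dbo.gov_bldgs', 'editor1'))
```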

When you altered the geodatabase-wide permissions for editor1 and manager1 in the buildings08 geodatabase, those permissions applied to the datasets in that geodatabase. For example, editor1 was granted read/write geodatabase-wide permissions on the buildings08 geodatabase and so has read/write access to all data in that geodatabase. You cannot alter editor1's dataset-level permissions for any data in this geodatabase because he or she already has the highest level of permission possible. To see this, follow these steps:

Steps:
  1. Expand the buildings08 geodatabase.
  2. Right-click the gov_bldgs feature class, point to Manage, then click Privileges.

    This opens the dataset-level Permissions dialog box.

  3. Choose editor1 from the Database Server Users list.

    All the permission options are inactive, and a note states that the user has higher-level permissions.

Manager1 has Read Only geodatabase-wide permissions on the buildings08 geodatabase. Therefore, manager1 has Read Only dataset-level permissions to all the data. To see this, choose manager1 from the Database Server Users list.

Since there is a higher level of permission that can be granted (Read/Write), you can alter manager1's permissions on individual datasets in the buildings08 geodatabase.

Since all the datasets currently present in the buildings08 and Osokopf geodatabases are owned by dbo, you can change user permissions on any of the datasets in these geodatabases. To do so, follow these steps:

Steps:
  1. Right-click the gov_bldgs feature class in the buildings08 geodatabase, point to Manage, then click Privileges.
  2. Choose manager1 from the Database Server Users list.
  3. Click Read/Write.
  4. Click OK.

Manager1 now has read/write access to the gov_bldgs feature class. Permissions on the other datasets in the buildings08 geodatabase remain read-only.

To confirm this, do the following:

Steps:
  1. Right-click the utilities feature class, point to Manage, then click Privileges.
  2. Choose manager1 from the Database Server Users list.

    Notice that manager1 still has read-only permission on this feature class.

Grant editor2 permissions to edit the schools feature class.

Steps:
  1. Right-click the schools feature class, point to Manage, then click Privileges.
  2. Choose editor2 from the Database Server Users list.
  3. Click Read/Write.
  4. Click OK to apply your changes and close the dataset Permissions dialog box.

Now grant editor2 permissions to view the parks feature dataset in the Osokopf geodatabase.

Steps:
  1. Expand the Osokopf geodatabase.
  2. Right-click the parks feature dataset, point to Manage, then click Privileges.
  3. Choose editor2 from the Database Server Users list.
  4. Click Read Only.
  5. Click OK to apply your changes and close the dataset Permissions dialog box.
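
The grants made in the steps of this exercise, modeled as an added example (not Esri code) to show how geodatabase-wide and dataset-level permissions combine into what each login can actually do on a dataset. The names Perm, effective, dataset_grant_possible and excess_access, and the review policy at the end, are hypothetical.

```python
from enum import IntEnum

class Perm(IntEnum):
    NONE = 0          # "No Geodatabase Permissions"
    READ_ONLY = 1
    READ_WRITE = 2
    ADMIN = 3         # Geodatabase Administrator; geodatabase-wide only

# Geodatabase-wide grants from the steps in this exercise.
GDB_WIDE = {
    ("Osokopf", "editor1"): Perm.READ_WRITE,
    ("Osokopf", "manager1"): Perm.ADMIN,
    ("buildings08", "editor1"): Perm.READ_WRITE,
    ("buildings08", "manager1"): Perm.READ_ONLY,
}
# Dataset-level grants from the steps in this exercise.
DATASET = {
    ("buildings08", "gov_bldgs", "manager1"): Perm.READ_WRITE,
    ("buildings08", "schools", "editor2"): Perm.READ_WRITE,
    ("Osokopf", "parks", "editor2"): Perm.READ_ONLY,
}

def effective(gdb, dataset, user):
    """Permission the user actually holds on one dataset: the higher grant wins."""
    wide = GDB_WIDE.get((gdb, user), Perm.NONE)
    own = DATASET.get((gdb, dataset, user), Perm.NONE)
    # On data an administrator has read/write; the extra rights are maintenance tasks.
    return min(max(wide, own), Perm.READ_WRITE)

def dataset_grant_possible(gdb, user):
    """False when the dataset dialog shows every option inactive for this user."""
    return GDB_WIDE.get((gdb, user), Perm.NONE) < Perm.READ_WRITE

def excess_access(intended):
    """Return (gdb, dataset, user, held, wanted) wherever held exceeds wanted."""
    findings = []
    for (gdb, dataset, user), wanted in intended.items():
        held = effective(gdb, dataset, user)
        if held > wanted:
            findings.append((gdb, dataset, user, held.name, wanted.name))
    return findings

if __name__ == "__main__":
    # Hypothetical review policy: manager1 should only read buildings08 data.
    policy = {("buildings08", d, "manager1"): Perm.READ_ONLY
              for d in ("gov_bldgs", "utilities", "schools")}
    for finding in excess_access(policy):
        print(finding)   # the dataset-level grant on gov_bldgs is reported
```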

Making a backup of your changes

Now that you have added users and altered permissions, create a backup of both the buildings08 and Osokopf geodatabases. Follow the instructions in exercise 3 to create the backup files in the same location as the first backup, but change the names and descriptions of the backup files.

For example, a second backup of the buildings08 geodatabase could be called buildings_bu2 and have a description of "Users added and permissions granted." The Osokopf backup could be called osokopf_bu1.

You created Windows logins, added them to a database server, and granted them permissions on two geodatabases. You also altered one of the users' permissions on a dataset. Now the users can edit the data. In Exercise 5, you will log in to the database server as another user, load data, and set up editor tracking.

4/22/2015