A quick tour of permissions for database servers

Permissions to work with geodatabases and datasets on database servers are controlled by assigning users and groups to predefined roles in the Catalog. The user or group in this case is a Windows-authenticated login that identifies the user; a role defines the operations the user is able to perform.

The predefined roles and possible permissions given to users and groups are as follows:

Permissions are cumulative. If you are an administrator at the database server level, you are also a geodatabase administrator. If you are a geodatabase administrator, you automatically have read/write permissions on all datasets in that geodatabase.

The following describes each level at which permissions can be assigned.

Database server permissions

The only permission that can be set at the database server level is server administrator; a user either is a server administrator or is not.

During the postinstallation setup process that enables the SQL Server Express instance to store geodatabases, a user login is added to the database server. At that time, the user is assigned to the server administrator role. After that, database server permissions are accessed from the database server context menu in the Catalog window.

[Figure: Permissions from the database server context menu]

The server administrator can perform the following tasks:

Typically, you have only one database server administrator.

The following is an example of the Permissions dialog box for database servers. User har has been added to the Server administrator role.

[Figure: Database server permissions]

Geodatabase permissions

Geodatabase-wide permissions are accessed through the geodatabase context menu when accessing the geodatabase through the Database Servers node in the Catalog window.

[Figure: Permissions on geodatabase context menu]

Permissions at this level are initially granted by a server administrator and are managed using roles. Possible roles to which a user can be assigned are as follows:

In the following sample geodatabase Permissions dialog box, user pllama is added to the Read/Write role for the geodatabase historical.

[Figure: Geodatabase-level permission dialog box]

For more information on server and geodatabase administrators, see The administrative user for database servers.

Dataset permissions

Dataset permissions are accessed through the Privileges command on the dataset context menu, which opens the Permissions dialog box. Possible dataset permissions available through the Permissions dialog box at the dataset level are read only, read/write, and none.

A user may have no geodatabase-wide permissions (None) but can still be granted read or read/write permission to specific feature datasets in the geodatabase. For example, you might want to give users in an analyst group read-only permissions to the geodatabase but grant them read/write permissions to one specific feature class in the geodatabase.

When a user creates a dataset, such as a table, it is owned by that user and considered to be part of that user's schema. User permissions on datasets within a geodatabase can only be set by the owner of the dataset.

In the case of a server administrator, the datasets he or she creates are owned by dbo and stored in the dbo schema. Therefore, the server administrator can grant permissions on any dataset in the dbo schema, but only on datasets in that schema. In other words, a server administrator cannot grant permission to data owned by nonadministrative users.

The following is an example of the dataset Permissions dialog box for a dataset named firestations:

[Figure: Dataset permission dialog box]

To learn how to assign users to these roles and thereby grant or revoke permissions, see Altering dataset permission in ArcSDE geodatabases.
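The cumulative and ownership rules described above can be checked with a small model when auditing who can read, edit, or grant access to a dataset. The following Python sketch is an added example, not Esri code or an ArcGIS API; the class and function names are hypothetical, the logins analyst1 and editor1 and the dataset parcels are constructed, and it assumes that the higher of the geodatabase role and the dataset grant applies.

```python
from enum import IntEnum

class Perm(IntEnum):
    NONE = 0
    READ_ONLY = 1
    READ_WRITE = 2
    ADMIN = 3  # geodatabase administrator

class DatabaseServer:
    """Toy model of the role rules described above (not Esri code)."""
    def __init__(self):
        self.server_admins = set()  # logins in the server administrator role
        self.gdb_roles = {}         # (geodatabase, login) -> Perm
        self.owners = {}            # (geodatabase, dataset) -> owning schema
        self.grants = {}            # (geodatabase, dataset, login) -> Perm

    def schema_of(self, login):
        # Datasets created by a server administrator are owned by dbo.
        return "dbo" if login in self.server_admins else login

    def create_dataset(self, login, gdb, dataset):
        self.owners[(gdb, dataset)] = self.schema_of(login)

    def gdb_permission(self, login, gdb):
        # Cumulative: a server administrator is also a geodatabase administrator.
        if login in self.server_admins:
            return Perm.ADMIN
        return self.gdb_roles.get((gdb, login), Perm.NONE)

    def effective(self, login, gdb, dataset):
        level = self.gdb_permission(login, gdb)
        if level is Perm.ADMIN:
            return Perm.READ_WRITE  # admins get read/write on every dataset
        # Assumption: the higher of the geodatabase role and the dataset grant wins.
        return max(level, self.grants.get((gdb, dataset, login), Perm.NONE))

    def grant(self, grantor, grantee, gdb, dataset, perm):
        # Only the owner may grant; a server administrator acts as dbo.
        if self.owners[(gdb, dataset)] != self.schema_of(grantor):
            raise PermissionError(f"{grantor} does not own {dataset}")
        self.grants[(gdb, dataset, grantee)] = perm

def build_sample():
    # Constructed sample: har, pllama, historical and firestations appear on
    # the page; analyst1, editor1 and parcels are invented for illustration.
    s = DatabaseServer()
    s.server_admins.add("har")
    s.gdb_roles[("historical", "pllama")] = Perm.READ_WRITE
    s.gdb_roles[("historical", "analyst1")] = Perm.READ_ONLY
    s.create_dataset("har", "historical", "firestations")
    s.create_dataset("editor1", "historical", "parcels")
    s.grant("editor1", "analyst1", "historical", "parcels", Perm.READ_WRITE)
    return s
```

In this model, a grant attempted by har on parcels raises PermissionError, because parcels is owned by editor1 rather than dbo.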

4/22/2015