A quick tour of permissions for database servers
Permissions to work with geodatabases and datasets on database servers are controlled by assigning users and groups to predefined roles in the Catalog. The user or group in this case is a Windows-authenticated login that identifies the user; a role defines the operations the user is able to perform.
The predefined roles and possible permissions given to users and groups are as follows:
- None—No specific access to the geodatabase or the datasets in the geodatabase has been granted.
- Read Only—The user can only view and select data.
- Read/Write—The user can read, write to, and create new datasets in a geodatabase or can read and write to an existing dataset.
- Admin—The user can perform administrative tasks in a specific geodatabase.
- Server administrator—This user manages the database server.
Permissions are cumulative. If you are an administrator at the database server level, you are also a geodatabase administrator. If you are a geodatabase administrator, you automatically have read/write permissions on all datasets in that geodatabase.
The following describes each level at which permissions can be assigned.
Database server permissions
The only permission that can be set at the database server level is the server administrator; you either are one or not.
During the postinstallation setup process that enables the SQL Server Express instance to store geodatabases, a user login is added to the database server. At that time, the user is assigned to the server administrator role. After that, database server permissions are accessed from the database server context menu in the Catalog window.
The server administrator can perform the following tasks:
- Add and remove users to/from the database server.
- Manage geodatabase and user security.
- Create and delete geodatabases.
- Attach and detach geodatabases.
- Back up and restore geodatabases.
- Upgrade geodatabases.
- Compress geodatabases.
- Update statistics and indexes in the geodatabase.
- Shrink the geodatabase.
- Start, stop, and pause the database server.
Typically, you have only one database server administrator.
The following is an example of the Permissions dialog box for database servers. User har has been added to the Server administrator role.
Geodatabase-wide permissions are accessed through the geodatabase context menu when accessing the geodatabase through the Database Servers node in the Catalog window.
Permissions at this level are initially granted by a server administrator and are managed using roles. Possible roles to which a user can be assigned are as follows:
- Read Only—This allows the user to select from every table in the geodatabase.
- Read/Write—Users assigned to the Read/Write role are able to select and edit all existing data and create new geodatabase objects such as feature classes. If a user is given read/write permission at the geodatabase level, you cannot change his or her permission at the dataset level; it is automatically read/write.
- Admin—Users assigned to the Admin role are administrators on that geodatabase only. This means the user has read/write permissions to all the datasets in the geodatabase and those rights cannot be taken away at the dataset level. For example, you could not open the Permissions dialog box at the dataset level and choose Read Only rights for that user on the dataset.
In addition to having read/write access to the datasets in the geodatabase, geodatabase administrators can perform administrative tasks on that geodatabase, including creating geodatabase backups, compressing the geodatabase, upgrading the geodatabase, and administering other users' rights on the geodatabase. (Users must already exist on the database server; geodatabase administrators cannot add users to the database server.)
- The other option for user roles is None. In this case, the user has no geodatabase-wide permissions; however, you can still grant this user read only or read/write permissions to specific datasets, as discussed under the section "Dataset permissions." None is the default level of geodatabase permission granted when users are added to the database server.
In the following sample geodatabase Permissions dialog box, user pllama is added to the Read/Write role for the geodatabase historical.
For more information on server and geodatabase administrators, see The administrative user for database servers.
Dataset permissions are accessed through the Privileges command on the dataset context menu, which opens the Permissions dialog box. Possible dataset permissions available through the Permissions dialog box at the dataset level are read only, read/write, and none.
A user may have no geodatabase-wide permissions (None) but can still be granted read or read/write permission to specific feature datasets in the geodatabase. For example, you might want to give users in an analyst group read-only permissions to the geodatabase but grant them read/write permissions to one specific feature class in the geodatabase.
When a user creates a dataset, such as a table, it is owned by that user and considered to be part of that user's schema. User permissions on datasets within a geodatabase can only be set by the owner of the dataset.
In the case of a server administrator, the datasets he or she creates are owned by dbo and stored in the dbo schema. Therefore, the server administrator can grant permissions on any datasets in the dbo schema, but only on objects in the dbo schema. In other words, a server administrator cannot grant permission to data owned by nonadministrative users.
The following is an example of the dataset Permissions dialog box for a dataset named firestations:
To learn how to assign users to these roles and thereby grant or revoke permissions, see Altering dataset permission in ArcSDE geodatabases.