A comparison of geodatabase owners in SQL Server
Geodatabases are a collection of tables, views, functions, and stored procedures inside a database. In geodatabases in a Microsoft SQL Server database, this collection of objects can be owned by a database user named sde or the dbo database user. Whichever user owns the geodatabase is considered the geodatabase administrator.
It is important that you understand how SQL Server manages access to data and other objects. Therefore, if you are unfamiliar with SQL Server's security model, read the SQL Server documentation. SQL Server authenticates a login at the instance level then authorizes a corresponding user at the database level. Different privileges granted can apply to the entire instance, a specific database or databases, or data within a database. This could affect your decision on which type of geodatabase owner to use.
The login you connect with when you create the geodatabase determines which database user owns the geodatabase. If the Windows or SQL Server login you connect with is mapped to the dbo user in the database, a dbo-schema geodatabase is created. If the Windows or SQL Server login you connect with is mapped to a user named sde in the database, an sde-schema geodatabase is created.
The sde user
The sde user in a database can be associated with a SQL Server-authenticated login or a Windows-authenticated login. The sde user must have authority on a schema named sde, and that schema must be the sde user's default schema. The sde user also must be granted privileges in the database that allow the user to create and administer the geodatabase.
The dbo user
The dbo user and its default schema exist in all databases automatically. Logins can be dbo in a database in one of two ways:
- By creating or being made owner of a specific database
- By being a member of the sysadmin fixed-server role
Logins that are mapped to the dbo user in a specific database have the highest possible privileges in that database; therefore, they have privileges sufficient to create and administer the geodatabase. Logins that are mapped to dbo in a specific database do not have elevated privileges in the SQL Server instance or other databases unless such privileges are explicitly granted to the login.
Logins that are members of the sysadmin fixed-server role are mapped to dbo in every database on the SQL Server instance and also have the highest possible privileges throughout the SQL Server instance. Such logins have privileges sufficient to create and administer the geodatabase and can create, alter, delete, and administer other securables in the instance.
All database objects owned by the dbo user are stored in the dbo schema.
Which user should own the geodatabase?
There is no difference in the performance or functionality between the two types of geodatabase schemas. Each has benefits and drawbacks. Choose the user (and, consequently, schema) best suited to your system and chosen security model.
The following is a comparison of the two types of schema, based on the type of authentication you use:
Schema | Authentication | Pros | Cons |
---|---|---|---|
Dbo (member of sysadmin) | Windows or SQL Server login |
|
|
Dbo (mapped to dbo in specific database) | Windows or SQL Server login |
|
|
Sde | SQL Server login |
|
|
Sde | Windows login |
|
|
*Most Windows logins, especially domain logins, belong to a specific person. That login is used by that person to log in to his or her computer and access Windows applications, including SQL Server. Therefore, when that person logs in to the computer, he or she will always connect to the geodatabase as the sde user. To avoid that, another Windows login can be created, essentially giving the person two logins. However, that means the person must switch logins on the computer when he or she wants to administer the geodatabase. Additionally, many sites avoid creating multiple logins for the same person, as it can have security implications and increases the complexity of login management.