A comparison of geodatabase owners in SQL Server

Geodatabases are a collection of tables, views, functions, and stored procedures inside a database. In a Microsoft SQL Server database, this collection of objects can be owned either by a database user named sde or by the dbo database user. Whichever user owns the geodatabase is considered the geodatabase administrator.

Note:

It is important that you understand how SQL Server manages access to data and other objects. Therefore, if you are unfamiliar with SQL Server's security model, read the SQL Server documentation. SQL Server authenticates a login at the instance level, then authorizes a corresponding user at the database level. Privileges can be granted at the level of the entire instance, of a specific database or databases, or of data within a database. This can affect your decision on which type of geodatabase owner to use.

The login you connect with when you create the geodatabase determines which database user owns the geodatabase. If the Windows or SQL Server login you connect with is mapped to the dbo user in the database, a dbo-schema geodatabase is created. If the Windows or SQL Server login you connect with is mapped to a user named sde in the database, an sde-schema geodatabase is created.

The sde user

The sde user in a database can be associated with a SQL Server-authenticated login or a Windows-authenticated login. The sde user must have authority on a schema named sde, and that schema must be the sde user's default schema. The sde user also must be granted privileges in the database that allow the user to create and administer the geodatabase.
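The following T-SQL carries out the requirements above by hand (login, user named sde, schema named sde as default schema, database-scoped statement permissions). It is an added example, not code from this page or from Esri; the database name and password are placeholders, and the specific permission set granted in step 4 is an assumption about what "a few statement permissions" means, to be confirmed against the version of the Create Enterprise Geodatabase tool in use.

```sql
-- Added example: provision an sde geodatabase owner in an existing database.
-- Run as a sysadmin or as the owner of the target database.
USE master;
GO

-- 1. Login at the instance level. This form is SQL Server authentication and
--    therefore needs mixed-mode authentication on the instance. For a
--    Windows-authenticated sde login use instead (placeholder domain name):
--    CREATE LOGIN [DOMAIN\sde] FROM WINDOWS;
CREATE LOGIN sde WITH PASSWORD = '<replace-with-strong-password>', CHECK_POLICY = ON;
GO

USE geodatabase_placeholder;   -- placeholder: the database that will hold the geodatabase
GO

-- 2. Database user named sde, mapped to the login, with sde as its default schema.
--    DEFAULT_SCHEMA may name a schema that does not exist yet; step 3 creates it.
--    For the Windows variant: CREATE USER sde FOR LOGIN [DOMAIN\sde] WITH DEFAULT_SCHEMA = sde;
CREATE USER sde FOR LOGIN sde WITH DEFAULT_SCHEMA = sde;
GO

-- 3. Schema named sde, owned by the sde user ("authority on a schema named sde").
CREATE SCHEMA sde AUTHORIZATION sde;
GO

-- 4. Statement permissions scoped to this database only (assumed set; see lead-in).
--    Nothing here grants rights in master, in other databases, or on the instance.
GRANT CREATE TABLE, CREATE VIEW, CREATE PROCEDURE, CREATE FUNCTION TO sde;
GO

-- 5. Verify the result: one row, default_schema_name = sde, and both role
--    checks 0, i.e. the sde user holds no elevated role in the instance or database.
SELECT dp.name                               AS db_user,
       sp.name                               AS login_name,
       dp.default_schema_name,
       IS_SRVROLEMEMBER('sysadmin', sp.name) AS is_sysadmin,
       IS_ROLEMEMBER('db_owner', dp.name)    AS is_db_owner
FROM sys.database_principals AS dp
JOIN sys.server_principals   AS sp ON sp.sid = dp.sid
WHERE dp.name = 'sde';
```

For the SQL Server login variant the Create Enterprise Geodatabase tool can perform steps 1 to 3 itself; for the Windows login variant they must be done beforehand, as the comparison below notes.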

The dbo user

The dbo user and its default schema exist in all databases automatically. Logins can be dbo in a database in one of two ways:

Logins that are mapped to the dbo user in a specific database have the highest possible privileges in that database; therefore, they have privileges sufficient to create and administer the geodatabase. Logins that are mapped to dbo in a specific database do not have elevated privileges in the SQL Server instance or other databases unless such privileges are explicitly granted to the login.

Logins that are members of the sysadmin fixed-server role are mapped to dbo in every database on the SQL Server instance and also have the highest possible privileges throughout the SQL Server instance. Such logins have privileges sufficient to create and administer the geodatabase and can create, alter, delete, and administer other securables in the instance.

All database objects owned by the dbo user are stored in the dbo schema.

Which user should own the geodatabase?

There is no difference in the performance or functionality between the two types of geodatabase schemas. Each has benefits and drawbacks. Choose the user (and, consequently, schema) best suited to your system and chosen security model.

The following is a comparison of the two types of schema, based on the type of authentication you use:

Schema: Dbo (member of sysadmin)
Authentication: Windows or SQL Server login
Pros:
  • If the SQL Server database administrator also serves as the geodatabase administrator, it might make sense to use a dbo schema to avoid having the same person use two different logins depending on what task he or she wants to do.
  • If more than one geodatabase administrator is needed, multiple logins can be added to the sysadmin fixed-server role.
Cons:
  • The login has elevated privileges on all securables in the SQL Server instance.
  • The login must be created and added to the sysadmin role prior to running the Create Enterprise Geodatabase tool.
  • If using a local rather than a domain Windows login, the login only exists on the server where SQL Server is installed. Therefore, ArcGIS clients must be installed on the same server, and all geodatabase administration tasks must be performed while logged in as the local login on that server.

Schema: Dbo (mapped to dbo in specific database)
Authentication: Windows or SQL Server login
Pros:
  • The geodatabase administrator can perform geodatabase and database administration in the specific database.
  • Elevated privileges do not extend beyond the specific database.
Cons:
  • If additional geodatabase administrators are needed, other logins can be placed in the sysadmin fixed-server role, making them dbo in this database as well.
  • The user has elevated privileges in the database.
  • The login and the database must be created prior to running the Create Enterprise Geodatabase tool, and the login must be set as the owner of the database.
  • If using a local rather than a domain Windows login, the login only exists on the server where SQL Server is installed. Therefore, ArcGIS clients must be installed on the same server, and all geodatabase administration tasks must be performed while logged in as the local login on that server.

Schema: Sde
Authentication: SQL Server login
Pros:
  • The sde user only requires a few statement permissions within a specific database to administer the geodatabase.
  • An sde SQL Server login, database user, and schema can be created with the Create Enterprise Geodatabase tool when the geodatabase is created in the database.
Cons:
  • Only a single login can map to the sde user.
  • The SQL Server instance must allow mixed-mode authentication.
  • The Create Enterprise Geodatabase tool must be run by the database administrator.

Schema: Sde
Authentication: Windows login
Pros:
  • The sde user only requires a few statement permissions within a specific database to create and administer the geodatabase.
  • You can map an existing domain Windows login to the sde user.
  • A Windows-authenticated sde login can be used at sites where the SQL Server instance allows only Windows authentication.
Cons:
  • The creation and management of a Windows login that is not directly associated with a specific person might be required.*
  • The database, sde login, user, and schema must be created prior to running the Create Enterprise Geodatabase tool.
  • Only a single login can map to the sde user.
  • You must be logged in to Windows with the sde login to run the Create Enterprise Geodatabase tool.
  • If using a local rather than a domain Windows login, the login only exists on the server where SQL Server is installed. Therefore, ArcGIS clients must be installed on the same server, and all geodatabase administration tasks must be performed while logged in as the local login on that server.

*Most Windows logins, especially domain logins, belong to a specific person. That login is used by that person to log in to his or her computer and access Windows applications, including SQL Server. Therefore, when that person logs in to the computer, he or she will always connect to the geodatabase as the sde user. To avoid that, another Windows login can be created, essentially giving the person two logins. However, that means the person must switch logins on the computer when he or she wants to administer the geodatabase. Additionally, many sites avoid creating multiple logins for the same person, as it can have security implications and increases the complexity of login management.
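Because the reach of the geodatabase administrator's privileges is the main difference between the rows above, it is worth checking which path each login on an instance actually falls under. The following T-SQL audit query is an added example (not from this page or from Esri); it assumes it is run inside the database that holds the geodatabase, by a login that can see all server principals (a sysadmin member or a login with VIEW ANY DEFINITION).

```sql
-- Added example: for every login on the instance, report whether it would be the
-- geodatabase administrator in the current database and how far its privileges reach.
-- Read-only; run in the geodatabase's database.

-- SID of the login that owns this database: that login is dbo here and only here.
DECLARE @owner_sid varbinary(85) =
    (SELECT owner_sid FROM sys.databases WHERE database_id = DB_ID());

SELECT sp.name                    AS login_name,
       sp.type_desc               AS login_type,        -- SQL_LOGIN, WINDOWS_LOGIN, WINDOWS_GROUP
       ISNULL(dp.name, '(none)')  AS db_user,           -- sysadmin members are dbo even with no user row
       dp.default_schema_name,
       CASE
           -- Row 1 of the comparison: dbo in every database, elevated on every securable
           WHEN IS_SRVROLEMEMBER('sysadmin', sp.name) = 1
               THEN 'dbo via sysadmin: highest privileges in every database on the instance'
           -- Row 2: dbo because the login owns this database; nothing beyond it
           WHEN sp.sid = @owner_sid
               THEN 'dbo via database ownership: highest privileges in this database only'
           -- Rows 3 and 4: the single login mapped to the sde user
           WHEN dp.name = 'sde'
               THEN 'sde: statement permissions in this database only'
           ELSE 'not a geodatabase administrator'
       END                        AS geodatabase_owner_path
FROM sys.server_principals AS sp
LEFT JOIN sys.database_principals AS dp ON dp.sid = sp.sid
WHERE sp.type IN ('S', 'U', 'G')      -- SQL login, Windows login, Windows group
  AND sp.name NOT LIKE '##%'          -- skip SQL Server's internal certificate-based logins
ORDER BY geodatabase_owner_path, login_name;
```

Any login reported as "dbo via sysadmin" that exists only to administer the geodatabase is a candidate for the database-owner or sde path instead, since those confine its privileges to the one database.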


11/14/2016