Privileges for using ArcGIS with a PostgreSQL database

Privileges determine what a user is authorized to do with the data and the database. Assign privileges based on the type of work the person does within the organization.

As a PostgreSQL database administrator, you create group roles based on what users need to do in the database, grant privileges to the group roles, and add individual login roles to each group role. The table below lists the minimum required privileges for common types of database users for which you would create group roles: data viewers, data editors, and data creators.

These privileges apply to using ArcGIS with a PostgreSQL database and supported PostgreSQL database service offerings. If you need to know the privileges required to use a geodatabase, see Privileges for geodatabases in PostgreSQL.

The following table lists three groups of users and the minimum privileges they require to query, edit, or create data from ArcGIS.

Type of userRequired privilegesPurpose

Data viewer

CONNECT

This privilege allows you to connect to the database.

The CONNECT database privilege is granted to the public role by default. If you revoke CONNECT from public, you must explicitly grant it on specific databases to all roles that need to connect to that database.

USAGE on schemas that contain data to which data viewers need access

This privilege allows access to data in specific schemas.

If the database uses the PostGIS geometry type for spatial data storage, roles require the SELECT privilege on the PostGIS spatial_ref_sys table and the geometry_columns view.

These privileges are required to read PostGIS geometry columns.

If the database uses the PostGIS geography type for spatial data storage, roles require the SELECT privilege on the PostGIS spatial_ref_sys table and the geography_columns view.

These privileges are required to read PostGIS geography columns.

SELECT on specific tables

This allows viewers access to specific tables and feature classes in the schemas to which they have access.

Data editor*

Data editors require the same privileges as data viewers, plus these additional privileges.

INSERT, UPDATE, and DELETE on specific tables

Grant the editing operations you want editors to perform on specific tables.

You can grant any combination of INSERT, UPDATE, and DELETE privileges depending on what editors need to do. Therefore, you can create multiple editor groups and grant the appropriate privileges to each. For example, you can have a full_edit group that has all three privileges plus SELECT on the tables group members need to edit and an updates_only group that has only SELECT and UPDATE privileges on the tables members need to edit.

Data creator

Data creators require the same privileges as data viewers plus this additional setting for their schema.

Each login role that creates data requires AUTHORIZATION on its own schema. Note that the schema name must match the login role name and that group roles cannot share a schema.

Use the AUTHORIZATION clause when creating or altering the schema to ensure that all the objects created in the schema are owned by the specified user.

*To edit data, publish editable web feature layers that reference the data in your PostgreSQL database.

Tip:

ArcGIS Insights may require additional privileges. See Required database privileges in the ArcGIS Insights help for more information.