In Microsoft SQL Server, database administrators add logins to the SQL Server instance, and these logins are mapped to users in individual databases on the SQL Server instance. Database users who will create tables and feature classes must have privileges necessary to create these objects in the database, and they must have a schema in which they can create them. When using ArcGIS, that schema must have the same name as the database user.
You can use the Create Database User tool or script to do all of the following:
- Create or add a login to the SQL Server instance.
- Create a user mapped to the specified login.
- Create a matching schema for the user in the database you specify.
- Grant privileges to the user sufficient to create tables, feature classes, and views in the specified database.
Add a user who can create data
You can run the Create Database User tool from ArcGIS Desktop or call the tool in a Python script to create a database user who can create tables, feature classes, and views.
You must be connected to the database with a login that has sysadmin privileges to the SQL Server instance to run the Create Database User tool.
If you want to create a database user for a Windows login, the Windows login must already exist before you run the tool.
Use the Create Database User tool
- Start an ArcGIS Desktop client.
- Connect to the database or geodatabase with a login that has sysadmin privileges in the SQL Server instance.
- Open the Create Database User tool.
The tool is in the Geodatabase Administration toolset of the Data Management toolbox.
- Specify the database connection for the Input Database Connection.
- Choose whether you want to create a SQL Server-authenticated login or use an existing Windows-authenticated login.
- Leave Create Operating System Authenticated User unchecked to create a SQL Server-authenticated login. Note that, by default, SQL Server instances use Windows Authentication only. If your instance is not configured to use SQL Server and Windows Authentication, choosing to create a database-authenticated login will fail.
- Check Create Operating System Authenticated User to use an existing Windows-authenticated login.
- Type a name for the database user that the tool will create.
If you choose to create a SQL Server-authenticated login, the name you type here will also be used for the login.
- Type a password for the database user.
- If you already have a database role that you want to add this user to, specify the role.
- Click OK (ArcMap) or Run (ArcGIS Pro).
Run a Python script
To script user creation, follow these steps:
- Create a text file on an ArcGIS client machine and copy the following script into the file.
""" Name: create_database_user.py Description: Provide connection information to a database user. Type create_database_user.py -h or create_database_user.py --help for usage """ # Import system modules import arcpy import os import optparse import sys # Define usage and version parser = optparse.OptionParser(usage = "usage: %prog [Options]", version="%prog 1.0 for 10.1 release") #Define help and options parser.add_option ("--DBMS", dest="Database_type", type="choice", choices=['SQLSERVER', 'ORACLE', 'POSTGRESQL', ''], default="", help="Type of enterprise DBMS: SQLSERVER, ORACLE, or POSTGRESQL.") parser.add_option ("-i", dest="Instance", type="string", default="", help="DBMS instance name") parser.add_option ("-D", dest="Database", type="string", default="none", help="Database name: Not required for Oracle") parser.add_option ("--auth", dest="Account_authentication", type ="choice", choices=['DATABASE_AUTH', 'OPERATING_SYSTEM_AUTH'], default='DATABASE_AUTH', help="Authentication type options (case-sensitive): DATABASE_AUTH, OPERATING_SYSTEM_AUTH. Default=DATABASE_AUTH") parser.add_option ("-U", dest="Dbms_admin", type="string", default="", help="DBMS administrator user") parser.add_option ("-P", dest="Dbms_admin_pwd", type="string", default="", help="DBMS administrator password") parser.add_option ("--utype", dest="user_type", type ="choice", choices=['DATABASE_USER', 'OPERATING_SYSTEM_USER'], default='DATABASE_USER', help="Authentication type options (case-sensitive): DATABASE_USER, OPERATING_SYSTEM_USER. Default=DATABASE_USER") parser.add_option ("-u", dest="dbuser", type="string", default="", help="database user name") parser.add_option ("-p", dest="dbuser_pwd", type="string", default="", help="database user password") parser.add_option ("-r", dest="role", type="string", default="", help="role to be granted to the user") parser.add_option ("-t", dest="Tablespace", type="string", default="", help="Tablespace name") # Check if value entered for option try: (options, args) = parser.parse_args() #Check if no system arguments (options) entered if len(sys.argv) == 1: print "%s: error: %s\n" % (sys.argv[0], "No command options given") parser.print_help() sys.exit(3) #Usage parameters for spatial database connection database_type = options.Database_type.upper() instance = options.Instance database = options.Database.lower() account_authentication = options.Account_authentication.upper() dbms_admin = options.Dbms_admin dbms_admin_pwd = options.Dbms_admin_pwd dbuser = options.dbuser dbuser_pwd = options.dbuser_pwd tablespace = options.Tablespace user_type = options.user_type role = options.role if (database_type == "SQLSERVER"): database_type = "SQL_SERVER" if( database_type ==""): print(" \n%s: error: \n%s\n" % (sys.argv[0], "DBMS type (--DBMS) must be specified.")) parser.print_help() sys.exit(3) if(database_type == "SQL_SERVER"): if( account_authentication == "DATABASE_AUTH" and dbms_admin == ""): print("\n%s: error: %s\n" % (sys.argv[0], "DBMS administrator must be specified with database authentication")) sys.exit(3) if( account_authentication == "OPERATING_SYSTEM_AUTH" and dbms_admin != ""): print("\nWarning: %s\n" % ("Ignoring DBMS administrator specified when using operating system authentication...")) else: if( dbuser.lower() == ""): print("\n%s: error: %s\n" % (sys.argv[0], "Database user must be specified.")) sys.exit(3) if( dbms_admin == ""): print("\n%s: error: %s\n" % (sys.argv[0], "DBMS administrator must be specified!")) sys.exit(3) if ( user_type == "DATABASE_USER" and (dbuser =="" or dbuser_pwd =="")): print(" \n%s: error: \n%s\n" % (sys.argv[0], "To create database authenticated user, user name and password must be specified!")) parser.print_help() sys.exit(3) # Get the current product license product_license=arcpy.ProductInfo() # Checks required license level if product_license.upper() == "ARCVIEW" or product_license.upper() == 'ENGINE': print("\n" + product_license + " license found!" + " Creating a user in an enterprise geodatabase or database requires an ArcGIS Desktop Standard or Advanced, ArcGIS Engine with the Geodatabase Update extension, or ArcGIS Server license.") sys.exit("Re-authorize ArcGIS before creating a database user.") else: print("\n" + product_license + " license available! Continuing to create...") arcpy.AddMessage("+++++++++") # Local variables instance_temp = instance.replace("\\","_") instance_temp = instance_temp.replace("/","_") instance_temp = instance_temp.replace(":","_") Conn_File_NameT = instance_temp + "_" + database + "_" + dbms_admin if os.environ.get("TEMP") == None: temp = "c:\\temp" else: temp = os.environ.get("TEMP") if os.environ.get("TMP") == None: temp = "/usr/tmp" else: temp = os.environ.get("TMP") Connection_File_Name = Conn_File_NameT + ".sde" Connection_File_Name_full_path = temp + os.sep + Conn_File_NameT + ".sde" # Check for the .sde file and delete it if present arcpy.env.overwriteOutput=True if os.path.exists(Connection_File_Name_full_path): os.remove(Connection_File_Name_full_path) try: print("\nCreating Database Connection File...\n") # Process: Create Database Connection File... # Usage: out_file_location, out_file_name, DBMS_TYPE, instnace, database, account_authentication, username, password, save_username_password(must be true) #arcpy.CreateDatabaseConnection_management(temp , Connection_File_Name, database_type, instance, database, account_authentication, dbms_admin, dbms_admin_pwd, "TRUE") arcpy.CreateDatabaseConnection_management(out_folder_path=temp, out_name=Connection_File_Name, database_platform=database_type, instance=instance, database=database, account_authentication=account_authentication, username=dbms_admin, password=dbms_admin_pwd, save_user_pass="TRUE") for i in range(arcpy.GetMessageCount()): if "000565" in arcpy.GetMessage(i): #Check if database connection was successful arcpy.AddReturnMessage(i) arcpy.AddMessage("\n+++++++++") arcpy.AddMessage("Exiting!!") arcpy.AddMessage("+++++++++\n") sys.exit(3) else: arcpy.AddReturnMessage(i) arcpy.AddMessage("+++++++++\n") print("Creating database user...\n") arcpy.CreateDatabaseUser_management(input_workspace=Connection_File_Name_full_path, user_authentication_type=user_type, user_name=dbuser, user_password=dbuser_pwd, role=role, tablespace_name=tablespace) for i in range(arcpy.GetMessageCount()): arcpy.AddReturnMessage(i) arcpy.AddMessage("+++++++++\n") except: for i in range(arcpy.GetMessageCount()): arcpy.AddReturnMessage(i) #Check if no value entered for option except SystemExit as e: if e.code == 2: parser.usage = "" print("\n") parser.print_help() parser.exit(2)
You can run the script from a computer where ArcGIS Desktop (Standard or Advanced), ArcGIS Server (Standard or Advanced), or ArcGIS Engine with the Geodatabase Update extension installed.
- Save the file with a .py extension.
- Run the script, providing options and information specific to your SQL Server instance and the user you want to create.
In the following example, the script name is create_database_user.py. A SQL Server-authenticated login (gisd_owner) is created in the SQL Server instance, ssi5, and a corresponding user and schema are created in the database, gisdata. The user is not added to a role.
create_database_user.py --DBMS SQL_SERVER -i ssi5 -D gisdata --auth DATABASE_AUTH -U sa -P !nocopy! --utype DATABASE_USER -u gisd_owner -p T3mpPass
Tip:
Type -h or --help at the command prompt to get syntax help.
Your database now has a user that can create tables.
Once the datasets exist, the data owner can grant privileges on the datasets to other users. See Grant and revoke dataset privileges for instructions.
Create logins and users with SQL Server tools
If you want to create a user who has different privileges than those granted by the Create Database User tool or has no privileges granted directly to the user, you can use SQL Server tools to do that. Here are some things to keep in mind when you are creating your own logins and users to be used with ArcGIS:
- All database users who will create data must have a schema in the database. That schema must have the same name as the user name.
- You can grant a Windows group access to SQL Server rather than individual Windows logins, which simplifies creation and management of logins. All members of the Windows group can log in to SQL Server. Server, database, and dataset privileges granted to the group automatically apply to every member of the group. However, be aware that you cannot create one schema to store the data created by all the group members. Each user in the group who creates data in the geodatabase must have his or her own schema in which to store the data. SQL Server creates a user and schema in the database the first time a group member creates data. This happens automatically; do not create a schema and user manually.
For instructions on using SQL Server tools to create logins, users, and schemas, see Microsoft SQL Server documentation.