Available with Standard or Advanced license.
If you want to let other database users view or modify the contents of any data in a database, you must grant them the privileges to do so.
You can use the Privileges dialog box, the Change Privileges geoprocessing tool, or the ChangePrivileges_management function in a Python script to specify what privileges a user or group has on a specific dataset.
You can grant select privileges, meaning the user can read and select from but not modify the contents of a dataset. You can also grant update, insert, and delete privileges, which allow the user to modify the contents of a dataset.
The following rules apply to granting and revoking privileges on data in a database or geodatabase in ArcGIS:
- Only the table owner can alter privileges on it.
- Only the table owner can drop it or alter its schema definition; therefore, even if another user has been granted insert, update, and delete privileges on a dataset, that user cannot alter the schema.
- If you are going to grant the insert, update, or delete privilege to a user, you must also grant the select privilege; users must be able to read the dataset before they can edit it.
- The dbo and db_owner roles do not appear in the User/Role list in the Privileges dialog box for SQL Server databases. These users automatically have privileges granted on all data in the database. The privileges vary by role, and you cannot revoke those privileges.
- PostgreSQL login roles or groups that have been granted superuser status in the database do not appear in the User/Role list Privileges dialog box. These users automatically have full privileges on all data, and you cannot revoke those privileges.
- You can only alter a user's privileges on one dataset at a time using the Privileges dialog box. To alter privileges on multiple datasets at once, use the Change Privileges geoprocessing tool or Python function instead.
- Revoking privileges requires an exclusive lock on the dataset. If anyone else is connected to the dataset, you won't be able to revoke privileges.
These rules apply to granting and revoking privileges on datasets in a geodatabase only:
- All feature classes in a feature dataset must have the same privileges applied.
- When privileges are granted to a feature class or table that participates in a relationship class, privileges must be granted to both the origin and destination classes. If the origin and destination feature classes are within the same feature dataset, they have the same set of privileges, since privileges are granted at the feature dataset level. However, when the origin or destination class is not in the same feature dataset, you must ensure the proper privileges are granted to both the origin and destination classes. If the relationship class is either attributed or has many-to-many cardinality, privileges are automatically propagated to the intermediate table when you assign privileges to the origin class.
- If the dataset is not registered as versioned, you can grant and revoke the update, insert, and delete privileges individually using the Privileges dialog box. For example, you can grant a user select and update privileges, which allows the user to connect to the dataset and alter existing features but does not allow the user to add new features or delete existing features.
- If the dataset is registered as versioned, the privileges that allow a user to modify a dataset (update, insert, and delete) must be granted and revoked as a group.
- If the dataset is registered as versioned, the geodatabase administrator must have full privileges on it. Therefore, you cannot revoke privileges from the geodatabase administrator on versioned datasets.
Use one of the following methods to grant or revoke privileges on datasets you own:
- Privileges dialog box—You can see what privileges a user or group already has on a specific dataset when you use the Privileges dialog box. You can also grant privileges on the dataset to more than one user or group at a time.
- Change Privileges tool—You can grant privileges on multiple datasets to a user or group when you use the Change Privileges tool.
- Python script—Python scripts can be run from Linux machines where ArcGIS Server is installed. Privileges can be altered on multiple datasets.
Use the Privileges dialog box
- Connect to the database or geodatabase that contains the data you own and for which you want to grant or revoke privileges.
- Right-click the dataset, point to Manage, and click Privileges.
- If the user or role whose privileges you want to change is already in the list, check or uncheck the boxes for the privileges you want to grant or revoke, and then click OK to apply your changes.
If you uncheck all the privilege boxes, the user or role will be removed from the list.
- If the user or role is not already in the list, do the following:
- Click Add User to open the User/Role dialog box.
- If you have privileges in the database to view the system table that lists all users and roles in the database, you can choose the database users or roles you want to add from the list by checking the box next to their names.
- Click OK to close the User/Role dialog box.
- Check the boxes of the privileges you want each new user or role to have and click OK.
Use the Change Privileges tool
You can use the Change Privileges tool to grant or revoke privileges on datasets you own. The tool can be found in the Geodatabase Administration toolset of the Data Management toolbox.
You can change a user's or group's privileges on multiple datasets at once using this tool. Be aware that the Change Privileges tool does not show what privileges the user already has on the datasets. Also, insert, update, and delete privileges must be granted as a set, not individually.
- Connect to the geodatabase or database as the owner of the datasets for which you want to grant or revoke privileges.
- Open the Change Privileges tool.
- Browse to your database connection and choose the datasets for which you want to change privileges.
- Type the name of the user or group whose privileges you want to change.
- Use the View and Edit drop-down lists to choose the privileges you want to grant to the specified user or group.
To grant edit privileges, view privileges must also be granted.
- Click OK to run the tool.
Use a Python script
If you want to use a Python script to grant or revoke privileges on a dataset you own, you can use the ChangePrivileges_management function.
- First, create a database connection using the CreateDatabaseConnection_management function. You must connect as the owner of the datasets and save the user name with the file.
In this example, the connection file gdb.sde is created in the /usr/connections directory. The connection is made to the cataloged database, projdata, as user eng1.
import arcpy arcpy.CreateDatabaseConnection_management (r'/usr/connections', "gdb.sde", "DB2", "PROJDATA", "DATABASE_AUTH", "eng1", "T!i569", "SAVE_USERNAME")
- Run the ChangePrivileges_management function.
In this example, view privileges are granted on three datasets to the group readers.
arcpy.ChangePrivileges_management ("/usr/connections/gdb.sde/projdata.eng1.properties,projdata.eng1.routes,projdata.eng1.demo", "readers", "GRANT", "AS_IS")