Privileges determine what someone is authorized to do with the data and the database. Privileges should be assigned based on the type of work the person does within the organization. Is this person involved with administration of the geodatabase? Does this person need to edit or create data? Or would this person only need to query the data?
Privileges are set at different levels. This page lists the minimum required database and dataset privileges for common types of geodatabase users: data viewers, data editors, data creators, and the geodatabase administrator.
You can use IBM Db2 tools or SQL statements to administer database privileges.
Privileges on datasets in geodatabases must be granted or revoked using ArcGIS, and must be done by the dataset owner.
Db2 grants CREATETAB, BINDADD, CONNECT, and IMPLICITSCHEMA database authority plus the USE privilege on the USERSPACE1 table space and SELECT privilege on the system catalog views to the PUBLIC group by default. To remove any of these database authorities, a database administrator must explicitly revoke them from the PUBLIC group.
If you revoke any of these privileges from the PUBLIC group, grant them to individual users or groups. For example, if you revoke CONNECT from PUBLIC, grant CONNECT to specific groups so that group members can connect to the database. Similarly, if you revoke SELECT on the system catalog views or tables from PUBLIC, you must grant individual users or groups SELECT on the following to allow users to connect:
- SYSIBM.SYSDUMMY1 (catalog view)
- SYSCAT.ROLEAUTH
- SYSCAT.DBAUTH
- SYSCAT.TABAUTH
Db2 minimum privileges
| Type of user | Notes |
|---|---|
Data viewer |
If your database is configured to use shared log file tables (the default), the following additional privileges are needed:
The MON_GET_CONNECTION function cleans up defunct processes from the PROCESS_INFORMATION table when the user connects. To clean up connections, the user must be able to run MON_GET_CONNECTION. |
Data editor |
Table and feature class owners use the Privileges dialog box or Change Privileges geoprocessing tool in ArcGIS to grant editing privileges on their data to other users. The MON_GET_CONNECTION function cleans up defunct processes from the PROCESS_INFORMATION table when the user connects. To clean up connections, the user must be able to run MON_GET_CONNECTION. |
Data creator |
The MON_GET_CONNECTION function cleans up defunct processes from the PROCESS_INFORMATION table when the user connects. To clean up connections, the user must be able to run MON_GET_CONNECTION. |
Geodatabase administrator (the sde user) |
The DBADM authority gives the sde user all privileges against all objects in the database and allows the sde user to grant these privileges to others. It is required to create or upgrade a geodatabase. DBADM authority is also necessary to remove client connections from the database. In addition, the sde user must have either SYSCTRL or SYSADM authority to remove client connections from the database. The MON_GET_CONNECTION function cleans up defunct processes from the PROCESS_INFORMATION table when the user connects. To clean up connections, the sde user must be able to run MON_GET_CONNECTION. |