Privileges determine what someone is authorized to do with the data and the database. Privileges should be assigned based on the type of work the person does within the organization. Is this person involved with administration of the geodatabase? Does this person need to edit or create data? Or would this person only need to query the data?
Privileges are set at the database or dataset level. Use SQL or SAP HANA tools to grant and revoke database privileges or privileges on SAP HANA system metadata tables.
Privileges on datasets in geodatabases must be granted or revoked using ArcGIS, and must be done by the dataset owner.
SAP HANA grants the SELECT privilege on system metadata tables to the PUBLIC role by default. If you revoke these privileges, you must grant privileges to individual groups or users.
The following sections list privileges that apply to databases in SAP HANA and SAP HANA Cloud.
Minimum privileges
The following table lists the minimum privileges required for the sde user and for other users to query, edit, or create data from ArcGIS. If you create standard SAP HANA users, they already have the privileges to select from sys tables and to create and drop tables. If you create restricted users, they require the privileges listed here.
Minimum privileges for geodatabases in SAP HANA
| Type of user | Required privileges | Purpose |
|---|---|---|
| Data viewer | SELECT on sys.st_geometry_columns, sys.st_spatial_reference_systems, and st_units_of_measure SAP HANA system views | These privileges are required to read ST_Geometry metadata for spatial operations. |
| | SELECT on <table1>, <table2>, <tablen> | Data viewers must have the SELECT privilege on specific tables you want them to query. |
| | | Geodatabases in SAP HANA 2.0 SPS 08 rev 81 or later and SAP HANA Cloud use application locks, making these privileges required to acquire and release these locks. |
| Data editor: Data editors require the same privileges as data viewers, plus these additional privileges. | INSERT, UPDATE, DELETE on other users' tables | Grant the editing operations you want editors to perform on specific tables. |
| Data creator: Data creators require the same privileges as data viewers, plus these additional privileges. | | These privileges allow data creators to create tables and feature classes in the database. |
| Geodatabase administrator (the sde user): The sde user requires the same privileges as data creators, plus these additional privileges for day-to-day operations. | CATALOG READ | This privilege is required for the sde user to view and manage geodatabase connections. |
Privileges required for geodatabase upgrade
To upgrade the geodatabase, the sde user must temporarily be granted elevated privileges so that it can upgrade objects in users' schemas.
Grant ALL PRIVILEGES on each schema that contains data that is registered with the geodatabase to the sde user. This privilege on each schema can be revoked after the geodatabase upgrade is complete.
If the geodatabase is in SAP HANA (not in SAP HANA Cloud), you can instead grant the sde user the DATA ADMIN system privilege in the database. This privilege can be revoked after the geodatabase upgrade is complete.
Note:
These privileges are in addition to the minimum privileges listed in the previous section.
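The temporary elevation described in this section, written out as SAP HANA SQL with a before-and-after check so that the extra privileges do not outlive the upgrade. This is an added example, not taken from the ArcGIS or SAP documentation; the schema name GIS_OWNER is a hypothetical placeholder, and the sde user is assumed to be named SDE.

```sql
-- Added example. GIS_OWNER is a hypothetical schema that contains data
-- registered with the geodatabase; repeat the schema-level statements
-- for every such schema.

-- 1. Before the upgrade: record the privileges the sde user holds now.
--    Save this result as the baseline for step 5.
SELECT GRANTEE, GRANTOR, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTEE = 'SDE'
 ORDER BY OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE;

-- 2. Temporary elevation. Run as a user who is allowed to grant
--    privileges on the schema (for example, the schema owner).
GRANT ALL PRIVILEGES ON SCHEMA GIS_OWNER TO SDE;

--    Alternative for SAP HANA only (not SAP HANA Cloud): one system
--    privilege instead of per-schema grants. Use one option, not both.
-- GRANT DATA ADMIN TO SDE;

-- 3. Run the geodatabase upgrade from ArcGIS while connected as sde.

-- 4. After the upgrade: remove the elevation, as the same user who
--    granted it in step 2.
REVOKE ALL PRIVILEGES ON SCHEMA GIS_OWNER FROM SDE;
-- REVOKE DATA ADMIN FROM SDE;

-- 5. Verify: rerun the step 1 query and compare it with the baseline.
--    A row that was not in the baseline is leftover elevation and still
--    needs to be revoked; a baseline row that is now missing is a
--    day-to-day privilege that has to be granted again.
SELECT GRANTEE, GRANTOR, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE
  FROM SYS.GRANTED_PRIVILEGES
 WHERE GRANTEE = 'SDE'
 ORDER BY OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE;
```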
Additional privileges
If data creators need to create views to restrict the amount of data returned from the database to the ArcGIS client, also grant them CREATE VIEW and DROP VIEW privileges.
If the sde user needs to remove connections from the geodatabase, grant the sde user SESSION ADMIN permission in the database.
ArcGIS Insights may require additional privileges. See Required database privileges in the ArcGIS Insights help for more information.