User groups or roles

Most database managment systems (DBMS) provide ways for the administrator to group users based on their data access needs and assign privileges to the group. This can reduce the time spent altering each individual user's permissions. You could, therefore, utilize groups (also called roles, types, or authorities depending on the DBMS) that grant rights to users based on their common functions.

You use roles in the database in the same way and for the same reasons as your system administrator uses groups in the operating system—to simplify administration of large numbers of privileges for large numbers of users.

Common categories or groups of ArcSDE users are those who view data, those who edit data, and those who create data. The specific types of privileges needed for these groups are detailed in the user permission topics for each DBMS. Read the one that applies to the DBMS you use.


In most cases, granting rights to groups does not preclude granting rights to individual users in ArcSDE geodatabases licensed through ArcGIS Server Enterprise. For instance, you could grant the minimum CREATE rights to the data creator group (which could include the ArcSDE administrator), then grant additional rights to only the administrative user. Each DBMS handles privilege precedence differently, though, so consult your DBMS documentation for details on the behavior of permissons for roles and individual users in your DBMS .

In addition, most DBMS products provide predefined groups. One of these is the PUBLIC role, described below. For other DBMS-specific predefined groups, please consult your DBMS documentation.

The PUBLIC role

There is a group that exists by default in all DBMSs—the PUBLIC group, or role. PUBLIC is basically a variable that equates to anyone connected to the database; therefore, any right granted to PUBLIC is granted to everyone with a database connection. There are cases in which all users require a certain privilege. For example, in an Oracle database, all users must be able to execute the stored procedures DBMS_PIPE and DBMS_LOCK. You should, therefore, grant rights to execute these stored procedures to the PUBLIC role.

Sometimes, high-level privileges are given to PUBLIC by default when the database is created. However, for security reasons, granting privileges to PUBLIC should be used only when absolutely necessary.