Exercise 4: Add users and administer their permissions

This topic applies to ArcEditor and ArcInfo only.

Complexity: Beginner
Data Requirement: ArcGIS Tutorial Data Setup
Goal: Create Windows logins, add them to the database server, then assign them permissions in the geodatabase and on specific datasets.

Your login was added to the database server when it was created in preparation for completing this tutorial.

Often, other users will need to access the database server. To do so, the logins for these users must be added to the database server. Before you can do this, the Windows logins must exist on the computer or the network. Therefore, in this exercise, you will first add the logins to your computer, then add them to the database server.

Note:

As indicated in A quick tour of the database servers tutorial, if you do not have administrative privileges on the computer, you must get your systems administrator to create the users for you.

Adding users to the computer

Users are added through the Windows Computer Management console.

You will create two logins: editor1 and manager1.

Steps:
  1. Click the Start button on the Windows task bar.
  2. Open the Windows Control Panel.
  3. From the Control Panel, open the Computer Management console.
  4. Expand Local Users and Groups in the System Tools.
  5. Right-click the Users folder and click New User.
  6. Type editor1 in the User name text box.
  7. Type editor.1 in both the Password and Confirm password text boxes.
  8. Uncheck User must change password at next logon.

  9. Click Create.

    The text boxes are cleared, but the dialog box remains open.

  10. Type manager1 in the User name text box.
  11. Type manager.1 in both the Password and Confirm password text boxes.
  12. Uncheck User must change password at next logon.

  13. Click Create and click Close.

You now have two new users on your computer: editor1 and manager1. Next, you will add these users to your database server.

Tip:

If both users were going to perform the same type of tasks and have the same privileges in the geodatabases on the database server, you could set up a Windows group and add them to it. However, for this tutorial, editor1 and manager1 will have different privileges, so you will just use the Windows logins.

Adding users to the database server

Now that you have created Windows logins for two new users, you can add them to the database server. Use the database server-level Permissions dialog box to do this.

From the database server-level Permissions dialog box, the database server administrator can add and remove users and grant server administrator privileges. Since neither editor1 nor manager1 will be database server administrators, no permissions will be assigned to them in this set of steps.

Steps:
  1. Restore ArcMap.
  2. In the Catalog window, right-click the database server and click Permissions.
  3. Click Add User.
  4. Type editor1 in the Enter the object name to select text box.
  5. Click Check Names.

    Editor1 prefaced by your computer name appears in the field. (If this were a network user, the name would be prefaced with the name of the network.)

  6. Click OK.
  7. Editor1 appears in the Database Server Users list.
  8. Repeat steps 3 through 6 to add manager1 to the database server.
  9. Click OK to apply your changes and close the Permissions dialog box.

Default geodatabase permissions

When you added the editor1 and manager1 users to the database server, both were added to the Osokopf and buildings geodatabases. You can see this by opening the geodatabase-level Permissions dialog box.

Steps:
  1. Right-click the buildings geodatabase, point to Administration, then click Permissions.

    This opens the geodatabase-level Permissions dialog box. In the Database Server Users list, you will see the logins you just added to the database server.

  2. Choose the user editor1.

    Notice that the option None is chosen for editor1. This is the default geodatabase-wide permission for new users who are not database server administrators.

  3. None indicates the user has no specific permissions on the geodatabase. If a user with a permission of None logs into the database server, he or she can see the geodatabase but is not able to perform any actions on the geodatabase.

    As you can see on the geodatabase Permissions dialog box, the other geodatabase-wide permissions available are Read Only, Read/Write, and Admin.

Granting geodatabase-wide permissions

When a user with read-only permission logs into the database server, he or she is able to see the geodatabase and the data stored in it. This user can query the database and use the data in ArcMap but cannot edit the data, unless the user is granted read/write permissions on specific datasets. (Dataset permissions are discussed in the next section.)

Users granted read/write geodatabase-wide permissions can not only view and query the data but can also edit all data in the geodatabase.

When a user is granted administrative privileges on a geodatabase, that user has read/write privileges plus he or she is able to perform geodatabase maintenance tasks, such as database compression and rebuilding indexes on that geodatabase. A geodatabase administrator can also administer the rights of existing users on that geodatabase.

The user's privileges apply only to the geodatabase on which they are granted. The user does not have database server-level administrative privileges and, therefore, cannot perform database server-level administrative tasks, such as adding users or attaching, detaching, restoring, or creating a geodatabase.

Editor1 needs to be able to edit all the data in the buildings and Osokopf geodatabases. Manager1 will be administering the buildings geodatabase but will only view the data in the Osokopf geodatabase. As database server administrator, you will grant the proper permissions to each user.

Steps:
  1. Right-click the Osokopf geodatabase, point to Administration, then click Permissions.
  2. Choose editor1 from the Database Server Users list, click Read/Write, then click Apply.

    This adds editor1 to a role that has read/write permission to the geodatabase. Since this is applied at the geodatabase level, editor1 now has read/write access to all the data in the Osokopf geodatabase.

  3. Choose manager1 from the Database Server Users list and click Admin.

    This adds manager1 to a role in the geodatabase that has administrator (db_owner) permissions in the database.

  4. Click OK to apply the changes and close the Permissions dialog box for the Osokopf geodatabase.
  5. Right-click the buildings geodatabase, point to Administration, then click Permissions.
  6. Choose editor1 from the Database Server Users list, click Read/Write, then click Apply.

    Editor1 now also has read/write permissions to all data in the buildings geodatabase.

  7. Choose manager1 in the Database Server Users list and click Read Only.

    This adds manager1 to a role in the geodatabase that can only view and select all the data in the buildings geodatabase.

  8. Click OK to apply the changes and close the Permissions dialog box for the buildings geodatabase.

Altering dataset permissions

There are three types of permission that can be granted on a dataset: None, Read Only, and Read/Write. Only the owner of a dataset can alter other users' permissions on that dataset.

You can tell who owns a dataset based on the schema name that appears in the fully qualified name of the table, feature class, feature dataset, raster catalog, raster dataset, or mosaic dataset. The schema name of the user who creates the dataset is incorporated into the name of the dataset and enclosed in quotes. For example, if a user with the domain account universe\ghila creates a table (contacts) in the geodatabase proj_work, the fully qualified name of the table is proj_work."universe\ghila".contacts.

Database server administrators use the dbo schema, so data they create has dbo in the dataset name. Any user who is a member of dbo (in other words, any user who is a database server administrator) is considered owner of the datasets in the dbo schema.

When you altered the geodatabase-wide permissions for editor1 and manager1 in the buildings geodatabase, those permissions applied to the datasets in that geodatabase. For example, editor1 was granted read/write geodatabase-wide permissions on the buildings geodatabase and so has read/write access to all data in that geodatabase. You cannot alter editor1's dataset-level permissions for any data in this geodatabase because he or she already has the highest level of permission possible. To see this, follow these steps:

Steps:
  1. Expand the buildings geodatabase.
  2. Right-click the gov_bldgs feature class and click Permissions.

    This opens the dataset-level Permissions dialog box.

  3. Choose editor1 from the Database Server Users list.

    All the permission options are inactive, and a note states the user has higher-level permissions.

Manager1 has Read Only geodatabase-wide permissions on the buildings geodatabase. Therefore, manager1 has Read Only dataset-level permissions to all the data. To see this, choose manager1 from the Database Server Users list.

Since there is a higher level of permission that can be granted (Read/Write), you can alter manager1's permissions on individual datasets in the buildings geodatabase.

Since all the datasets currently present in the buildings geodatabase are owned by dbo, you can change user permissions on any of the datasets in that geodatabase. To do so, follow these steps:

Steps:
  1. Right-click the government feature class and click Permissions.
  2. Choose manager1 from the Database Server Users list.
  3. Click Read/Write.
  4. Click OK.

Manager1 now has read/write access to the gov_bldgs feature class. Permissions on the other datasets in the buildings geodatabase remain read only.

To confirm this, do the following:

Steps:
  1. Right-click the utilities feature class and click Permissions.
  2. Choose manager1 from the Database Server Users list.

    Notice that manager1 still has read-only permission on this feature class.

  3. Click OK to close the dataset Permissions dialog box.
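The permissions set in the dialog boxes above can also be reviewed outside ArcMap. The following read-only audit is an added example, not part of the original tutorial; it assumes the database server is a SQL Server instance (the tutorial refers to db_owner and the dbo schema) and that you run it from a query tool while connected as a database server administrator.

```sql
-- Added example (not from the tutorial): read-only audit of what the
-- Permissions dialog boxes changed. Assumes a SQL Server database server.
USE buildings;  -- geodatabase name from the tutorial; repeat for Osokopf

-- 1. Geodatabase-wide level: database roles each tutorial login belongs to.
--    The login names are prefixed with the computer (or network) name,
--    so match on the suffix.
SELECT m.name AS member_name,
       r.name AS role_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r
     ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m
     ON m.principal_id = drm.member_principal_id
WHERE m.name LIKE N'%\editor1'
   OR m.name LIKE N'%\manager1'
ORDER BY m.name, r.name;

-- 2. Dataset level: explicit object grants made directly to the same
--    logins (class 1 = object or column), with the owning schema shown
--    so you can confirm the dataset belongs to dbo.
SELECT pr.name                         AS grantee,
       OBJECT_SCHEMA_NAME(pe.major_id) AS schema_name,
       OBJECT_NAME(pe.major_id)        AS object_name,
       pe.permission_name,
       pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
     ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1
  AND (pr.name LIKE N'%\editor1' OR pr.name LIKE N'%\manager1')
ORDER BY pr.name, schema_name, object_name, pe.permission_name;
```

In the first result, a db_owner row for manager1 should appear only in the geodatabase where you clicked Admin. In the second, write grants for manager1 should be limited to the dataset whose permissions you changed; anything broader is worth reviewing before you take the backup.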

Making a backup of your changes

Now that you have added users and altered permissions, create a backup of both the buildings and Osokopf geodatabases. Follow the instructions in exercise 3 to create the backup files in the same location as the first buildings backup, but change the names and descriptions of the backup files.

For example, a second backup of the buildings geodatabase could be called buildings_bu2 and have a description of "Users added and permissions granted." The Osokopf backup could be called osokopf_bu1.

You created Windows logins, added them to a database server, and granted them permissions on two geodatabases. You also altered one user's permissions on a dataset. Now the users can edit the data.


11/18/2013