Privileges determine what a user is authorized to do with the data and the database. Assign privileges based on the type of work the person does within the organization.
As a PostgreSQL database administrator, you create group roles based on what people need to do in the database, grant privileges to the group roles, and add individual login roles to each group role. This topic lists the minimum required privileges for common types of database users for which you would create group roles: data viewers, data editors, and data creators.
Note that these privileges apply to using ArcGIS with a PostgreSQL database. If you need to know the privileges required to use a geodatabase in PostgreSQL, see Privileges for geodatabases in PostgreSQL.
The following table lists three groups of users who will connect from ArcGIS and the minimum privileges they require to query, edit, or create data.
Type of user | Required privileges | Purpose |
---|---|---|
Data viewer | CONNECT | This privilege allows you to connect to the database. The CONNECT database privilege is granted to the public group role by default. If you revoke this privilege from public, you need to explicitly grant CONNECT on databases to specific logins or group roles. |
Data viewer | USAGE on schemas that contain data to which data viewers need access | This privilege allows access to data in specific schemas. |
Data viewer | If your database uses the PostGIS geometry type for spatial data storage, roles require SELECT privileges on the public.geometry_columns and public.spatial_ref_sys tables. | These privileges are required to read PostGIS geometry columns. |
Data editor* | Data editors require the same privileges as data viewers, plus USAGE on schemas that contain data to be edited. | Editors must have access to schemas containing data they need to edit. |
Data creator | CONNECT | This privilege allows you to connect to the database. The CONNECT database privilege is granted to the public group role by default. If you revoke this privilege from public, you need to explicitly grant CONNECT on databases to specific logins or group roles. |
Data creator | Each login role that creates data requires AUTHORIZATION on its own schema. Note that the schema name must match the login role name and that group roles cannot share a schema. | This allows data creators to create tables and feature classes in the database. |
Data creator | If using the PostGIS geometry type, grant SELECT, INSERT, UPDATE, and DELETE on the public.geometry_columns table and SELECT on the public.spatial_ref_sys table to data creators. | These privileges are required to create and alter the schema of feature classes that use the PostGIS geometry type. |
*You can edit data published to an ArcGIS Server feature service that has editing operations enabled.
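The following script is an added example of how the privileges in the table above can be applied with group roles, and is not part of the original page. It assumes a database named gisdata, a data schema named gis, PostGIS installed in the public schema, and login roles viewer1, editor1, and creator1; all of these names and the passwords are placeholders, and granting the viewer group role to the editor group role is one way (an assumption here) to give editors "the same privileges as data viewers".

```sql
-- Added example, not from the original page. gisdata, gis, viewer1, editor1,
-- creator1 and the passwords are placeholders.

-- Group roles carry the privileges; login roles are added as members.
CREATE ROLE gis_viewers  NOLOGIN;
CREATE ROLE gis_editors  NOLOGIN;
CREATE ROLE gis_creators NOLOGIN;

-- CONNECT is granted to public by default. Revoking it enforces least
-- privilege, so CONNECT must then be granted explicitly to the group roles.
REVOKE CONNECT ON DATABASE gisdata FROM PUBLIC;
GRANT CONNECT ON DATABASE gisdata TO gis_viewers, gis_editors, gis_creators;

-- Data viewers: USAGE on the data schema plus read access to the PostGIS
-- metadata tables.
GRANT USAGE ON SCHEMA gis TO gis_viewers;
GRANT SELECT ON public.geometry_columns, public.spatial_ref_sys TO gis_viewers;

-- Data editors: everything a viewer has (via membership, an assumption here),
-- plus USAGE on the schemas that contain data to be edited.
GRANT gis_viewers TO gis_editors;
GRANT USAGE ON SCHEMA gis TO gis_editors;

-- Data creators: the PostGIS metadata privileges needed to create and alter
-- feature classes that use the PostGIS geometry type.
GRANT SELECT, INSERT, UPDATE, DELETE ON public.geometry_columns TO gis_creators;
GRANT SELECT ON public.spatial_ref_sys TO gis_creators;

-- Each creator login owns a schema whose name matches the login role name.
CREATE ROLE creator1 LOGIN PASSWORD 'placeholder';
CREATE SCHEMA creator1 AUTHORIZATION creator1;
GRANT gis_creators TO creator1;

-- Add the remaining logins to their group roles.
CREATE ROLE viewer1 LOGIN PASSWORD 'placeholder';
CREATE ROLE editor1 LOGIN PASSWORD 'placeholder';
GRANT gis_viewers TO viewer1;
GRANT gis_editors TO editor1;

-- Check the result. The first three columns should be true; the last one
-- should be false, because viewers must not be able to change PostGIS metadata.
SELECT has_database_privilege('viewer1', 'gisdata', 'CONNECT')          AS viewer_connect,
       has_schema_privilege('editor1', 'gis', 'USAGE')                  AS editor_usage,
       has_schema_privilege('creator1', 'creator1', 'CREATE')           AS creator_create,
       has_table_privilege('viewer1', 'public.geometry_columns', 'INSERT') AS viewer_insert_geom;
```

Run it as a superuser or as the database owner; the final SELECT is the verification step to repeat after any later change to the group roles.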