ArcGIS Desktop

  • ArcGIS Pro
  • ArcMap

  • My Profile
  • Help
  • Sign Out
ArcGIS Desktop

ArcGIS Online

The mapping platform for your organization

ArcGIS Desktop

A complete professional GIS

ArcGIS Enterprise

GIS in your enterprise

ArcGIS for Developers

Tools to build location-aware apps

ArcGIS Solutions

Free template maps and apps for your industry

ArcGIS Marketplace

Get apps and data for your organization

  • Documentation
  • Support
Esri
  • Sign In
user
  • My Profile
  • Sign Out

Help

  • Home
  • Get Started
  • Map
  • Analyze
  • Manage Data
  • Tools
  • More...

Privileges for geodatabases in PostgreSQL

  • Minimum privileges
  • Privileges required to create or upgrade a geodatabase

Privileges determine what a user is authorized to do with the data and the database. Privileges should be assigned based on the type of work the person does within the organization. Is the user involved with administration of the geodatabase? Does the user need to edit or create data? Would the user only need to query the data?

User privileges are set at different levels. This topic describes the required database and dataset privileges for common types of users: data viewers, data editors, data creators, and the geodatabase administrator.

Individual database users in PostgreSQL are referred to as login roles. To group together login roles based on the common tasks the users perform, you can create group roles, add the login roles to the group roles, and assign privileges to the group roles.

Note:

The CONNECT database privilege is granted to the public group role by default. If you revoke this privilege from public, you need to explicitly grant CONNECT on databases to specific logins or group roles.

You can use one of the administrative applications that connect to PostgreSQL databases, such as pgAdmin III, to administer user privileges. Or you can use SQL statements to grant and revoke privileges.

Privileges on datasets should be granted or revoked by the dataset owner using the Privileges dialog box or Change Privileges geoprocessing tool in ArcGIS for Desktop. See Grant and revoke dataset privileges for instructions.

Minimum privileges

The following table lists privileges to be granted to each of three common groups—data viewers, data editors, and data creators—and the minimum privileges needed by the geodatabase administrator (the sde login role) for day-to-day operations.

Type of userDatabase privilegesDataset privilegesNotes

Data viewer

  • USAGE on sde schema
  • USAGE on all other schemas that contain data to which data viewers need access

SELECT on specific datasets

If the user will be accessing feature classes that use PostGIS geometry storage, the user must be granted SELECT privileges on the public.geometry_columns and public.spatial_ref_sys tables.

Data editor

  • USAGE on sde schema
  • USAGE on all other schemas that contain data that editors need to access

SELECT, INSERT, UPDATE, and DELETE on other users' datasets

If the user will be editing versioned data through a versioned view, the user must also be granted SELECT, INSERT, UPDATE, and DELETE privileges on the versioned view. When you use the Privileges dialog box in ArcGIS to grant the SELECT, INSERT, UPDATE, and DELETE privileges on a versioned feature class, those privileges are automatically granted on the associated versioned view.

If the user will be accessing feature classes that use PostGIS geometry storage, the user must be granted SELECT privileges on the public.geometry_column and public.spatial_ref_sys tables.

Data creator

  • AUTHORIZATION on the user's own schema
  • USAGE on sde schema
  • USAGE on all other schemas that contain data that data creators need to access

If using the PostGIS geometry type, you must also grant SELECT, INSERT, UPDATE, and DELETE on the public.geometry_columns table (syntax = GRANT SELECT, INSERT, UPDATE, DELETE ON TABLE public.geometry_columns TO <role_name>). Also grant SELECT on the public.spatial_ref_sys table (syntax = GRANT SELECT ON TABLE public.spatial_ref_sys TO <role_name>).

Geodatabase administrator (the sde login role)

USAGE on all other user schemas

If this is not granted, sde will not be able to compress or upgrade the geodatabase.

PostgreSQL privilege table

Privileges required to create or upgrade a geodatabase

The sde login role must be granted superuser status to create a geodatabase. To upgrade a geodatabase, the sde login role must be granted superuser status, have the ability to access all other users' schemas, and be able to select all the datasets in the geodatabase.

Superuser status is also required to drop database connections using ArcGIS tools. Therefore, you can revoke superuser privileges after the geodatabase is created or upgraded but only if you do not want the sde user to be able to drop connections.

ArcGIS Desktop

  • Home
  • Documentation
  • Support

ArcGIS Platform

  • ArcGIS Online
  • ArcGIS Desktop
  • ArcGIS Enterprise
  • ArcGIS for Developers
  • ArcGIS Solutions
  • ArcGIS Marketplace

About Esri

  • About Us
  • Careers
  • Esri Blog
  • User Conference
  • Developer Summit
Esri
Tell us what you think.
Copyright © 2019 Esri. | Privacy | Legal