Privileges determine what a user is authorized to do with the data and the database. Assign privileges based on the type of work the person does within the organization.
As a PostgreSQL database administrator, you create group roles based on what people need to do in the database, grant privileges to the group roles, and add individual login roles to each group role. This topic lists the minimum required privileges for common types of database users for which you would create group roles: data viewers, data editors, and data creators.
Note that these privileges apply to using ArcGIS with a PostgreSQL database. If you need to know the privileges required to use a geodatabase in PostgreSQL, see Privileges for geodatabases in PostgreSQL.
The following table lists three groups of users and the minimum privileges they require to query, edit, or create data from ArcGIS.
| Type of user | Required privileges | Purpose |
|---|---|---|
| Data viewer | CONNECT | This privilege allows you to connect to the database. The CONNECT and TEMP database privileges are granted to the public group role by default. If you revoke these privileges from public, you need to explicitly grant CONNECT and TEMP privileges on databases to specific logins or group roles. |
| Data viewer | USAGE on schemas that contain data to which data viewers need access | This privilege allows access to data in specific schemas. |
| Data viewer | If your database uses the PostGIS geometry type for spatial data storage, roles require SELECT privileges on the public.geometry_columns and public.spatial_ref_sys views. | These privileges are required to read PostGIS geometry columns. |
| Data viewer | If your database uses the PostGIS geography type for spatial data storage, roles require SELECT privileges on the public.geography_columns and public.spatial_ref_sys views. | These privileges are required to read PostGIS geography columns. |
| Data viewer | SELECT on specific datasets | This allows viewers access to specific tables and feature classes in the schemas to which they have access. |
| Data editor* (requires the same privileges as data viewers, plus these additional privileges) | INSERT, UPDATE, and DELETE on specific datasets | You can grant any combination of INSERT, UPDATE, and DELETE privileges depending on what editors need to do. Therefore, you might create multiple group roles and grant the appropriate privileges to each. For example, you might have a full_edit group role that has all three privileges plus SELECT on the tables group members need to edit and an updates_only group role that has only SELECT and UPDATE privileges on the tables members need to edit. |
| Data creator (requires the same privileges as data viewers, plus this additional privilege) | Each login role that creates data requires AUTHORIZATION on its own schema. Note that the schema name must match the login role name and that group roles cannot share a schema. | AUTHORIZATION ensures that all the objects created in the schema are owned by that user. |
*To edit data from ArcGIS, publish the data as a feature service that has editing capabilities enabled.
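The following script is an added example, not part of the original page or of Esri's documentation, showing how the three groups in the table are set up as PostgreSQL group roles with the minimum privileges listed. The database name `gisdb`, the schema `gisdata`, the tables `parcels` and `roads`, and the login role `gis_creator1` are assumed names; the script also revokes the default public CONNECT and TEMP grants, which is why CONNECT and TEMP are then granted explicitly.

```sql
-- Assumed names: database gisdb, data schema gisdata, tables parcels/roads.
-- Run as a superuser or the database owner.

-- Hardening: stop every role from connecting by default, so access must be
-- granted explicitly (the table above notes the consequence of this revoke).
REVOKE CONNECT, TEMP ON DATABASE gisdb FROM PUBLIC;

-- Data viewer group role: connect, see the schema, read PostGIS metadata,
-- and read only the named datasets.
CREATE ROLE viewers NOLOGIN;
GRANT CONNECT, TEMP ON DATABASE gisdb TO viewers;
GRANT USAGE ON SCHEMA gisdata TO viewers;
GRANT SELECT ON public.geometry_columns, public.spatial_ref_sys TO viewers;
GRANT SELECT ON public.geography_columns TO viewers;  -- only if geography is used
GRANT SELECT ON gisdata.parcels, gisdata.roads TO viewers;

-- Data editor group roles: inherit viewer privileges through membership,
-- then add only the write privileges each group needs.
CREATE ROLE full_edit NOLOGIN;
GRANT viewers TO full_edit;
GRANT INSERT, UPDATE, DELETE ON gisdata.parcels, gisdata.roads TO full_edit;

CREATE ROLE updates_only NOLOGIN;
GRANT viewers TO updates_only;
GRANT UPDATE ON gisdata.parcels, gisdata.roads TO updates_only;

-- Data creator: a login role that owns a schema with the same name.
-- Objects it creates there are owned by it; the schema is not shared.
CREATE ROLE gis_creator1 LOGIN PASSWORD 'replace-with-a-real-secret';  -- placeholder
GRANT viewers TO gis_creator1;
CREATE SCHEMA gis_creator1 AUTHORIZATION gis_creator1;

-- Add individual logins to the group roles rather than granting them directly.
-- GRANT viewers TO some_analyst_login;
-- GRANT updates_only TO some_field_editor_login;

-- Review the effective privileges before handing the roles to users.
SELECT r.rolname,
       has_database_privilege(r.rolname, 'gisdb', 'CONNECT') AS can_connect,
       has_schema_privilege(r.rolname, 'gisdata', 'USAGE')   AS can_use_schema,
       has_table_privilege(r.rolname, 'gisdata.parcels', 'INSERT') AS can_insert,
       has_table_privilege(r.rolname, 'gisdata.parcels', 'UPDATE') AS can_update
FROM pg_roles AS r
WHERE r.rolname IN ('viewers', 'full_edit', 'updates_only', 'gis_creator1');
```

The final query is the check to keep in a review runbook: it reports per role whether the grants match the intended group, so an over-broad grant (for example INSERT reaching the updates_only group) is visible before users are added.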