Privileges determine what a user is authorized to do with the data and the database. Assign privileges based on the type of work the person does within the organization.
As a Microsoft SQL Server database administrator, you create roles based on what people need to do in the database, grant privileges to the roles, and add the appropriate user accounts to each role. This topic lists the minimum required privileges for common types of users for which you would create roles: data viewers, data editors, and data creators.
Note that these privileges apply to using ArcGIS with a SQL Server database. If you need to know the privileges required to use a geodatabase in SQL Server, see Privileges for geodatabases in SQL Server.
The following table lists three groups of users and the minimum privileges they require to query, edit, or create data from ArcGIS.
Type of user | Required privileges | Purpose |
---|---|---|
Data viewer | CONNECT | This privilege allows users to connect to the database. The CONNECT privilege is granted on databases to the public database role by default. If you revoke this privilege from public, you must explicitly grant CONNECT on databases to specific roles or logins. |
SELECT on other users' tables | Data viewers need select privileges on specific tables you want them to see and query. If allowed to read all tables in the database, you can assign users to the db_datareader database role; otherwise, grant SELECT on specific tables and views. | |
Data editor* Data editors require the same privileges as data viewers, plus these additional privileges. | INSERT, UPDATE, DELETE on other users' tables | Grant the editing operations you want editors to perform on specific tables. You can grant any combination of INSERT, UPDATE, and DELETE privileges depending on what editors need to do. Therefore, you might create multiple editor roles and grant the appropriate privileges to each. For example, you might have a full_edit role that has all three privileges plus SELECT on the tables role members need to edit and an updates_only role that has only SELECT and UPDATE privileges on the tables members need to edit. |
Data creator | CONNECT | This privilege allows users to connect to the database. The CONNECT privilege is granted on databases to the public database role by default. If you revoke this privilege from public, you must explicitly grant CONNECT on databases to specific roles or logins. |
| These privileges allow data creators to create tables and feature classes. |
*To edit data from ArcGIS, publish the data as a feature service that has editing capabilities enabled.
Additional, optional privileges you may want to grant data creators include the following:
- CREATE VIEW
- DROP VIEW
- DROP TABLE
- DROP INDEX