User privileges for geodatabases in PostgreSQL
This topic describes the required database privileges for common types of users: data viewers, data editors, data creators, and the geodatabase administrator.
Individual database users in PostgreSQL are referred to as login roles. To group together login roles based on the common tasks the users perform, you can create group roles, add the login roles to the group roles, then assign privileges to the group roles.
The following table lists privileges to be granted to each of three common groups—data viewers, data editors, and data creators—and the minimum privileges needed by the geodatabase administrator (the sde login role) for day-to-day operations. Privileges needed by the geodatabase administrator to upgrade the geodatabase are listed at the end of this topic.
|
Type of user |
Database privileges |
Dataset privileges |
Notes |
|---|---|---|---|
|
Data viewer |
|
SELECT on specific datasets |
If the user will be accessing feature classes that use PostGIS geometry storage, the user must be granted SELECT privileges on the public.geometry_columns and public.spatial_ref_sys tables. |
|
Data editor |
|
SELECT, INSERT, UPDATE, and DELETE on other users' datasets |
If the user will be editing versioned data through a versioned view, the user must also be granted SELECT, INSERT, UPDATE, and DELETE privileges on the versioned view. When you use the Privileges dialog box in ArcGIS to grant the SELECT, INSERT, UPDATE, and DELETE privileges on a versioned feature class, those privileges are automatically granted on the associated versioned view. If the user will be accessing feature classes that use PostGIS geometry storage, the user must be granted SELECT privileges on the public.geometry_column and public.spatial_ref_sys tables. |
|
Data creator |
|
If using the PostGIS geometry type, you must also grant SELECT, INSERT, UPDATE, and DELETE on the public.geometry_columns table (syntax = GRANT SELECT, INSERT, UPDATE, DELETE ON TABLE public.geometry_columns TO <role_name>). Also grant SELECT on the public.spatial_ref_sys table (syntax = GRANT SELECT ON TABLE public.spatial_ref_sys TO <role_name>). |
|
|
Geodatabase administrator |
USAGE on all other user schemas |
If this is not granted, the geodatabase administrator will not be able to compress or upgrade the geodatabase. |
Note:The CONNECT database privilege is granted to the public group role by default. If you revoke this privilege from public, you need to explicitly grant CONNECT on databases to specific logins or group roles.
You can use one of the administrative applications that connect to PostgreSQL databases, such as pgAdmin III, to administer user privileges. Or you can use SQL statements to grant and revoke privileges and privileges.
Dataset privileges should be granted or revoked by the dataset owner using the Privileges dialog box or Change Privileges geoprocessing tool, which is available in ArcGIS for Desktop. See Granting and revoking privileges on datasets and Change Privileges for instructions.
Privileges required to create or upgrade a geodatabase
To create or upgrade a geodatabase, the geodatabase administrator (the sde user) must be granted superuser privilege and have the ability to access all other users' schemas and select all the datasets in the geodatabase. Superuser privileges are also required to drop database connections from ArcGIS for Desktop. Therefore, you can revoke superuser privileges after geodatabase creation or upgrading is performed, but only if you do not want the sde user to be able to drop connections.