Granting and revoking privileges on datasets
If you want to let other database users view or modify the contents of any data in a database, you must grant them the privileges to do so.
You can use the Privileges dialog box in ArcGIS for Desktop to specify what privileges a user or group has on a specific dataset. You can grant just the select privilege, meaning the user can read and select from, but not modify, the contents of a dataset. You can also grant select, update, insert, and delete privileges, which allow the user to both read and modify the contents of a dataset.
The following rules apply to granting and revoking privileges on data in a database or geodatabase:
- Only the table owner can alter privileges on it.
- Only the table owner can drop it or alter its definition; therefore, even if another user has been granted insert, update, and delete privileges on a dataset, that user cannot alter the schema.
- If you are going to grant the insert, update, or delete privilege to a user, you must also grant the select privilege; the user must be able to read the dataset before the user can edit it.
- The user or group name you type may require you to provide the domain or machine name, depending on the type of database management system in which the dataset is stored and the type of authentication the user will utilize to connect to that geodatabase. For example, if the operating system login was created to include the prefix of the domain or machine, you need to provide the domain or machine name with a backslash before the user name:
  BARNYARD\user1
- The dbo and db_owner roles will not appear in the User/Role list for SQL Server databases. These users automatically have full privileges on all data, and you cannot revoke those privileges.
- PostgreSQL login roles or groups that have been granted superuser privileges in the database will not appear in the User/Role list. These users automatically have full privileges on all data, and you cannot revoke those privileges.
- You can only alter a user's privileges on one dataset at a time using the Privileges dialog box. To alter privileges on multiple datasets at once, use the Change Privileges geoprocessing tool instead.
- Revoking privileges requires an exclusive lock on the dataset; therefore, if another user is connected to the dataset, you won't be able to revoke privileges from users on the dataset.
- All feature classes in a feature dataset must have the same user privileges.
- Beginning with ArcGIS 10.1, if new feature classes are added to a feature dataset, or a network or topology is built in the feature dataset, existing user privileges are automatically granted to the new feature class, network, or topology to match the privileges granted on the feature dataset.
- When privileges are granted to a feature class or table that participates in a relationship class, privileges must be granted to both the origin and destination class. If the origin and destination feature classes are within the same feature dataset, they have the same set of privileges, since privileges are granted at the feature dataset level. However, when the origin and destination classes are not in the same feature dataset, you must ensure the proper privileges are granted to both the origin and destination classes. If the relationship class is either Attributed or has Many to Many cardinality, privileges are automatically propagated to the intermediate table when you assign privileges to the origin class.
- If the dataset is not versioned, you can grant and revoke the update, insert, and delete privileges individually. For example, you can grant a user select and update privileges, which allows the user to connect to the dataset and alter existing features but does not allow the user to add new features or delete existing features.
- If the dataset is registered as versioned, the privileges that allow a user to modify a dataset (update, insert, and delete) must be granted and revoked as a group.
- If the dataset is registered as versioned, the geodatabase administrator must have full privileges on it. Therefore, you cannot revoke privileges from the geodatabase administrator on versioned datasets.
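
The rules above can be checked before a privilege change is applied, for example when scripting changes across many datasets. The following is an added example, not part of the original documentation or of ArcGIS; the function names and the sample data are hypothetical, and it checks only three of the rules: edit privileges require select, edit privileges on versioned datasets move as a group, and feature classes in a feature dataset share the same privileges.

```python
# Added example: pre-flight check of a privilege change against the rules above.
# All names here (check_request, check_feature_dataset) are hypothetical.
EDIT = {"insert", "update", "delete"}
KNOWN = EDIT | {"select"}


def check_request(privs, versioned=False):
    """Return a list of rule violations for the privileges one user would hold."""
    privs = {p.lower() for p in privs}
    problems = []
    unknown = privs - KNOWN
    if unknown:
        problems.append("unknown privilege(s): " + ", ".join(sorted(unknown)))
    edits = privs & EDIT
    # Rule: insert, update or delete requires select.
    if edits and "select" not in privs:
        problems.append("edit privileges require select")
    # Rule: on versioned datasets the edit privileges move as a group.
    if versioned and edits and edits != EDIT:
        problems.append("versioned dataset: grant update, insert, delete together")
    return problems


def check_feature_dataset(grants):
    """grants maps feature class name -> {user: set of privileges}.
    Rule: all feature classes in a feature dataset share the same user privileges.
    Returns the names of feature classes that differ from the first one."""
    normalized = {
        fc: {u: frozenset(p.lower() for p in ps) for u, ps in users.items() if ps}
        for fc, users in grants.items()
    }
    names = sorted(normalized)
    baseline = normalized[names[0]] if names else {}
    return [fc for fc in names if normalized[fc] != baseline]


if __name__ == "__main__":
    # Constructed sample data, not taken from a real geodatabase.
    print(check_request({"select", "update"}))                  # allowed when not versioned
    print(check_request({"select", "update"}, versioned=True))  # flagged
    print(check_request({"insert"}))                            # flagged: no select
    print(check_feature_dataset({
        "parcels": {"user1": {"select"}},
        "roads": {"user1": {"select", "update"}},
    }))
```
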
- Start ArcMap, open the Catalog window, then double-click the Database Connections folder in the Catalog tree.
- Connect to the database or geodatabase that contains the data for which you want to alter privileges. Be sure to connect as the owner of the data.
- Right-click the dataset, point to Manage, then click Privileges. The Privileges dialog box opens.
- If the user or role whose privileges you want to change is already in the list, check or uncheck the boxes to grant or revoke the privileges you want.
  Note: If you uncheck all the privilege boxes, the user or role will be removed from the list.
- If the user or role is not already in the list, do the following:
  - Click Add to open the User/Role dialog box.
  - If you have privileges in the database to view the system table that lists all users and roles in the database, you can choose the database users or roles you want to add from the list by checking the box next to their names. Otherwise, type the name of the database user, database role, operating system login, or Windows group to which you want to grant privileges. To type multiple users or groups, type the names separated by commas (no spaces).
  - Click OK to close the User/Role dialog box.
  - Check the boxes of the privileges you want each new user or role to have and click OK.