Privileges for using ArcGIS with a SQL Server database

Privileges determine what a user is authorized to do with the data and the database. Assign privileges based on the type of work the person does in the organization.

As a Microsoft SQL Server database administrator, you create roles based on what users need to do in the database, grant privileges to the roles, and add the appropriate user accounts to each role. The minimum required privileges for common types of users for which you would create roles are listed below: data viewers, data editors, and data creators.

These privileges apply to using ArcGIS with a SQL Server database or one of the supported SQL Server database service offerings. If you need to know the privileges required to use a geodatabase, see Privileges for geodatabases in SQL Server.

The following table lists three groups of users and the minimum privileges they require to query, edit, or create data from ArcGIS:


Type of user	Required privileges	Purpose
Data viewer	`CONNECT`	This privilege allows users to connect to the database. The `CONNECT` privilege is granted on databases to the public database role by default. If you revoke this privilege from public, you must explicitly grant `CONNECT` on databases to specific roles or logins.
Data viewer	`SELECT` on other users' tables	Data viewers must have the `SELECT` privilege on specific tables you want them to query. If allowed to read all tables in the database, you can assign users to the db_datareader database role; otherwise, grant `SELECT` on specific tables and views.
Data editor Data editors require the same privileges as data viewers, as well as these additional privileges.	`INSERT`, `UPDATE`, `DELETE` on other users' tables	Grant the editing operations you want editors to perform on specific tables. You can grant any combination of `INSERT`, `UPDATE`, and `DELETE` privileges depending on what editors need to do. Therefore, you can create multiple editor groups and grant the appropriate privileges to each. For example, you can have a full_edit group that has all three privileges as well as `SELECT` on the tables group members need to edit and an updates_only group that has only `SELECT` and `UPDATE` privileges on the tables members need to edit.
Data creator	`CONNECT`	This privilege allows users to connect to the database. The `CONNECT` privilege is granted on databases to the public database role by default. If you revoke this privilege from public, you must explicitly grant `CONNECT` on databases to specific roles or logins.
Data creator	`CREATE TABLE` `CREATE INDEX` Each user must own or have `CONTROL` permission on a schema that has the same name as their username, and the schema must be the user's default schema. You cannot use a single schema for all data creators. Schema names must match individual usernames. You cannot use a single schema for all data creators. For example, the username ruth must own or control a schema named ruth. If this requirement is not met, the user cannot use ArcGIS to create objects in the database, and objects created outside of ArcGIS may not be accessible from ArcGIS clients.	These privileges allow data creators to create tables and feature classes.

Note:

To edit data, publish editable web feature layers that reference the data in your SQL Server database.

If data creators at your site need to create views, grant them the CREATE VIEW permission. If you require that data creators be able to delete the objects they create, grant them the following additional privileges:

DROP VIEW
DROP TABLE
DROP INDEX