Privileges determine what someone is authorized to do with the data and the database. Privileges should be assigned based on the type of work the person does in the organization. Is this person involved with administration of the geodatabase? Does this person need to edit or create data? Or would this person only need to query the data?
Privileges are set at different levels. This page lists the minimum required database and dataset privileges for common types of geodatabase users: data viewers, data editors, data creators, and the geodatabase administrator.
The database administrator can use IBM Db2 tools or SQL statements to administer database privileges.
SELECT on the following system catalog tables and view:
SYSIBM.SYSDUMMY1 (catalog view)
SYSCAT.ROLEAUTH
SYSCAT.DBAUTH
SYSCAT.TABAUTH
SELECT on the DB2GSE.ST_GEOMETRY_COLUMNS system table
SELECT on the SYSIBMADM.APPLICATIONS system view
SELECT on other users' tables and feature classes
EXECUTE on the MON_GET_CONNECTION function
EXECUTE on the SYSIBMADM.DBMS_LOCK system module
USE on the USER TEMPORARY TABLESPACE that was created when the geodatabase was created
USE on the SYSTOOLSPACE tablespace
Table and feature class owners must use the Privileges dialog box or Change Privileges geoprocessing tool in ArcGIS to grant the select privilege on their data to other users.
The MON_GET_CONNECTION function cleans up defunct processes from the PROCESS_INFORMATION system table when the user connects. To clean up connections, the user must be able to run MON_GET_CONNECTION.
The SYSIBMADM.APPLICATIONS view stores information about applications connected to the database. The SYSIBMADM.DBMS_LOCK module provides functions for lock management. The SYSTOOLSPACE tablespace stores tables used for lock management. All users must be able to query the view, run this module, and use tables in this system tablespace to use branch versioned data.
The USE privilege is required on the USER TEMPORARY TABLESPACE to allow the software to create the global temporary table used to store selection sets that contain more than 1,000 records.
Data editor
Data editors require all the same privileges as a data viewer plus the following:
INSERT, UPDATE, and DELETE on other users' tables
CONTROL, ALTER, DELETE, INSERT, and UPDATE REFERENCES on SYSIBM.SYSDUMMY1
Table and feature class owners must use the Privileges dialog box or Change Privileges geoprocessing tool in ArcGIS to grant insert, update, and delete privileges on their data to other users.
You can grant any combination of INSERT, UPDATE, and DELETE privileges depending on what editors need to do. Therefore, you can create multiple editor groups and grant the appropriate privileges to each. For example, you can have a full_edit group that has all three privileges as well as SELECT on the tables group members need to edit and an updates_only group that has only SELECT and UPDATE privileges on the tables members need to edit.
Data creator
Data creators require all the same privileges as a data viewer plus the following:
CREATETAB in database
CONTROL on database objects
Geodatabase administrator (the sde user)
For Db2 11.5.x, the sde user requires all the same privileges as a data creator plus DBADM authority on the database.
For Db2 12.1 and later, the sde user requires all the same privileges as a data creator plus DBADM WITH DATAACCESS WITH ACCESSCTRL on the database.
The DBADM or DBADM WITH DATAACCESS WITH ACCESSCTRL authorities give the sde user all privileges for all objects in the database and allow the sde user to grant these privileges to others, which is required to create or upgrade a geodatabase.
To remove client connections from the database, the sde user must also have either SYSCTRL or SYSADM authority.