GEOG 868
Spatial Database Management

Adding Users and Data to Your Geodatabase

PrintPrint

Adding Users and Data to Your Geodatabase 

Logins and users in SQL Server

Before diving into enterprise geodatabase concepts, it's important to understand some basics of working with SQL Server, the DBMS that we'll be using on our Amazon cloud instances.  (While we're actually using SQL Server Express, I will refer to the software as simply SQL Server, since the two operate essentially the same for our purposes in this class.) Access to SQL Server itself is granted through logins. A login allows someone to authenticate with SQL Server and answers the question, "Who is connecting?"  Access to an individual database (of which there could be several for a given SQL Server instance) is granted through users. Whereas logins are concerned with authentication, user accounts provide authorization to perform different tasks with a database. They answer the question, "What can this person do in the database?"  As we'll see, logins must be mapped to database user accounts in order to work with database objects. This blog post provides further information. 

Related to logins and users is the concept of roles. A role provides a way to group similar users together so that permissions can be granted more easily. Database administrators can define their own desired roles and make permission changes for those roles as they see fit. SQL Server also comes with a set of fixed server and database roles whose permissions cannot be changed. Among these is the sysadmin role, which, as you might guess, has permissions that grant full control over the server. 

Geodatabase ownership

All databases found on a SQL Server instance have a special user called DBO (short for database owner). Any member of the sysadmin fixed server role who uses a database is mapped to the DBO user, and any object created by any member of the sysadmin fixed server role belongs to DBO automatically.

An important consideration when implementing an enterprise geodatabase in SQL Server is who will be the owner of the geodatabase -- the DBO user or the SDE user. While the DBO user is the person who administers the database at the SQL Server level (e.g., creating new users and roles), the SDE user is the person who administers the database within ArcGIS (e.g., updating database statistics and compressing the database). Esri's documentation includes a page that discusses the pros and cons of each [https://pro.arcgis.com/en/pro-app/help/data/geodatabases/manage-sql-server/comparison-geodatabase-owners-sqlserver.htm]. Generally speaking, if the SQL Server database administrator and the geodatabase administrator are the same person, then having the DBO user own the geodatabase is sensible. If, on the other hand, those two roles are filled by different people, then having the SDE user own the geodatabase is probably more advisable. In this course, we're going to work with a DBO-owned geodatabase.

A reminder, if and when you restart your instance of the AMI

In the next section, you will be back working, via your Remote Desktop Connection, on your instance of the Amazon Machine Image (AMI) that holds our enterprise geodatabase, etc.

If you STOP-ed your instance on purpose, or if your Remote Desktop Connection gets interrupted, you will need to re-START your instance via the EC2 Console.

And, if the IP address of the machine you're connecting with has changed since your last connection, remember that you may need to edit the RDP rule to allow connection from your new IP address.

Changing authentication settings

Before we move on to setting up geodatabase users and roles, there are a couple of authentication settings we will change to make our lives a bit easier in this safe learning environment. 

The first will be to set up SQL Server to allow mixed-mode authentication. By default, SQL Server only allows authentication through operating system logins. However, it is also possible to authenticate via user names and passwords stored in the database. In a real-world implementation, you may find it advantageous to utilize Windows authentication. But since that involves a bit of extra work on the instances we've just created, we'll go with SQL Server authentication.

The second setting we'll make will be to relax the default password standards on the Windows Server operating system that filter down to SQL Server. This will allow us to avoid the need to create lengthy, complex passwords.

  1. In your remote desktop window, launch the Microsoft SQL Server Management Studio. You should find it under Start > Microsoft SQL Server Tools.

    (You might consider right-clicking on the Management Studio application and selecting Pin to Start and/or Pin to Taskbar for quicker access to it later.)
  2. In the Connect to Server dialog that appears, enter LOCALHOST\SQLEXPRESS as the Server Name and click Connect.
  3. In the Object Explorer pane on the left side of the window, right-click on the LOCALHOST entry at the top of the tree and select Properties.
  4. Click on the Security page, then change the Server Authentication option from Windows Authentication mode to SQL Server and Windows Authentication mode. Click OK, and click OK to the note about needing to restart for changes to take effect.
  5. Right-click on the LOCALHOST server, and choose Restart.
  6. While the server is restarting, open the Server Manager (found under the Start menu).
  7. In the upper right of the Server Manager window, select Tools > Local Security Policy.
  8. Under Account Policies > Password Policy, double-click on Password must meet complexity requirements and choose Disabled. Click OK, and close both the Local Security Policy dialog and the Server Manager.

We'll now be able to authenticate using simple, easy-to-remember passwords. Obviously, in a real-world implementation, you would want to think twice before lessening your database security like this.

Create an Enterprise Geodatabase

Esri's ArcGIS Server/Enterprise AMIs have gone back and forth, sometimes including database software and a pre-configured enterprise geodatabase, sometimes not. This version's AMI does not -- we had to install the RDBMS ourselves -- so let's now create our first database. 

  1. Return to SQL Server Management Studio, and Connect to the local server.
  2. Right-click on Databases, and select New Database.
  3. Set the Database name to egdb (short for enterprise geodatabase).
  4. Click OK to create the database.

    At this point, this is an "ordinary" database. We'll next connect to the database in ArcCatalog, then use an Esri tool to turn it into a "geo" database.

Connect to the database as DBO

We'll start our work with the egdb database by connecting to it as the DBO user.

  1. On your remote connection desktop, open ArcGIS Pro if it's not open already.  I suggest selecting Start without a template.
  2. In the Catalog pane, right-click on Databases, and select New Database Connection.
  3. Choose SQL Server as the Database Platform if it's not selected already.

    Specify LOCALHOST\SQLEXPRESS as the Instance.

    For Authentication type, select Operating system authentication. You'll see that there are no User name and Password fields as you would see if you had instead chosen Database authentication.  This is because you'll be authenticating based on how you logged in to the current Windows Server session (in this case as the user Administrator who has system administrator privileges in both Windows and SQL Server).

    Select egdb as the Database to connect to, and click OK. A new ready-to-be-named connection will appear under the Databases heading. The user making the connection and the geodatabase being connected to are important components of the connection, so I suggest including that information in the connection name.
  4. Name your connection dbo_egdb.sde. The user is dbo and the database is egdb.

    The egdb database is empty since you just created it, so you won't see anything listed in it yet.

Convert the database to a geodatabase

  1. Open the Geoprocessing pane (Analysis > Tools). (It may take a while for this to open the first time.)
  2. Click the Toolboxes heading, then expand Data Management Tools > Geodatabase Administration, and open the Enable Enterprise Geodatabase tool.
  3. Set the Input Database Connection parameter by clicking on the Browse button (folder icon) and selecting the dbo_egdb connection you just created.
  4. Set the Authorization File parameter by navigating to C:\Program Files\ESRI\License10.9\sysgen\keycodes. (Note: If you're unable to browse to this file, see the workaround described in this tech support article.)
  5. Click OK to execute the tool. If the tool executed successfully, the resulting dialog will tell you that it:
    Created geodatabase tables and stored procedures.
    Finished creating geodatabase schema.

Before adding some data to the geodatabase, let's discuss the importance of users and roles in a geodatabase context and lay out the scenario for the rest of our work in this section.

Users and roles in the geodatabase

Database roles enable the database administrator to improve security by assigning users or groups of users various levels of access to the database tables. Commonly used roles in an enterprise geodatabase include viewer, editor, etc. As the names of these roles imply, one user group might be limited to read-only access to data while another group might be allowed to both read and edit the data. While we're only getting to this topic now, you should keep in mind that similar strategies can also be applied to the kind of Postgres/PostGIS databases we talked about in previous lessons.

For illustration purposes, imagine you work in the U.S. federal government and that you are administering a geodatabase that will host data from a number of different departments: state boundaries from the Census Bureau, major highways from the Department of Transportation, rivers from the Department of the Interior, etc. You want each department to have stewardship over their data and to have just read-only access to other departments' data. 

Click here to download to your machine the Lesson 6 data. In the steps below, you will then copy said us_data.zip archive file from your local machine to your remote instance. The Downloads (or Documents) folder on your remote instance is a logical place to paste and unzip the data.

  1. Go to the taskbar on your remote desktop, and open the File Explorer (via the file-folders icon).

    The File Explorer will open to the contents of This PC. In the Devices and drives list, you’ll see the drives that exist on your local computer and the drives that are on your remote instance.
  2. Find the us_data.zip file that you just retrieved, and copy it to the Local Disk Downloads folder.
  3. Unzip the us_data.zip file that you just uploaded.
    There are four Shapefile datasets.

Note that in our enterprise database environment, vector data is stored as feature classes. So, later, the Shapefile datasets that I gave you will be uploaded and converted to feature classes.

One aspect of the data loading/creation process that's worth keeping in mind is that when a feature class or feature dataset is created in the geodatabase, its name in the ArcGIS applications has two parts:

<owner>.<feature class/feature dataset>

Some organizations set up users specifically to handle data loading/data creation so that the owner listed in the two-part name clearly conveys the department that maintains the data. Following on this practice, let's add a user to the database who will control the loading of the Census data.

Add a data loader/creator to the geodatabase

The Create Database User tool is one of several geodatabase administration tools available through the ArcGIS Pro GUI.

  1. Again on your remote connection desktop, return to the geoprocessing Toolboxes.
  2. At the same Data Management Tools > Geodatabase Administration path, open the Create Database User tool.

    In the Create Database User dialog, set the Input Database Connection field to your dbo_egdb.sde connection.

    We're going to use database authentication for this user, so leave the Create Operating System Authentication User box unchecked.

    Enter a Database User name of census.

    To make this easy to remember, enter the same string (census) for the Database User Password.

    Leave the Role field empty. We'll discuss roles shortly, but you should note that if any database roles existed, you would have the option of associating the new user with a role in this dialog.

    Click Run to create the new user.

    With the new user created, let's add a database connection based on that user's authentication parameters.
  3. As you did earlier, access the New Database Connection dialog.

    The Database Platform and Instance should be correctly specified as SQL Server and LOCALHOST\SQLEXPRESS already.

    Change the Authentication Type to Database authentication.

    Enter the census:census User name and Password combination established above.

    You will probably want to leave the Save user name and password box checked for your work here, though this is another setting you'd want to consider carefully in a real-world implementation.

    If you entered the name and password properly, you should be able to select egdb from the Database dropdown.

    Click OK to create the connection.
  4. Following on the convention suggested earlier, rename the connection to census_egdb.sde.

Loading data

With the census user created, let's work as that user to load the state and city data you downloaded above. Because feature datasets are frequently used to house feature classes, let's create one of those first.

  1. Right-click on the census_egdb.sde connection, and select New > Feature Dataset.
  2. The Output Geodatabase parameter should be filled automatically with the census_egdb.sde connection, so leave that setting in place.
  3. Set the Feature Dataset Name to usa.
  4. The data you'll be importing are in geographic coordinates, NAD83 datum, so specify that as the Coordinate System for this feature dataset, and click Run.

    You should see a new CENSUS.usa feature dataset appear under your connection.
  5. In the Catalog pane, right-click on Folders, select Add Folder Connection, and make a connection to the folder where you copied the data (if the Downloads folder, you'll need to navigate to C:/Users/Administrator/Downloads).
  6. Now, expand the census_egdb.sde connection, and right-click on the CENSUS.usa feature dataset, and select Import > Feature Class(es).

    Setting the Input Features parameter, browse to where you unzipped the us_data shapefiles, and select the us_boundaries and us_cities shapefiles. 

    Confirm that the Output Geodatabase is set to your CENSUS.usa feature dataset and click Run

    After a few moments, new CENSUS.us_boundaries and CENSUS.us_cities feature classes should appear in the CENSUS.usa feature dataset.
  7. For additional practice, repeat the steps above to create a new transportation user, connect as that user, and load the us_roads shapefile into the geodatabase.

An important point to note about the process we just went through is that users created via the Create Database User tool have the ability to load/create data. It's generally considered a best practice to restrict this ability to a small number of trusted administrators to avoid cluttering the database with unwanted data. We'll now see that following this best practice requires adding lower-permission users through a different process.

Adding data editors/viewers to the geodatabase

Returning to our scenario, the users in the departments are as follows:

Department editors viewers
Geodatabase Users
Census Moe Larry, Curly
Transportation Lisa Bart, Homer
Interior Stan Cartman, Kenny

To add these users, we'll need to return to the SQL Server Management Studio.

  1. If you closed your Management Studio window earlier, re-open it and connect to LOCALHOST\SQLEXPRESS using Windows Authentication.
  2. In the Object Explorer, expand the Security folder, then right-click on Logins and select New Login.
  3. In the Login – New dialog, enter a Login name of Moe.

    Select SQL Server Authentication, then a Password of Moe (it's case-sensitive, same as the login name).

    Uncheck each of the three checkboxes (Enforce password policy, Enforce password expiration, User must change password at next login). Again, this is a place where you might choose differently in a real-world implementation.

    Set the Default database to egdb.

    Click OK to create the new login. 
  4. If you expand the Logins folder, you should now see a Moe login, along with census and transportation, which were created by the ArcGIS Add User tool earlier.


    We'll now associate the new login with the egdb database that you created above.
  5. In the Object Explorer, navigate through the following folders: Databases > egdb > Security > Users. Again, you should see census and transportation here, listed as users in the egdb database.
  6. Right-click the Users folder and click New User. In the Database User – New dialog:

    Enter a User name of Moe.

    Enter a matching Login name of Moe. (You could also click the '...' button to the right to browse the list of logins associated with the SQL Server instance.)

    Important: Leave the Default schema blank. If you wanted Moe to have the ability to own data in the geodatabase (i.e., to create new feature classes), then you would enter Moe as the default schema. The ArcGIS Create Database User tool makes this setting for the new user, which is why we're not using that tool to create lower-level users like Moe, but instead using SQL Server Management Studio as outlined here. The reasoning behind the different user creation process is found in Esri's documentation:

    "Users who own data must also have schemas in the database that have the same name as the user name."

    Click OK. Moe should now have access to the egdb database.
  7. Return to ArcGIS Pro and establish a database connection for user Moe following the steps used to create the census_egdb connection earlier.

    Note: At this point, you're emulating what a non-administrative user of your database would go through to connect to the geodatabase. Earlier connections and data loading procedures are tasks that you would be more likely to carry out in a database administrator role.

    After creating a connection for Moe and opening that connection, you'll find that Moe is not able to see any of the data that's been loaded into the database. We'll look at how to fix that shortly.
  8. Repeat the steps above to add Larry and Curly (and Lisa, Bart, and Homer if you're so inclined) as egdb geodatabase users.

Creating roles

In order for users to have the ability to view and/or edit the data in a geodatabase, the data owner must grant those privileges. That can be done on a user basis (using an ArcGIS tool), but the process can be done more efficiently by assigning users to roles and assigning privileges to the roles. In this section, you'll create a viewer role and an editor role in the egdb database.

One important note on roles: while the privileges must be granted by the data owner (the census and transportation users in our scenario), the roles must be created by someone with sysadmin privileges. That is the DBO user in our implementation.

  1. Return to the Geoprocessing pane > Toolboxes > Data Management > Geodatabase Administration.   Open the Create Role tool.
  2. In the resulting dialog, set the Input Database Connection parameter to your dbo_egdb.sde connection.
  3. For Role, enter viewer.
  4. Confirm that Grant role (and not Revoke role) is selected in the next dropdown.
  5. In the User Name(s) field, enter a list of the users you created in the section above who were listed as viewers. As it says in the Tool Help panel, the user list should be separated by commas (no spaces).
  6. Click Run
  7. Repeat these steps to create an editor role for the appropriate users. 

    If you're paying close attention to the scenario, you might be thinking we should have separate editor roles for each of the three data owners, such that Moe can only edit his Census data, Lisa can only edit her Transportation data, and Stan can only edit his Interior data. You're welcome to implement that sort of design if you wish, but for simplicity's sake, feel free to create just a single editor role.

Manage geodatabase privileges

Finally, we'll now work through the data owner connections to assign the proper privileges to go with the roles just created.

  1. Return to the Geodatabase Administration toolbox and open the Change Privileges tool.
  2. For the Input Dataset parameter, browse to the CENSUS.usa feature dataset (through either the census or dbo connection).
  3. The User parameter can be set to either a user or a role.  We want to set the viewer role's privileges here, so enter viewer for this parameter.  
  4. For the View parameter, select the Grant view privileges option. 
  5. For the Edit parameter, confirm that the Do not change edit privileges option is selected.

    Since you learned about SQL earlier in the course, it should make sense that the View privilege has Select next to it in parentheses and that the Edit privilege has Update/Insert/Delete next to it. 
  6. Click Run to apply the changes. This will provide the same level of privileges across all feature classes housed within the usa feature dataset.
  7. Repeat these steps to assign both View and Edit privileges to the editor role and, if desired, repeat the process for the data owned by the transportation user.
  8. Now, in a map, test the settings you've made by making database connections through at least Larry and Moe and attempting to perform some edits (such as creating a new state and/or deleting an existing one).  For example:
    - Larry should be able to view all feature classes, but not edit them.
    - Moe should be able to both view and edit all feature classes.
    - Neither Larry nor Moe should be able to import or create a new feature class.

    (Hint: you make Database Connections via the Catalog pane.)

Note:

  • Privileges can be assigned at the feature class level, but only if the feature class is not part of a feature dataset. When dealing with a feature dataset, privileges must be assigned at the dataset level (as outlined above), and they will cascade to each child feature class.
  • The Input Dataset parameter supports specifying multiple datasets/feature classes at once. 
  • It is also possible to right-click on a feature dataset/feature class and select Manage > Privileges.  

This concludes the hands-on activities you'll be doing with your geodatabase instance in this lesson. Feel free to do some experimenting with your instance. When done, close the remote desktop connection to your instance, and most importantly, remember to stop your instance through the EC2 Console to avoid racking up unnecessary charges.

Go on to the next page to see this week's graded activity.

With that, we've finished our tutorial on creating a SQL Server geodatabase, adding users, loading some data, and assigning data privileges to the users. You weren't specifically instructed to add the Department of the Interior users and import the us_hydro shapefile, but you're welcome to do so if you're looking for additional practice.