ArcSDE DBO and SDE schemas on SQL Server

April 30, 2012 No Comments

Geodatabases stored in SQL Server can be owned by a user named sde or a user who is dbo in the database. Let’s dig into this a little to figure out the differences.

First, a few facts about SQL Server logins, users, principals, schemas, and roles. If you already know this stuff, you can skip down to the next major section:

Logins, users, principals, schemas, and roles, oh my!

1. A login an entity that can gain access to the server. By server, I don’t mean the machine or the web server on the machine, I mean the ‘SQL Server Instance’.

SQL Server security is has two security realms: the server and the database. Logins give you access to the server and they come in two different flavors: Windows Authentication mode or SQL Server and Windows Authentication mode. Since logins gain access to the server, they also define permissions across the whole server (across multiple databases).

NOTE: Server level permissions like “ALTER ANY CREDENTIAL” AND “VIEW ANY DEFINITION” are the permissions assignable to logins.

2. A user is an entity that can gain access to a database. Users need access to the server before accessing a database, so they are mapped to logins by an SID property that both entities hold. As you can see, the terminology of logins and users should not be used interchangeably: Logins are for security of the server realm and users are for security of the database realm. Thus it’s possible to create orphaned users when they get out of sync with the logins on the server. If you move a database from one server to another, the users in the database will be orphaned until you remap them to valid logins on the other server.

NOTE: Database level permissions like “CREATE TABLE” and “BACKUP DATABASE” are the permissions assignable to users.

3. A principal is any entity that can be granted a permission. Since the logins and users we discussed above can be granted permissions, they are also principals. SQL Server has 6 types of server principals and 7 types of database principals, listed below:

Server Principals Database Principals
S = SQL login S = SQL user
U = Windows login U = Windows user
G = Windows group G = Windows group
R = Server role A = Application role
C = Login mapped to a certificate C = User mapped to a certificate
K = Login mapped to an asymmetric key K = User mapped to an asymmetric key
R = Database role

4. A schema is simply container of objects, such as tables, views, stored procedures, etc.

5. A role is a security principal that groups other principals. SQL Server provides nine fixed server roles, such as sysadmin and serveradmin.

Back to ArcSDE

Now that you know the very basics on SQL Server Security, let’s get back to your choice of setting up an SDE Schema geodatabase or a DBO Schema geodatabase.

SDE or DBO Selection

Multiple versus Single

In the screenshot above you’ll see that the SDE Schema can support a multiple spatial database instance, DBO does not, and multiple is better, right? Well, not so fast…

Beginning with version 9, ArcSDE started supporting both multiple and single models (prior to 9, you could only use multiple). Now that ArcSDE supports a single database model, the multiple model (though still supported) has been deprecated.

What’s the difference between them? In the multiple database model, the ArcSDE Admin’s user schema would sit in its own database called SDE. Meanwhile, user-defined data, like feature classes, raster tables, and nonspatial tables, would reside in other databases. It’s called a multiple model because multiple SQL Server databases are used to make one ArcSDE geodatabase. The single model puts everything in one database.

Note that you can still have multiple geodatabases on the same machine even if you opt for the (recommended) single model. SQL Server supports multiple databases within a single SQL Server instance. If you want to create more than one geodatabase when using the single spatial database model, just create them as separate SQL Server databases. Use the ArcSDE post installation wizard to create each one. (Run it multiple times.)

SDE versus DBO Ownership


If you create an SDE Schema geodatabase, it’s going to be owned by a user named “sde”. If you create a DBO Schema geodatabase, it’s going to be owned by the “dbo” user that ships with SQL Server. There’s no difference in the performance or functionality between the two types of geodatabase schemas, but they do have different security implications. Your choice is going to depend on how you administer databases.

DBO

If your server is not configured to support “SQL Server and Windows Authentication mode”, a Windows account named “sde” will be required to login as “sde”. The sde user can login as a Windows user or a SQL Server user, but only if mixed-mode authentication is turned on. Some people don’t want mixed-mode enabled. For them, DBO is easier to setup: no dedicated Windows account required.

Another reason to use DBO is that multiple Windows logins can map to the dbo user. You can make any user an SDE admin by adding them to the sysadmin or db_owner role. Each admin will have permission to perform ArcSDE tasks such as compress, and with Windows authentication, they can use their standard network username and password to do it. People tend to write down the sde password if they don’t use it everyday. Reusing Windows credentials can be more secure.

SDE

If the server needs to restrict SDE administrators to certain databases and not others, an SDE Schema will provide that. Unlike the dbo user, which usually has server-wide access to all databases, the sde user can be restricted to just a handful of permissions within a specific database. Thus, the SDE administrator for an SDE Schema geodatabase can be someone without the sysadmin or db_owner role. If you don’t want wide-spread permissions for geodatabase admins, use SDE Schema. The POST installation wizard will give “sde” only the minimum permissions it needs.

Well, that’s a LOT of words to explain one small configuration, but it’s an important choice with security implications you won’t know unless you understand both ArcSDE and SQL Server security. Hopefully you understand them now. Good luck!

SQL Server 2008 R2 Installation: Default or named instance?

April 12, 2012 No Comments

As part of the installation for SQL Server 2008 R2, the wizard will ask you to choose between a default or named instance:

Which one should you choose?

  1. If you plan to install a single instance of SQL Server on a database server, it should be a default instance.
  2. Use a named instance when you plan to install multiple instances on the same machine. A server can host only one default instance.
  3. Any app that installs SQL Server Express should install it as a named instance. This will minimize conflicts when multiple apps are installed on the same machine.

Esri Developer Summit Wrap-up

March 30, 2012 No Comments

Palm Springs Convention CenterWe had a great time at this year’s Dev Summit. It’s a huge conference with a lot of concurrent sessions. There’s no way we could cover it all, but here are some of the highlights:

A Few Esri Announcements

1. ArcGIS API for JavaScript 2.8 is out.

2. An update to Public Information Map was released too. This template is a little known gem for Esri JavaScript developers. It has features (like client side clustering) not in the core API, and it was written with input from the Esri JavaScript dev team. If you are looking for guidance on ArcGIS JavaScript best practices, Public Information Map is a good sample to check out.

3. ArcGIS Runtime is coming to Windows, Mac, Linux, and mobile platforms. No longer is Esri going to split the platform into “Desktop” and “Non-Desktop” categories. The goal now is to have a core C++ runtime that enables ArcGIS on everything from Android and iOS to Redhat servers and Windows desktops. Seeing demos of ArcGIS on Linux and OSX was really cool. And oh yeah, the map rendering was crazy fast!

Discussions with Esri and SitePen

1. Esri gave us a one-on-one demo of Business and Community Analyst products. In case you didn’t know, both have a ton of public and Esri owned data (about 13 gigs). Sure, it’s possible to download, organize and continuously update public domain datasets to do some of the analysis already in these products, but data warehousing is only part of what Business and Community Analyst offer. You also get:

  • An extensive Flex application to discover and explore all that data. Flex was a good choice here. The app has charting and reporting capabilities that would have been hard to build without a rich client like Flex.
  • A complete server REST API. If you want different applications than what you’ll find out-of-the-box, this API empowers you to build them. Mobile apps, Desktop apps, Web apps, whatever.

2. We talked with the Geocoding team for at least an hour this year. Custom geocoders are probably not the most entertaining of topics, but Esri’s team could not have been nicer or more helpful with our questions.

3. Meeting Dojo co-founder Dylan Schiemann was really cool. JavaScript is tough to program, having lots of pitfalls to avoid. SitePen specializes in JavaScript best practices and pushing the envelope of what modern browsers can handle. Dylan presented Top Ways Dojo Can Improve Your Mapping App and talked with us one-on-one about JavaScript best practices on Wednesday night.

4. I think we were the first to give feedback on ArcGIS for Open Street Map version 2. The tools work pretty well for editing OSM nodes and ways as long as you enable a map topology to keep them connected. Using the tool marks your edits with created_by = ArcGIS Editor for OpenStreetMap (2.0).

Some of our Favorite Sessions

Speed Geeking was a good idea: 10 presentations, 5 minutes each. I hope they do more of this next year.

Dave Bouwman, DTS Agile, was entertaining as always: Getting Real-Time: Node.js and Socket.io

Dylan Schiemann, SitePen, had a packed house: Top Ways Dojo Can Improve Your Mapping App

– Robert Claypool, Sr. Software Developer, GISbiz

Setup Visual Studio 2010 Remote Debugging – Step by Step

February 28, 2012 No Comments

Every Visual Studio developer has probably come across the need of Remote Debugging at some point during development. I too faced that situation, and found only a few (not entirely helpful) references via Google.

Since I’ve spent the last few days on this issue, and Remote Debugging now works in my environment, I thought it best to document the process. Here’s a step-by-step approach to help someone in need.

Steps to enable remote debugging on a local machine:

  1. Create a local user account with administrator privileges. (e.g. rmdbgr/pwd123)
  2. Share the web application directory (e.g. Foo.Bar) with full control as accessible from the remote machine.
  3. Enable the custom web server option in web application properties (which is below “Web” tab).

Steps to enable remote debugging on a remote machine:

  1. Setup the required development environment. (IIS, .NET Framework, ASP.NET, etc.)
  2. Install the Microsoft Visual Studio 2010 Remote Debugger.
  3. Create an administrator user account on the remote machine with the same username and password. (e.g. rmdbgr/pwd123)
  4. Go to services.msc and start the “Visual Studio 10 Remote Debugger” service with rmdbgr user.
  5. Create an IIS7 virtual directory for the shared web application which is in the local machine.

Start remote debugging:

  1. Run the VS2010 IDE on the local machine as rmdbgr user.
  2. Open the solution and run the project in debug mode.

Possible issues and troubleshooting:

  • If the “The network BIOS command limit has been reached.” error arises, check out this article: http://support.microsoft.com/kb/810886
  • If any security error arises, try disabling the firewall on both machines and try again.

ArcGIS Server Subdomain Configurations

February 12, 2012 No Comments

Let’s suppose you install ArcGIS Server on machine “foobar1″ and it serves out tiles from http://foobar1/arcgisoutput/.

Secondly, you have a subdomain that points to this machine and you want ArcGIS server to respond accordingly:

gisstuff.example.net --> ROUTES TO ------------> foorbar1
ArcGIS Server ---------> STILL RESPONDS WITH --> foorbar1 ???

Here, the ArcGIS website is getting requests through the subdomain. (Your router takes care of that) However, the ArcGIS HTTP responses do not point to the right address. They are still pointing to the machine itself without “knowing” of the router’s configuration.

http://foobar1/arcgisoutput/ --> IS RETURNED, INSTEAD OF --> http://gisstuff.example.com/arcgisoutput/

For this problem, (or any other reason you need to control the response URLs) look in ArcGIS Server’s configuration file at \server\system\Server.dat (Windows OS)

The Server.dat file maintains the server’s properties. The server object manager (SOM) reads the contents of this file at its startup and is configured accordingly … Be sure to restart the SOM service after editing this file.

For more info, see the web help HERE and HERE. There’s a lot you can configure with ArcGIS Server, you just have to know where to go. Good luck!

The “ArcGIS Viewer for Silverlight 1.0″ is ready for public download.

January 20, 2012 No Comments

The ArcGIS Viewer for Silverlight 1.0 was released yesterday for public download. For details on what’s been added since the last release (beta 2), check out the What’s New topics on Esri’s website.

Smart Pen Demonstration

November 18, 2011 No Comments

Here’s a Smart Pen demonstration for collecting field data. This is a custom app we designed for a specific utility data workflow, but the application is readily configurable to use in other industries.