GISbiz

ArcSDE DBO and SDE schemas on SQL Server

Geodatabases stored in SQL Server can be owned by a user named sde or a user who is dbo in the database. Let’s dig into this a little to figure out the differences.

First, a few facts about SQL Server logins, users, principals, schemas, and roles. If you already know this stuff, you can skip down to the next major section:

Logins, users, principals, schemas, and roles, oh my!

1. A login an entity that can gain access to the server. By server, I don’t mean the machine or the web server on the machine, I mean the ‘SQL Server Instance’.

SQL Server security is has two security realms: the server and the database. Logins give you access to the server and they come in two different flavors: Windows Authentication mode or SQL Server and Windows Authentication mode. Since logins gain access to the server, they also define permissions across the whole server (across multiple databases).

NOTE: Server level permissions like “ALTER ANY CREDENTIAL” AND “VIEW ANY DEFINITION” are the permissions assignable to logins.

2. A user is an entity that can gain access to a database. Users need access to the server before accessing a database, so they are mapped to logins by an SID property that both entities hold. As you can see, the terminology of logins and users should not be used interchangeably: Logins are for security of the server realm and users are for security of the database realm. Thus it’s possible to create orphaned users when they get out of sync with the logins on the server. If you move a database from one server to another, the users in the database will be orphaned until you remap them to valid logins on the other server.

NOTE: Database level permissions like “CREATE TABLE” and “BACKUP DATABASE” are the permissions assignable to users.

3. A principal is any entity that can be granted a permission. Since the logins and users we discussed above can be granted permissions, they are also principals. SQL Server has 6 types of server principals and 7 types of database principals, listed below:

4. A schema is simply container of objects, such as tables, views, stored procedures, etc.

5. A role is a security principal that groups other principals. SQL Server provides nine fixed server roles, such as sysadmin and serveradmin.

Back to ArcSDE

Now that you know the very basics on SQL Server Security, let’s get back to your choice of setting up an SDE Schema geodatabase or a DBO Schema geodatabase.

Multiple versus Single

In the screenshot above you’ll see that the SDE Schema can support a multiple spatial database instance, DBO does not, and multiple is better, right? Well, not so fast…

Beginning with version 9, ArcSDE started supporting both multiple and single models (prior to 9, you could only use multiple). Now that ArcSDE supports a single database model, the multiple model (though still supported) has been deprecated.

What’s the difference between them? In the multiple database model, the ArcSDE Admin’s user schema would sit in its own database called SDE. Meanwhile, user-defined data, like feature classes, raster tables, and nonspatial tables, would reside in other databases. It’s called a multiple model because multiple SQL Server databases are used to make one ArcSDE geodatabase. The single model puts everything in one database.

Note that you can still have multiple geodatabases on the same machine even if you opt for the (recommended) single model. SQL Server supports multiple databases within a single SQL Server instance. If you want to create more than one geodatabase when using the single spatial database model, just create them as separate SQL Server databases. Use the ArcSDE post installation wizard to create each one. (Run it multiple times.)

SDE versus DBO Ownership

If you create an SDE Schema geodatabase, it’s going to be owned by a user named “sde”. If you create a DBO Schema geodatabase, it’s going to be owned by the “dbo” user that ships with SQL Server. There’s no difference in the performance or functionality between the two types of geodatabase schemas, but they do have different security implications. Your choice is going to depend on how you administer databases.

DBO

If your server is not configured to support “SQL Server and Windows Authentication mode”, a Windows account named “sde” will be required to login as “sde”. The sde user can login as a Windows user or a SQL Server user, but only if mixed-mode authentication is turned on. Some people don’t want mixed-mode enabled. For them, DBO is easier to setup: no dedicated Windows account required.

Another reason to use DBO is that multiple Windows logins can map to the dbo user. You can make any user an SDE admin by adding them to the sysadmin or db_owner role. Each admin will have permission to perform ArcSDE tasks such as compress, and with Windows authentication, they can use their standard network username and password to do it. People tend to write down the sde password if they don’t use it everyday. Reusing Windows credentials can be more secure.

SDE

If the server needs to restrict SDE administrators to certain databases and not others, an SDE Schema will provide that. Unlike the dbo user, which usually has server-wide access to all databases, the sde user can be restricted to just a handful of permissions within a specific database. Thus, the SDE administrator for an SDE Schema geodatabase can be someone without the sysadmin or db_owner role. If you don’t want wide-spread permissions for geodatabase admins, use SDE Schema. The POST installation wizard will give “sde” only the minimum permissions it needs.

Well, that’s a LOT of words to explain one small configuration, but it’s an important choice with security implications you won’t know unless you understand both ArcSDE and SQL Server security. Hopefully you understand them now. Good luck!

Esri Developer Summit Wrap-up

We had a great time at this year’s Dev Summit. It’s a huge conference with a lot of concurrent sessions. There’s no way we could cover it all, but here are some of the highlights:

A Few Esri Announcements

1. ArcGIS API for JavaScript 2.8 is out.

2. An update to Public Information Map was released too. This template is a little known gem for Esri JavaScript developers. It has features (like client side clustering) not in the core API, and it was written with input from the Esri JavaScript dev team. If you are looking for guidance on ArcGIS JavaScript best practices, Public Information Map is a good sample to check out.

3. ArcGIS Runtime is coming to Windows, Mac, Linux, and mobile platforms. No longer is Esri going to split the platform into “Desktop” and “Non-Desktop” categories. The goal now is to have a core C++ runtime that enables ArcGIS on everything from Android and iOS to Redhat servers and Windows desktops. Seeing demos of ArcGIS on Linux and OSX was really cool. And oh yeah, the map rendering was crazy fast!

Discussions with Esri and SitePen

1. Esri gave us a one-on-one demo of Business and Community Analyst products. In case you didn’t know, both have a ton of public and Esri owned data (about 13 gigs). Sure, it’s possible to download, organize and continuously update public domain datasets to do some of the analysis already in these products, but data warehousing is only part of what Business and Community Analyst offer. You also get:

• An extensive Flex application to discover and explore all that data. Flex was a good choice here. The app has charting and reporting capabilities that would have been hard to build without a rich client like Flex.
• A complete server REST API. If you want different applications than what you’ll find out-of-the-box, this API empowers you to build them. Mobile apps, Desktop apps, Web apps, whatever.

2. We talked with the Geocoding team for at least an hour this year. Custom geocoders are probably not the most entertaining of topics, but Esri’s team could not have been nicer or more helpful with our questions.

3. Meeting Dojo co-founder Dylan Schiemann was really cool. JavaScript is tough to program, having lots of pitfalls to avoid. SitePen specializes in JavaScript best practices and pushing the envelope of what modern browsers can handle. Dylan presented Top Ways Dojo Can Improve Your Mapping App and talked with us one-on-one about JavaScript best practices on Wednesday night.

4. I think we were the first to give feedback on ArcGIS for Open Street Map version 2. The tools work pretty well for editing OSM nodes and ways as long as you enable a map topology to keep them connected. Using the tool marks your edits with created_by = ArcGIS Editor for OpenStreetMap (2.0).

Some of our Favorite Sessions

Speed Geeking was a good idea: 10 presentations, 5 minutes each. I hope they do more of this next year.

Dave Bouwman, DTS Agile, was entertaining as always: Getting Real-Time: Node.js and Socket.io

Dylan Schiemann, SitePen, had a packed house: Top Ways Dojo Can Improve Your Mapping App

– Robert Claypool, Sr. Software Developer, GISbiz

ArcGIS Server Subdomain Configurations

Let’s suppose you install ArcGIS Server on machine “foobar1″ and it serves out tiles from http://foobar1/arcgisoutput/.

Secondly, you have a subdomain that points to this machine and you want ArcGIS server to respond accordingly:

gisstuff.example.net --> ROUTES TO ------------> foorbar1
ArcGIS Server ---------> STILL RESPONDS WITH --> foorbar1 ???

Here, the ArcGIS website is getting requests through the subdomain. (Your router takes care of that) However, the ArcGIS HTTP responses do not point to the right address. They are still pointing to the machine itself without “knowing” of the router’s configuration.

http://foobar1/arcgisoutput/ --> IS RETURNED, INSTEAD OF --> http://gisstuff.example.com/arcgisoutput/

For this problem, (or any other reason you need to control the response URLs) look in ArcGIS Server’s configuration file at \server\system\Server.dat (Windows OS)

The Server.dat file maintains the server’s properties. The server object manager (SOM) reads the contents of this file at its startup and is configured accordingly … Be sure to restart the SOM service after editing this file.

For more info, see the web help HERE and HERE. There’s a lot you can configure with ArcGIS Server, you just have to know where to go. Good luck!

The “ArcGIS Viewer for Silverlight 1.0″ is ready for public download.

The ArcGIS Viewer for Silverlight 1.0 was released yesterday for public download. For details on what’s been added since the last release (beta 2), check out the What’s New topics on Esri’s website.

Warning: Can’t edit versioned workspace, check that you have proper permissions on the version.

This is the message we started seeing after an ArcMap crash today.

Warning: Can't edit versioned workspace, check that you have proper permissions on the version.

I’m sure there’s more than one trigger for it, but in our case, ArcMap did not release a table from ArcSDE load only mode. We verified this with the following SQL statement; it prints all the Oracle tables in load only mode:

-- Lists all Oracle tables that are in load only mode
SELECT a.owner OWNER,
  a.TABLE_NAME TABLE_NAME
FROM sde.table_registry a,
  sde.layers b
WHERE BITAND(b.eflags,1074790400)  = 1074790400
AND a.owner                        = b.owner
AND a.TABLE_NAME                   = b.TABLE_NAME;

Once you know which tables are in load only mode, use sdelayer on the command line to change them. You can also use sdelayer to get the current mode of a table (in lieu of the SQL above).

REM Describe the current mode for a featureclass/table
REM See http://help.arcgis.com/en/geodatabase/10.0/admin_cmds/support_files/datamgmt/sdelayer.htm
sdelayer -o describe -l {owner.featureclass,shape} -u myUserName  -p myPassword

REM Change the mode for a featureclass/table.
sdelayer -o {load_only_io | normal_io} -l owner.featureclass,shape -u myUserName -p myPassword

Good luck!

See also: http://support.esri.com/en/knowledgebase/techarticles/detail/35676

Readable Field Names in the ArcGIS Viewer for Flex Edit Widget

You might have noticed that the ArcGIS Viewer for Flex Edit Widget does not have configuration options for field labels, and so, by default you will get something like this:

ALTERNATE_NAME, ALTERNATE_NO, CREATED_ON, PROJECT_ID, and PROJECT_STAGE are not exactly readable, but how do you change them?

read more

ArcGIS API for Android – Setup Instructions for Windows OS

This article will walk you through the steps to get started with the ArcGIS API for Android on Windows 7.¹

I’ll assume you know some of the very basics – e.g. you can download Eclipse and get it running on your own!

1. The ArcGIS API for Android is in public beta was released back in October of 2011. To participate, register at betacommunity.esri.com (it’s free).
2. Install the Java Runtime Environment (JRE) and Java Development Kit (JDK).²

read more

1. This should work just as well for Vista or XP, but I have not tested them. [↩]
2. Watch out on the installer for JRE. It will opt you into installing Yahoo Toolbar, McAfee Security and other stuff if you aren’t careful. [↩]