Technical Stuff

30.04.2012 ArcGIS, Technical Stuff No Comments

ArcSDE DBO and SDE schemas on SQL Server

Geodatabases stored in SQL Server can be owned by a user named sde or a user who is dbo in the database. Let’s dig into this a little to figure out the differences.

First, a few facts about SQL Server logins, users, principals, schemas, and roles. If you already know this stuff, you can skip down to the next major section:

Logins, users, principals, schemas, and roles, oh my!

1. A login an entity that can gain access to the server. By server, I don’t mean the machine or the web server on the machine, I mean the ‘SQL Server Instance’.

SQL Server security is has two security realms: the server and the database. Logins give you access to the server and they come in two different flavors: Windows Authentication mode or SQL Server and Windows Authentication mode. Since logins gain access to the server, they also define permissions across the whole server (across multiple databases).

NOTE: Server level permissions like “ALTER ANY CREDENTIAL” AND “VIEW ANY DEFINITION” are the permissions assignable to logins.

2. A user is an entity that can gain access to a database. Users need access to the server before accessing a database, so they are mapped to logins by an SID property that both entities hold. As you can see, the terminology of logins and users should not be used interchangeably: Logins are for security of the server realm and users are for security of the database realm. Thus it’s possible to create orphaned users when they get out of sync with the logins on the server. If you move a database from one server to another, the users in the database will be orphaned until you remap them to valid logins on the other server.

NOTE: Database level permissions like “CREATE TABLE” and “BACKUP DATABASE” are the permissions assignable to users.

3. A principal is any entity that can be granted a permission. Since the logins and users we discussed above can be granted permissions, they are also principals. SQL Server has 6 types of server principals and 7 types of database principals, listed below:

Server Principals Database Principals
S = SQL login S = SQL user
U = Windows login U = Windows user
G = Windows group G = Windows group
R = Server role A = Application role
C = Login mapped to a certificate C = User mapped to a certificate
K = Login mapped to an asymmetric key K = User mapped to an asymmetric key
R = Database role

4. A schema is simply container of objects, such as tables, views, stored procedures, etc.

5. A role is a security principal that groups other principals. SQL Server provides nine fixed server roles, such as sysadmin and serveradmin.

Back to ArcSDE

Now that you know the very basics on SQL Server Security, let’s get back to your choice of setting up an SDE Schema geodatabase or a DBO Schema geodatabase.

SDE or DBO Selection

Multiple versus Single

In the screenshot above you’ll see that the SDE Schema can support a multiple spatial database instance, DBO does not, and multiple is better, right? Well, not so fast…

Beginning with version 9, ArcSDE started supporting both multiple and single models (prior to 9, you could only use multiple). Now that ArcSDE supports a single database model, the multiple model (though still supported) has been deprecated.

What’s the difference between them? In the multiple database model, the ArcSDE Admin’s user schema would sit in its own database called SDE. Meanwhile, user-defined data, like feature classes, raster tables, and nonspatial tables, would reside in other databases. It’s called a multiple model because multiple SQL Server databases are used to make one ArcSDE geodatabase. The single model puts everything in one database.

Note that you can still have multiple geodatabases on the same machine even if you opt for the (recommended) single model. SQL Server supports multiple databases within a single SQL Server instance. If you want to create more than one geodatabase when using the single spatial database model, just create them as separate SQL Server databases. Use the ArcSDE post installation wizard to create each one. (Run it multiple times.)

SDE versus DBO Ownership


If you create an SDE Schema geodatabase, it’s going to be owned by a user named “sde”. If you create a DBO Schema geodatabase, it’s going to be owned by the “dbo” user that ships with SQL Server. There’s no difference in the performance or functionality between the two types of geodatabase schemas, but they do have different security implications. Your choice is going to depend on how you administer databases.

DBO

If your server is not configured to support “SQL Server and Windows Authentication mode”, a Windows account named “sde” will be required to login as “sde”. The sde user can login as a Windows user or a SQL Server user, but only if mixed-mode authentication is turned on. Some people don’t want mixed-mode enabled. For them, DBO is easier to setup: no dedicated Windows account required.

Another reason to use DBO is that multiple Windows logins can map to the dbo user. You can make any user an SDE admin by adding them to the sysadmin or db_owner role. Each admin will have permission to perform ArcSDE tasks such as compress, and with Windows authentication, they can use their standard network username and password to do it. People tend to write down the sde password if they don’t use it everyday. Reusing Windows credentials can be more secure.

SDE

If the server needs to restrict SDE administrators to certain databases and not others, an SDE Schema will provide that. Unlike the dbo user, which usually has server-wide access to all databases, the sde user can be restricted to just a handful of permissions within a specific database. Thus, the SDE administrator for an SDE Schema geodatabase can be someone without the sysadmin or db_owner role. If you don’t want wide-spread permissions for geodatabase admins, use SDE Schema. The POST installation wizard will give “sde” only the minimum permissions it needs.

Well, that’s a LOT of words to explain one small configuration, but it’s an important choice with security implications you won’t know unless you understand both ArcSDE and SQL Server security. Hopefully you understand them now. Good luck!

28.02.2012 Design and Development, Technical Stuff No Comments

Setup Visual Studio 2010 Remote Debugging – Step by Step

Every Visual Studio developer has probably come across the need of Remote Debugging at some point during development. I too faced that situation, and found only a few (not entirely helpful) references via Google.

Since I’ve spent the last few days on this issue, and Remote Debugging now works in my environment, I thought it best to document the process. Here’s a step-by-step approach to help someone in need.

Steps to enable remote debugging on a local machine:

  1. Create a local user account with administrator privileges. (e.g. rmdbgr/pwd123)
  2. Share the web application directory (e.g. Foo.Bar) with full control as accessible from the remote machine.
  3. Enable the custom web server option in web application properties (which is below “Web” tab).

Steps to enable remote debugging on a remote machine:

  1. Setup the required development environment. (IIS, .NET Framework, ASP.NET, etc.)
  2. Install the Microsoft Visual Studio 2010 Remote Debugger.
  3. Create an administrator user account on the remote machine with the same username and password. (e.g. rmdbgr/pwd123)
  4. Go to services.msc and start the “Visual Studio 10 Remote Debugger” service with rmdbgr user.
  5. Create an IIS7 virtual directory for the shared web application which is in the local machine.

Start remote debugging:

  1. Run the VS2010 IDE on the local machine as rmdbgr user.
  2. Open the solution and run the project in debug mode.

Possible issues and troubleshooting:

  • If the “The network BIOS command limit has been reached.” error arises, check out this article: http://support.microsoft.com/kb/810886
  • If any security error arises, try disabling the firewall on both machines and try again.
12.02.2012 ArcGIS, GIS, Technical Stuff No Comments

ArcGIS Server Subdomain Configurations

Let’s suppose you install ArcGIS Server on machine “foobar1″ and it serves out tiles from http://foobar1/arcgisoutput/.

Secondly, you have a subdomain that points to this machine and you want ArcGIS server to respond accordingly:

gisstuff.example.net --> ROUTES TO ------------> foorbar1
ArcGIS Server ---------> STILL RESPONDS WITH --> foorbar1 ???

Here, the ArcGIS website is getting requests through the subdomain. (Your router takes care of that) However, the ArcGIS HTTP responses do not point to the right address. They are still pointing to the machine itself without “knowing” of the router’s configuration.

http://foobar1/arcgisoutput/ --> IS RETURNED, INSTEAD OF --> http://gisstuff.example.com/arcgisoutput/

For this problem, (or any other reason you need to control the response URLs) look in ArcGIS Server’s configuration file at \server\system\Server.dat (Windows OS)

The Server.dat file maintains the server’s properties. The server object manager (SOM) reads the contents of this file at its startup and is configured accordingly … Be sure to restart the SOM service after editing this file.

For more info, see the web help HERE and HERE. There’s a lot you can configure with ArcGIS Server, you just have to know where to go. Good luck!

18.11.2011 Information Technology, News, Technical Stuff No Comments

Smart Pen Demonstration

Here’s a Smart Pen demonstration for collecting field data. This is a custom app we designed for a specific utility data workflow, but the application is readily configurable to use in other industries.

20.07.2011 ArcGIS, GIS, Technical Stuff 1 Comment

Warning: Can’t edit versioned workspace, check that you have proper permissions on the version.

This is the message we started seeing after an ArcMap crash today.

Warning: Can't edit versioned workspace, check that you have proper permissions on the version.

I’m sure there’s more than one trigger for it, but in our case, ArcMap did not release a table from ArcSDE load only mode. We verified this with the following SQL statement; it prints all the Oracle tables in load only mode:

-- Lists all Oracle tables that are in load only mode
SELECT a.owner OWNER,
  a.TABLE_NAME TABLE_NAME
FROM sde.table_registry a,
  sde.layers b
WHERE BITAND(b.eflags,1074790400)  = 1074790400
AND a.owner                        = b.owner
AND a.TABLE_NAME                   = b.TABLE_NAME;

Once you know which tables are in load only mode, use sdelayer on the command line to change them. You can also use sdelayer to get the current mode of a table (in lieu of the SQL above).

REM Describe the current mode for a featureclass/table
REM See http://help.arcgis.com/en/geodatabase/10.0/admin_cmds/support_files/datamgmt/sdelayer.htm
sdelayer -o describe -l {owner.featureclass,shape} -u myUserName  -p myPassword

REM Change the mode for a featureclass/table.
sdelayer -o {load_only_io | normal_io} -l owner.featureclass,shape -u myUserName -p myPassword

Good luck!

See also: http://support.esri.com/en/knowledgebase/techarticles/detail/35676

18.07.2011 Design and Development, Technical Stuff No Comments

Where is Microsoft.Expression.Interactions?


Is your project missing a reference to Microsoft.Expression.Interactions or System.Windows.Interactivity?

Download and install the Microsoft Expression Blend SDK for Silverlight 4. It’s in there.

27.06.2011 Design and Development, Technical Stuff No Comments

Xcode 4 Installed – Okay, How do you start it?


Quick tip:

When you installed Xcode 4, you might have expected it to show up in the Places > Applications folder. It doesn’t – At least not by default.

Xcode is installed in Devices > Macintosh HD > Developer > Applications … assuming that your main partition is named “Macintosh HD” and you accepted the default installation parameters.

read more