Privileges for using ArcGIS with a PostgreSQL database

Privileges determine what a user is authorized to do with the data and the database. Assign privileges based on the type of work the person does within the organization.

As a PostgreSQL database administrator, you create group roles based on what people need to do in the database, grant privileges to the group roles, and add individual login roles to each group role. The table below lists the minimum required privileges for common types of database users for which you would create group roles: data viewers, data editors, and data creators.

Note that these privileges apply to using ArcGIS with a PostgreSQL database and supported PostgreSQL database service offerings. If you need to know the privileges required to use a geodatabase, see Privileges for geodatabases in PostgreSQL.

The following table lists three groups of users and the minimum privileges they require to query, edit, or create data from ArcGIS.

Type of userRequired privilegesPurpose

Data viewer

CONNECT

This privilege allows you to connect to the database.

The CONNECT database privilege is granted to the public role by default. If you revoke CONNECT from public, you must explicitly grant it on specific databases to all roles that need to connect to that database.

USAGE on schemas that contain data to which data viewers need access

This privilege allows access to data in specific schemas.

If your database uses the PostGIS geometry type for spatial data storage, roles require SELECT privileges on the PostGIS spatial_ref_sys table and the geometry_columns view.

These privileges are required to read PostGIS geometry columns.

If your database uses the PostGIS geography type for spatial data storage, roles require SELECT privileges on the PostGIS spatial_ref_sys table and the geography_columns view.

These privileges are required to read PostGIS geography columns.

SELECT on specific datasets

This allows viewers access to specific tables and feature classes in the schemas to which they have access.

Data editor*

Data editors require the same privileges as data viewers, plus these additional privileges.

INSERT, UPDATE, and DELETE on specific datasets

You can grant any combination of INSERT, UPDATE, and DELETE privileges depending on what editors need to do. Therefore, you might create multiple group roles and grant the appropriate privileges to each. For example, you might have a full_edit group role that has all three privileges plus SELECT on the tables group members need to edit and an updates_only group role that has only SELECT and UPDATE privileges on the tables members need to edit.

Data creator

Data creators require the same privileges as data viewers plus this additional privilege.

Each login role that creates data requires AUTHORIZATION on its own schema. Note that the schema name must match the login role name and that group roles cannot share a schema.

AUTHORIZATION ensures that all the objects created in the schema are owned by that user.

*To edit data, publish editable feature service layers that reference the data in your PostgreSQL database.