English

Bug: ArcGIS explicitly grants privileges on the st_geometry domain index object in Oracle

Description

Granting privileges on feature classes stored with st_geometry in Oracle through ArcGIS or the ArcSDE command sdetable -o grant explicitly grants privileges on the st_geometry attribute's domain index (spatial index).

When granting privileges on tables with st_geometry attributes in Oracle that have a spatial index, the privileges on the domain index object, which are not necessary and can allow users direct access to the object, are granted.

Code:
D:\>sdetable -o grant -t streets -U editors -A SELECT,UPDATE,INSERT,DELETE -i sde:orac
le10g

ArcSDE 9.3.1 for Oracle10g Build 333 Tue May 5 12:00:43 2009
Attribute Administration Utility
-----------------------------------------------------
Permissions successfully granted on table streets.


Checking what privileges have been granted in Oracle as the data owner shows those privileges have also been granted on the domain index.

Code:
SQL> SELECT table_name, grantee, privilege FROM user_tab_privs_made ORDER BY table_name;

TABLE_NAME GRANTEE PRIVILEGE
---------- ------- ---------
...
S88_IDX$ EDITORS DELETE
S88_IDX$ EDITORS SELECT
S88_IDX$ EDITORS INSERT
S88_IDX$ EDITORS UPDATE
...

Cause

Internally, the ArcSDE process is mistakenly granting the privileges on the domain index object.

Workaround

If this is an issue for one's organization, to work around the issue, grant privileges on tables with st_geometry objects and spatial indexes by way of SQL.

Code:
SQL> GRANT ALL ON streets TO editors;

Grant succeeded.