Is This Content Helpful?
We're glad to know this article was helpful.
When connecting to a geodatabase in SQL Server, certain users are able to see all unregistered tables and views, despite not having been granted SELECT permission to them. However if one of these objects is selected, an error message is returned and the user is unable to see any data or properties of these tables or views. This behavior is present in ArcGIS for Desktop 10.2.1 with Utilities & Telcom Update Patch 5 (UTUP5), 10.4, 10.4.1, and ArcGIS Pro 1.2.
Users created with the Create Database User geoprocessing tool are granted VIEW DEFINITION permission so that they will be able to see a list of other users and roles in User/Role dialog box (accessed from the Privileges dialog box). VIEW DEFINITION permission allows users to see SQL Server database metadata including things like lists of users in that database, and lists of database objects like tables and views.
A fix was made in ArcGIS 10.4 for BUG-0000917818 (to improve performance of connections to large geodatabases for non-DBO users). To improve connection performance, ArcGIS was changed to rely on the database system catalog to filter tables, which is considerably faster than checking permissions on each table in the database. However, users with VIEW DEFINITION permission see the views and tables in the database system catalog tables, even if they do not have access to their contents.
This behavior will be addressed in the next release of ArcGIS. If you are using ArcGIS Pro 1.2, ArcGIS for Desktop 10.4, 10.4.1, or 10.2.1 with UTUP5 and you are experiencing this behavior, you can revoke VIEW DEFINITION permission from the affected user. Be aware that revoking this permission means the user will no longer see a list of available users or roles in the ArcGIS Desktop User/Role dialog box. Object privileges can be managed in this dialog box by manually typing the name of the user or role, but all the available user or role names will not appear in the dialog box.