Error “Failed to create features. Insufficient permissions”

Error Message

While making edits on a feature class with a domain user that is part of multiple Active Directory groups, the following error is returned:

Failed to create features. Insufficient permissions

Active Directory authentication enables domain-joined clients on either Windows or Linux to authenticate to SQL Server using their domain credentials.

Active Directory authentication has the following advantages over SQL Server authentication:

• Users authenticate via single sign-on, without being prompted for a password.
• By creating log-ins for Active Directory groups, you can manage access and permissions in SQL Server using Active Directory group memberships.
• Each user has a single identity across your organization, so you don't have to keep track of which SQL Server logins correspond to which people.
• Active Directory enables you to enforce a centralized password policy across your organization.

Because of all these advantages, the organization creates multiple Active Directory groups where the domain credentials of each individual member could be added in multiple Active Directory groups.

When multiple Active Directory groups are user-mapped with a SQL Server enterprise geodatabase, along with the stand-alone login of domain users which are user-mapped with SQL Server enterprise geodatabase, there is a possibility that all Active Directory groups and standalone log-ins would be assigned with different set of permissions on the geodatabase.

If there is a domain user that is part of multiple Active Directory groups, then the domain account would be assigned with a different set of permissions on the geodatabase.

Cause

As the same domain user is added to multiple Active Directory groups, and as each Active Directory group is being assigned with different set of permissions, along with the stand-alone log-ins of domain users, ArcGIS Pro or ArcMap cannot determine from which Active Directory group / domain user the permissions should be inherited.

Solution or Workaround

The best solution for this problem is to make sure that one domain user is not a part of multiple Active Directory groups and the stand-alone logins of domain users are not added to active directory groups.