Bug: When revoking select privileges on a versioned feature class, the select privileges are not revoked from the versioned table's adds and deletes tables
When revoking privileges on a versioned feature class, the select privileges are not revoked from the versioned table's adds and deletes tables.
Even though the privileges are not revoked from the adds and deletes tables, users will not be able to select or edit the versioned table with ArcGIS. However, the users will continue to have access to the tables directly with SQL. This may be considered a security risk.
The cause of the problem resides in the ArcSDE function, which revokes privileges from objects. The adds and deletes tables are mistakenly skipped when privileges are revoked.
Explicitly revoke privileges on the versioned classes adds and deletes table using SQL or the DBMS's administration utilities.
For example, in Oracle, to revoke the privileges on a versioned tables adds and deletes table, one must first identify the table's registration_id and then revoke the privilege.
- Identify the versioned table's registration_id value in SQL*Plus. In the following example, the versioned table is named gas_mains.
SQL> SELECT registration_id FROM sde.table_registry WHERE table_name = 'GAS_MAINS';
- Explicitly revoke the SELECT privilege from the adds and deletes tables for the given user.
SQL> REVOKE SELECT ON a45 FROM brent;
SQL> REVOKE SELECT ON d45 FROM brent;