Hello,
The mystery is continuing.
I found out why everyone is able to create a dataset (but this still does not answer why it is like this). After creating a new geodatabase by postinstallation, the public role of the SQL database is permitted (insert, update, delete, execute) on all tables starting with "GDB_...". So it seems that the SDE postinstallation automatically grants all these permissions to the public role of the geodatabase. In my opinion this is a big mistake. Also, it diverges from the quote of #1 in my first post.
Why is it this way, what can I do against this (except revoking those permissions per table per database)?
And I have a further point to discuss.
7)
I want to use Windows groups instead of single users to access the database. I created three roles (dataViewer, dataEditor, dataCreator) in the geodatabase with the specific permissions they need. Then I also created three Windows groups and added some users. Users participating in the editors or creators group also participate in the viewer group to get the select permissions. In the SQL instance I added the groups as logins and assigned each group the specific database role.
Then I started ArcCatalog from another machine and connected to the database. A user who is only in the viewer group is only able to view (select) contents (and of course create datasets as mentioned above). A user being in the creators group (and also in the viewer group) is able to create datasets and feature classes (but just within datasets they own). Now they were automatically granted permission to edit their data (update, delete, insert). Well, it could make sense that users who create data are also permitted to edit it, but there's nothing in the Esri documentation telling this. The overview of rights for the dataCreator implies (in my mind) that the creator will only be able to create data but not to edit it. Also, I cannot create data in datasets of other users because I am not the owner. Well, I thought a creator is able to create everything and everywhere.... (I know that in ArcCatalog I can change permissions, but this way is extremely uncomfortable for many users.)
The last user, the editor, should just edit data. But he's also allowed to create data like the dataCreator. After I did this I can see in the database that a new user is added to the database (of the logged-in user, not the group) and a schema has also been added. Why is SDE doing this automatically and why is it doing this anyhow? I cannot find this workflow in the Esri documentation. Due to this, the dataEditor and the dataCreator still have the same permissions. That's not normal!
I really hope that someone (also someone from Esri) can explain to me everything or most of my questions. The SDE behavior is very confusing to me.
Thanks a lot.
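An audit query for the two observations in the post above, added here as an example and not part of the original post or of Esri's tooling. It assumes the geodatabase runs on Microsoft SQL Server and that the queries are run inside the geodatabase's database; it only reads catalog views and changes nothing.

```sql
-- Added example (assumption: SQL Server; run in the geodatabase's database).
-- 1) Permissions held by the public role on objects whose name starts with GDB_.
SELECT s.name            AS schema_name,
       o.name            AS object_name,
       o.type_desc       AS object_type,
       p.permission_name,            -- e.g. INSERT, UPDATE, DELETE, EXECUTE
       p.state_desc                  -- GRANT, GRANT_WITH_GRANT_OPTION or DENY
FROM sys.database_permissions AS p
JOIN sys.database_principals  AS pr ON pr.principal_id = p.grantee_principal_id
JOIN sys.objects              AS o  ON o.object_id     = p.major_id
JOIN sys.schemas              AS s  ON s.schema_id     = o.schema_id
WHERE p.class = 1                    -- object- or column-level permission
  AND pr.name = N'public'
  AND o.name LIKE N'GDB[_]%'         -- [_] matches a literal underscore
ORDER BY s.name, o.name, p.permission_name;

-- 2) Windows users and groups known to this database, with creation time
--    and any schema each one owns. A per-user principal that appears next to
--    the group it logged in through shows up here with its own schema.
SELECT pr.name        AS principal_name,
       pr.type_desc   AS principal_type,   -- WINDOWS_USER or WINDOWS_GROUP
       pr.create_date,
       sc.name        AS owned_schema
FROM sys.database_principals AS pr
LEFT JOIN sys.schemas AS sc ON sc.principal_id = pr.principal_id
WHERE pr.type IN ('U', 'G')          -- U = Windows user, G = Windows group
ORDER BY pr.create_date, pr.name;

-- 3) Database role membership of those same principals, to compare what the
--    dataViewer / dataEditor / dataCreator roles grant with what is observed.
SELECT r.name AS role_name,
       m.name AS member_name,
       m.type_desc AS member_type
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.type IN ('U', 'G')
ORDER BY r.name, m.name;
```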