Authentication for Save State Service
The default security mode of the Save State Service is the anonymous mode. In this mode, all app states are public, and it is not possible to restrict an app state to specific users. It is configured via the property security.mode and the value NONE.
security.mode=NONE
Controlling app state security with user roles
Every user logged in to map.apps is assigned certain roles. You can assign these roles in the user management system or the identity provider (e.g. Keycloak or con terra security.manager) that is connected with map.apps.
In the map.apps configuration file, the security.user.admin.roles property sets the roles that map.apps interprets as administrator roles.
The property’s default value is maAdmin.
So map.apps considers all users having the role maAdmin to be administrative users, who are allowed to create, view, edit, and delete apps.
The Save State Service implements the same concept for app states.
Define the role for administrative users of the Save State Service
To define the role for administrative users of the Save State Service, you can set the following property in the application.properties file of the Save State Service:
savestate.admin.role=maAdmin
In this example, users having the maAdmin role have full access to all app states, that is, they can create, view, edit, and delete any app state.
The property’s default value is also maAdmin. So by default, users having administrative permissions in map.apps are also administrators of the Save State Service.
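The following check is an added example, not part of the product or its documentation. It flags a Save State Service left in anonymous mode and an administrator role that is not one of the map.apps administrator roles. It assumes that both files use Java .properties syntax and that security.user.admin.roles is a comma-separated list; the role name gisOps and the sample file contents are constructed.

```python
# Added example: audit Save State Service settings against map.apps settings.
# Assumptions: both files use Java .properties syntax, and
# security.user.admin.roles holds a comma-separated list of role names.

DEFAULT_ADMIN_ROLE = "maAdmin"  # default value stated in the documentation


def parse_properties(text):
    """Parse simple key=value / key:value lines, skipping comments and blanks."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Split on the first '=' or ':' separator, whichever comes first.
        idx = min((i for i in (line.find("="), line.find(":")) if i != -1), default=-1)
        if idx == -1:
            continue
        props[line[:idx].strip()] = line[idx + 1:].strip()
    return props


def audit(savestate_text, mapapps_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    ss = parse_properties(savestate_text)
    ma = parse_properties(mapapps_text)
    findings = []
    # Anonymous mode is the default, so a missing key is treated like NONE.
    mode = ss.get("security.mode", "NONE")
    if mode.upper() == "NONE":
        findings.append("anonymous mode (security.mode=NONE or unset): all app states are public")
    # Both properties default to maAdmin when they are not set.
    ss_admin = ss.get("savestate.admin.role", DEFAULT_ADMIN_ROLE)
    ma_admins = [r.strip() for r in
                 ma.get("security.user.admin.roles", DEFAULT_ADMIN_ROLE).split(",")]
    if ss_admin not in ma_admins:
        findings.append(
            f"savestate.admin.role '{ss_admin}' is not a map.apps admin role {ma_admins}")
    return findings


# Constructed sample inputs (not taken from a real deployment).
SAVESTATE_SAMPLE = "# application.properties\nsecurity.mode=NONE\nsavestate.admin.role=gisOps\n"
MAPAPPS_SAMPLE = "security.user.admin.roles=maAdmin\n"

if __name__ == "__main__":
    for finding in audit(SAVESTATE_SAMPLE, MAPAPPS_SAMPLE):
        print("FINDING:", finding)
```

A role mismatch is not necessarily a misconfiguration, but it means a different group of users administers app states than administers apps, which is worth confirming.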
Connect Save State Service to an identity provider
To retrieve roles for users, the Save State Service needs to be connected to the same identity provider used by map.apps. The Save State Service is configured analogously to map.apps in the Save State Service application.properties file. Refer to the map.apps documentation for more information.
The following is an overview of how to configure roles with different identity providers.
ArcGIS Enterprise and ArcGIS Online
Roles assigned to users in ArcGIS Enterprise or ArcGIS Online can be mapped to different role names via Identity Service. Relevant documentation: