Administration of Protected Services

Services to be protected by security.manager are created and managed in the tab > Protected Services of the Administrator.

overview en

The columns of the table contain the following information:

Name

The name of the service issued by the Administrator for this service. The name is incorporated in the URL generated by security.manager for the service.

Active

States whether the service is active (usable) or inactive (inaccessible).

Type

Type of service (WMS, WMTS, WFS, WFS-T, WCS, ARCGIS-SERVER, URL, INSPIRE View Service, INSPIRE Feature Download Service).

Whenever a service is hosted on an ArcGIS Server, select the ARCGIS-SERVER option, even if other service types from the list shall be protected. Otherwise, not all functionalities that are implemented for ArcGIS Server based services can be used.
Service URL to protect

URL of the service to be protected.

security.manager is not able to prevent direct access to this URL. It is up to the Administrator to provide this protection. For further information, see Protecting against direct access.
Authentication Methods

The methods of authentication configured for this protected service (WSS, httpauth, guest, saml, sso, token, agstoken).

Group

The name of the group to which this protected service belongs. Users of this group that are assigned to one of the roles sM_Administrator or sM_GroupAdministrator can edit this protected service.

Changed by

Name of the user performing the most recent change to this protected service.

Changed at

Timestamp of the most recent change.

Creating a New Protected Service

To add a new protected service, click Protected Services > Create.

create 1 en

The following settings can be made:

Name

The name of the service issued by the Administrator for this service. The name is incorporated in the URL generated by security.manager for the service.

Active

Select or clear this box to activate or suspend the service. If the checkbox is empty, the service configuration and associated rights still exist, but no access is possible.

Description

A description of the service.

Type

The service type. The available choices are: WMS, WMTS, WFS, WFS-T, WCS, ARCGIS-SERVER and URL.

Whenever a service is hosted on an ArcGIS Server, the ARCGIS-SERVER option should be selected, even if other service types from the list shall be protected. Otherwise, not all functionalities that are implemented for ArcGIS Server based services can be used.
Service URL to protect

This is the URL where the protected service can be accessed.

Authentication Methods

security.manager supports various types of authentication. The individual methods are activated or deactivated using the appropriate checkboxes.

create 2 en
XtraServer security Integration

If the selected service type is "WFS" or "WMS", the checkbox "XtraServer security integration" appears at the bottom of the view. See also Fine grained security control on interactive instruments XtraServer WFS.

Username / Password

If authentication is required to access a service to be protected, enter the username and password of a user who has access to the service. security.manager then uses HTTP Basic Authentication by default to authenticate itself to the service to be protected with the specified login information.

Use ArcGIS Token Authentication

If the service to be protected is an ArcGIS server, you can use this option to specify that security.manager uses ArcGIS Token Authentication instead of HTTP Basic Authentication to authenticate to the ArcGIS server (or to Portal for ArcGIS if Server and Portal are federated) using the login information specified preceding. This mechanism allows security.manager to secure ArcGIS Server services that are not public.

create 3 en
Server Key

Server Key generated by Portal for ArcGIS during the federation process. For more information, see Single Sign-On with Portal for ArcGIS and ArcGIS Online.

Editing Protected Services

To edit the settings for a protected service, click the corresponding service name in the Protected Services tab. The name of a protected service cannot be changed.

Changes to the ServiceURL to protect render any policy models generated for this service ineffective, because they cannot be linked to the protected service any more.

In addition to the properties available when creating a protected service, the following information is displayed:

edit en
  • The group to which this protected service is assigned

  • User and date of creation

  • User and date of last change

  • Links to assigned policy sets

The buttons at the end of the dialog allow you to:

  • save the changes made to this protected service

  • delete this service (note that the relevant policy sets are retained)

  • create a gate to this service (see Administration of gateways)

  • return to the previous dialog.

Fine grained security control on interactive instruments XtraServer WFS

security.manager and interactive instruments' XtraServer WFS and WMS implementation allow for a more tightly coupled security solution. If you are running an interactive instruments XtraServer behind a security.manager instance, mark the associated protected service to utilize XtraServer’s advanced security features. When activated, the XtraServer specific operations "access" and "dereference" are authorized by XtraServer itself rather than doing this by security.manager. Filter expression obligations are also authorized by XtraServer instead of security.manager. In effect this implies XtraServer communicates with security.manager PDP (Policy Decision Point) and HTTP traffic basically passes security.manager untouched.

Additional information about this topic can be found in the XtraServer documentation.

Access for Group Administrators

Besides normal administrators also group administrators are allowed to access the Protected Services tab in the Administration application. However, only those services that belong to the group administrator’s group are displayed.

groupadmin en