Administration of Protected Services

Services to be protected by security.manager are created and managed in the Protected Services tab of the Administrator.


The columns of the table contain the following information:

Name

The name of the service issued by the Administrator for this service. The name is incorporated in the URL generated by security.manager for the service.

Active

States whether the service is active (usable) or inactive (inaccessible).

Type

Type of service (WMS, WMTS, WFS, WFS-T, WCS, ARCGIS-SERVER, URL, INSPIRE View Service, INSPIRE Feature Download Service).

Whenever a service is hosted on an ArcGIS Server, select the ARCGIS-SERVER option, even if other service types from the list are to be protected. Otherwise, not all functionalities that are implemented for ArcGIS Server based services can be used.

Service URL to protect

Base URL of the service to be protected.

security.manager is not able to prevent direct access to this URL. It is up to the Administrator to provide this protection. For further information, see Protecting against direct access.

Authentication Methods

The methods of authentication configured for this protected service (WSS, httpauth, guest, saml, sso, token, agstoken).

Group

The name of the group to which this protected service belongs. Users of this group that are assigned to one of the roles sM_Administrator or sM_GroupAdministrator can edit this protected service.

Changed by

Name of the user performing the most recent change to this protected service.

Changed at

Timestamp of the most recent change.
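
One way to detect requests that reach the Service URL to protect without passing through security.manager, as an added example that is not part of the security.manager documentation. It assumes the backend writes Combined Log Format access logs and that the address security.manager connects from is known; the address, path prefix and log lines below are constructed placeholders.

```python
import ipaddress
import re

# Assumption: addresses security.manager uses to reach the backend (placeholder).
SECURITY_MANAGER_SOURCES = [ipaddress.ip_network("10.20.0.15/32")]
# Assumption: path part of the configured "Service URL to protect" (placeholder).
PROTECTED_PREFIX = "/arcgis/rest/services/Parcels/MapServer"

# Combined Log Format: client, identity, user, [time], "METHOD path proto", status, size
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines, not taken from a real system.
SAMPLE_LOG = """\
10.20.0.15 - svc_sm [12/Mar/2024:10:01:07 +0000] "GET /arcgis/rest/services/Parcels/MapServer?f=json HTTP/1.1" 200 5120
192.0.2.44 - - [12/Mar/2024:10:02:31 +0000] "GET /arcgis/rest/services/Parcels/MapServer/0/query?where=1%3D1 HTTP/1.1" 200 88231
192.0.2.44 - - [12/Mar/2024:10:02:40 +0000] "GET /arcgis/rest/services/Parcels/MapServer/export?bbox=0,0,1,1 HTTP/1.1" 200 40112
198.51.100.7 - - [12/Mar/2024:10:05:12 +0000] "GET /arcgis/rest/services/Parcels/MapServer HTTP/1.1" 403 312
203.0.113.9 - - [12/Mar/2024:10:06:00 +0000] "GET /favicon.ico HTTP/1.1" 404 0
not a log line
"""

def is_trusted(client: str) -> bool:
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return False  # hostname or garbage in the client field: treat as untrusted
    return any(addr in net for net in SECURITY_MANAGER_SOURCES)

def find_direct_access(log_text: str):
    """Return (findings, unparsed) for requests that bypassed security.manager."""
    findings, unparsed = [], 0
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            unparsed += 1  # count unparsed lines so coverage gaps are visible
            continue
        path = m["path"].split("?", 1)[0]
        if not (path == PROTECTED_PREFIX or path.startswith(PROTECTED_PREFIX + "/")):
            continue  # request is for something other than the protected service
        if not is_trusted(m["client"]):
            # served=True means the backend answered a direct request with data
            findings.append({"client": m["client"], "time": m["time"], "path": path,
                             "served": m["status"].startswith("2")})
    return findings, unparsed
```

A finding with `served` set to true means the backend returned data to a client that never passed a security.manager policy decision, so the network or web server restriction on the Service URL is missing or incomplete.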

Creating a New Protected Service

To add a new protected service, click Protected Services > Create.


The following settings can be made:

Name

The name of the service issued by the Administrator for this service. The name is incorporated in the URL generated by security.manager for the service.

Active

Select or clear this box to activate or suspend the service. If the checkbox is empty, the service configuration and associated rights still exist, but no access is possible.

Description

A description of the service.

Type

The service type. The available choices are: WMS, WMTS, WFS, WFS-T, WCS, ARCGIS-SERVER and URL.

Whenever a service is hosted on an ArcGIS Server, the ARCGIS-SERVER option should be selected, even if other service types from the list are to be protected. Otherwise, not all functionalities that are implemented for ArcGIS Server based services can be used.

Service URL to protect

This is the base URL where the unprotected service can be accessed.

Ensure that the Service URL is valid and accessible to security.manager. For example, the URL must not point to a sub-resource of the selected service. Otherwise, requests to the protected service will fail.

Authentication Methods

security.manager supports various types of authentication. The individual methods are activated or deactivated using the appropriate checkboxes.

XtraServer security Integration

If the selected service type is "WFS" or "WMS", the checkbox "XtraServer security integration" appears at the bottom of the view. See also Fine grained security control on interactive instruments XtraServer WFS.

Username / Password

If authentication is required to access a service to be protected, enter the username and password of a user who has access to the service. security.manager then uses HTTP Basic Authentication by default to authenticate itself to the service to be protected with the specified login information.

Use ArcGIS Token Authentication

If the service to be protected is an ArcGIS server, you can use this option to specify that security.manager uses ArcGIS Token Authentication instead of HTTP Basic Authentication to authenticate to the ArcGIS server (or to Portal for ArcGIS if Server and Portal are federated) using the login information specified above. This mechanism allows security.manager to secure ArcGIS Server services that are not public.

Server Key

Server Key generated by Portal for ArcGIS during the federation process. For more information, see Single Sign-On with Portal for ArcGIS and ArcGIS Online.

Editing Protected Services

To edit the settings for a protected service, click the corresponding service name in the Protected Services tab. The name of a protected service cannot be changed.

Changes to the Service URL to protect render any policy models generated for this service ineffective, because they can no longer be linked to the protected service.

In addition to the properties available when creating a protected service, the following information is displayed:

  • The group to which this protected service is assigned

  • User and date of creation

  • User and date of last change

  • Links to assigned policy sets

The buttons at the end of the dialog allow you to:

  • save the changes made to this protected service

  • delete this service (note that the relevant policy sets are retained)

  • create a gate to this service (see Administration of gateways)

  • return to the previous dialog.

Fine grained security control on interactive instruments XtraServer WFS

security.manager and interactive instruments' XtraServer WFS and WMS implementations allow for a more tightly coupled security solution. If you are running an interactive instruments XtraServer behind a security.manager instance, mark the associated protected service to utilize XtraServer's advanced security features. When activated, the XtraServer-specific operations "access" and "dereference" are authorized by XtraServer itself rather than by security.manager. Filter expression obligations are also authorized by XtraServer instead of security.manager. In effect, XtraServer communicates with the security.manager PDP (Policy Decision Point), and HTTP traffic passes through security.manager essentially untouched.

Additional information about this topic can be found in the XtraServer documentation.

Access for Group Administrators

In addition to normal administrators, group administrators are also allowed to access the Protected Services tab in the Administration application. However, only those services that belong to the group administrator's group are displayed.
