Operation

Administrative Access

Using security.manager NEXT requires administrative privileges to sign in to ArcGIS Enterprise. This can be achieved either by assigning a user to the default role Administrator in ArcGIS Enterprise portal. Or, if you want to keep the granted rights to a minimum, define a custom role in the portal and assign the following privileges to it:

10.7.x and 10.8.0

Grant one of the Administrative Privileges. The custom role can be tailored to the specific needs, as long as one administrative privilege is given.

10.8.1 and higher

Grant the administrative privilege Servers.

The user working with security.manager NEXT has to be assigned to the custom role.

ArcGIS Server Memory Settings

Activating security.manager NEXT on an ArcGIS Server service increases the memory footprint of the corresponding SOC process. The amount of additional memory required depends on the size of data the service delivers as well as the actual security policy defined within security.manager NEXT. For example, the enforcement of more complex spatial filter geometries may require more memory.

To prevent request processing errors caused by the lack of memory, the security.manager NEXT CLI as well as the Manager UI check the amount of memory that is available to a service when activating the security.manager NEXT SOI for a service. For dedicated instances, the javaHeapSize property value of the service itself is checked as it determines the maximal available memory for that service. This is different for shared instances, where the javaHeapSize property of the "DynamicMappingHost" service (located in the System services folder) specifies how much memory an instance of the shared instance pool can use at most.

In either case, if it is not defined yet, security.manager NEXT sets the value to 256 MB. This ensures that the SOI will have enough memory available in most cases. If javaHeapSize is already defined, security.manager NEXT will leave the value untouched, even if it has a lower value.

Setting javaHeapSize on a service overrides the default that is defined for an ArcGIS Server machine ("SOC maximum heap size"). This is usually set to 64 MB.

Please note that the effective maximal amount of memory a service or the instance pool may consume multiplies with the number of maximal instances defined.

Allow Offline Editing

By default security.manager NEXT blocks replica-related operations on protected feature services. These operations are used to create local copies of data for offline use.

To allow replication of feature layer data, you have to enable the sync capability on the feature service. Additionally, you need to activate support for replica-related operations in the security.manager NEXT. You can activate replica support either

Limitations on Replica Support

Please note the following restrictions when defining permissions for sync-enabled feature layers:

  • When editing features of a replicated data set those permissions apply, that were defined when the replica was created.

  • When synchronizing a replica, changes in permissions, that were made after the replica was created, have no effect.

  • If you want to prevent synchronization of existing replicas, an ArcGIS Server Administrator has to delete them on the server.

In order to select data to be loaded into Collector for ArcGIS the user must have access to all layers of the regarding web map. Create a custom web map for each group of users if the set of accessible layers varies between groups.

Important:

  • Field restrictions on replicated data sets are not supported. In case a field restriction is defined in the corresponding policy, replica creation is disabled.

  • Replicas containing data of layers or tables that are part of an n-to-m relationship may expose data ignoring access restrictions you defined on the related data. Users might be able to modify data they are not supposed to have access to. As a consequence, you should refrain from publishing data with n-to-m relationships if it is intended to be used in Collector for ArcGIS.