Sharing in ArcGIS Enterprise

The enforcement of policies defined with security.manager NEXT builds upon the concept of sharing items (especially services) in ArcGIS Enterprise.

In ArcGIS Enterprise portal and ArcGIS Server Manager you can share items such as services with different audiences:

  • "Everyone": allows access without signing in.

  • Organization: allows access for all users who are signed in to the portal organization.

  • Specific groups: allows access for all users who are signed in and assigned to at least one of the selected groups.

As soon as security.manager NEXT is activated, you can implement more fine-grained access control: you grant permissions to a portal group by referencing its ID as a "role" in a policy. Whether a policy is enforced for a request therefore depends on the user's login state and group assignments.

security.manager NEXT defines two additional roles you can use alongside the existing portal group IDs when writing policies. They allow assigning permissions to all users (anonymous users included) and to all signed-in users.

Shared in ArcGIS Enterprise with…   security.manager NEXT role name   Policy applies to…
----------------------------------  --------------------------------  -----------------------------------------------
"Everyone"                          enhancedSecurity_any              Every user, including anonymous users
Organization                        enhancedSecurity_authenticated    Every user signed in to the portal organization
Specific portal group               Portal group ID                   Users assigned to the group

If an item in ArcGIS Enterprise is shared with "Everyone" and with a specific group at the same time, ArcGIS Enterprise grants access to the item without restriction, because the "Everyone" share is active.

This can cause unexpected effects in some clients: any user may be treated as anonymous, even when properly signed in, so security.manager NEXT may be unable to identify and authenticate the signed-in user.

It is therefore recommended not to combine "Everyone" with any other share status, and to control permissions on items shared with "Everyone" through the role enhancedSecurity_any.
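The following added example models the role semantics of the table above and the "Everyone" mixing caveat as a small Python check. It is not code from security.manager NEXT or its documentation; the User and Item types, the share-status labels ("everyone", "organization") and the lint function are assumptions made for illustration, since the page does not describe the product's actual policy syntax.

```python
"""
Role resolution for policies modelled on the table above, plus a lint
for the "Everyone" + group share mix the page warns about.

Assumptions (not from the page): the User/Item data classes, the
share-status labels and the lint function are illustrative only.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

# Role names taken from the page; any other role in a policy is a portal group ID.
ROLE_ANY = "enhancedSecurity_any"
ROLE_AUTHENTICATED = "enhancedSecurity_authenticated"

# Assumed labels for the share statuses of ArcGIS Enterprise items.
SHARE_EVERYONE = "everyone"
SHARE_ORGANIZATION = "organization"


@dataclass(frozen=True)
class User:
    """Subject of a request. username=None models an anonymous user."""
    username: Optional[str] = None
    groups: FrozenSet[str] = field(default_factory=frozenset)

    @property
    def signed_in(self) -> bool:
        return self.username is not None


def roles_for(user: User) -> FrozenSet[str]:
    """Roles a user carries when a policy is evaluated.

    Every user (anonymous included) has enhancedSecurity_any; signed-in
    users additionally get enhancedSecurity_authenticated and the IDs of
    the portal groups they are assigned to.
    """
    roles = {ROLE_ANY}
    if user.signed_in:
        roles.add(ROLE_AUTHENTICATED)
        roles |= user.groups
    return frozenset(roles)


def role_applies(role: str, user: User) -> bool:
    """True if a policy written for `role` covers this user."""
    return role in roles_for(user)


def role_for_share_status(status: str) -> str:
    """Map an item's share status to the role a policy should reference."""
    if status == SHARE_EVERYONE:
        return ROLE_ANY
    if status == SHARE_ORGANIZATION:
        return ROLE_AUTHENTICATED
    return status  # a specific portal group: its ID is the role


@dataclass(frozen=True)
class Item:
    """An ArcGIS Enterprise item and the audiences it is shared with."""
    name: str
    shared_with: FrozenSet[str]


def lint_item(item: Item) -> List[str]:
    """Flag items shared with "Everyone" and any other status at the same time.

    Per the page, the "Everyone" share then wins and signed-in users may be
    treated as anonymous, so such items should be controlled via
    enhancedSecurity_any only.
    """
    findings: List[str] = []
    if SHARE_EVERYONE in item.shared_with and len(item.shared_with) > 1:
        others = sorted(item.shared_with - {SHARE_EVERYONE})
        findings.append(
            f"{item.name}: shared with Everyone and {others}; "
            f"remove the extra shares and use {ROLE_ANY} in the policy"
        )
    return findings


def lint_items(items: List[Item]) -> List[str]:
    """Run the lint over a list of items and collect all findings."""
    return [f for item in items for f in lint_item(item)]


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    anon = User()
    alice = User("alice", frozenset({"group-42"}))
    print(sorted(roles_for(anon)), sorted(roles_for(alice)))
    sample = [
        Item("public_map", frozenset({SHARE_EVERYONE})),
        Item("mixed_service", frozenset({SHARE_EVERYONE, "group-42"})),
        Item("org_service", frozenset({SHARE_ORGANIZATION})),
    ]
    for finding in lint_items(sample):
        print(finding)
```

Run it to see that only the mixed item is reported; `roles_for` shows why a policy referencing a portal group ID never applies to an anonymous request, while one referencing enhancedSecurity_any applies to everyone.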