Operation
Administrative Access
Using security.manager NEXT requires administrative privileges to sign in to ArcGIS Enterprise. This can be achieved either by assigning a user to the default role Administrator in ArcGIS Enterprise portal. Or, if you want to keep the granted rights to a minimum, define a custom role in the portal and assign the following privileges to it:
- 10.7.x and 10.8.0
-
Grant one of the Administrative Privileges. The custom role can be tailored to the specific needs, as long as one administrative privilege is given.
- 10.8.1 and higher
-
Grant the administrative privilege Servers.
The user working with security.manager NEXT has to be assigned to the custom role.
It is possible that data (e.g. layer information) from a secured service cannot be displayed to you inside the Policy Explorer of the security.manager NEXT Manager UI. Instead, an indication that administrator privileges are missing is shown, although the privileges have been set recently before. In this case, please wait a few minutes until the current roles have been processed by the security.manager NEXT and then try again. |
ArcGIS Server Memory Settings
Activating security.manager NEXT on an ArcGIS Server service increases the memory footprint of the corresponding SOC process. The amount of additional memory required depends on the size of data the service delivers as well as the actual security policy defined within security.manager NEXT. For example, the enforcement of more complex spatial filter geometries may require more memory.
To prevent request processing errors caused by the lack of memory, the security.manager NEXT CLI as well as the Manager UI check the amount of memory that is available to a service when activating the security.manager NEXT SOI for a service.
For dedicated instances, the javaHeapSize
property value of the service itself is checked as it determines the maximal available memory for that service.
This is different for shared instances, where the javaHeapSize
property of the DynamicMappingHost
service (located in the System
services folder) specifies how much memory an instance of the shared instance pool can use at most.
In either case, if it is not defined yet, security.manager NEXT sets the value to 256 MB.
This ensures that the SOI will have enough memory available in most cases.
If javaHeapSize
is already defined, security.manager NEXT will leave the value untouched, even if it has a lower value.
Setting javaHeapSize
on a service overrides the default SOC maximum heap size that is defined for an ArcGIS Server machine.
This is usually set to 64 MB.
Please note that the effective maximal amount of memory a service or the instance pool may consume multiplies with the number of maximal instances defined.
Allow Offline Editing
By default, security.manager NEXT blocks replica-related operations on protected feature services. These operations are used to create local copies of data for offline use.
To allow replication of feature layer data, you have to enable the sync capability on the feature service. Additionally, you need to activate support for replica-related operations in the security.manager NEXT. You can activate replica support either
-
via the command line tool
secmanctl
by setting thesoi.supportReplicas
option totrue
in a service’s configuration file, or -
by checking Enable replica support (Advanced settings) when activating security.manager for a service in the Manager UI.
Limitations on Replica Support
Please note the following restrictions when defining permissions for sync-enabled feature layers:
In order to select data to be loaded into Collector for ArcGIS the user must have access to all layers of the regarding web map. Create a custom web map for each group of users if the set of accessible layers varies between groups. Important:
|
Integrated Windows Authentication
When operating security.manager NEXT in an environment with Integrated Windows Authentication (IWA) activated, you need to take care of some specifics in configuration and use.
ArcGIS Enterprise URLs
When installing security.manager NEXT you have to specify URLs to ArcGIS Server or ArcGIS Enterprise portal in the application.properties
file.
In an environment with Integrated Windows Authentication enabled, always use the URLs of the Web Adaptor, for example https://gis.example.com/arcgis
or https://gis.example.com/portal
, respectively.
Do not specify the direct URLs, which use the ports 6443
, 7443
, 6080
, and 7080
.
CORS settings
You need to activate Cross Origin Request Sharing support in the Microsoft Internet Information Services (IIS), when all the following conditions apply to your setup:
-
You are using an unfederated ArcGIS Server
and -
security.manager NEXT Manager UI is available under a different hostname than ArcGIS Server.
In this case CORS is required to allow the Manager UI (https://security.example.com/secman-next
, for example) to connect to the ArcGIS Server Administrator Directory (https://gis.example.com/arcgis/admin
, for example).
To activate CORS in IIS, follow these steps:
-
Install the IIS CORS Module if not done already.
-
In
C:\inetpub\wwwroot\<webadaptor>\Web.config
add the following configuration:<system.webServer> <cors enabled="true" failUnlistedOrigins="true"> <add origin="[ORIGIN_OF_SECURITYMANAGER]" allowCredentials="true" > </add> </cors> <system.webServer>
Replace [ORIGIN_OF_SECURITYMANAGER]
with the base URL of the Manager UI (omit the /secman-next
part).
For example if the Manager UI is accessible as http://security.example.com/secman-next
, insert https://security.example.com
.
Using the CLI with a federated ArcGIS Server
If you are using security.manager NEXT CLI from a host that allows you to login to portal with IWA, please note the following specifics:
-
Always activate the option
--iwa
when running any of the commands. -
When specifying an ArcGIS Server URL for the
-d
(--server-url
) option, always use the Web Adaptor URL. -
You still need to specify token to successfully run any command except
secmanctl login
. When runningsecmanctl login
, activate the option--iwa
, and don’t specify a username or password.
Using the CLI with an unfederated ArcGIS Server
If you are using security.manager NEXT CLI from a host that allows you to login to ArcGIS Server with IWA, please note the following specifics:
-
Always activate the option
--iwa
when running any of the commands -
When specifying an ArcGIS Server URL for the
-d
(--server-url
) option, always use the Web Adaptor URL. -
You don’t need to specify a token when running a command. Hence, you don’t need to employ the command
secmanctl login
at all.