Sharing in ArcGIS Enterprise
Enforcement of the policies defined with security.manager NEXT builds on the access control permissions for services in ArcGIS Enterprise. In the ArcGIS Enterprise portal or in ArcGIS Server Manager you grant access to services based on group membership (federated ArcGIS Servers) or role membership (unfederated ArcGIS Servers). Based on those permissions, security.manager NEXT applies the policies you define.
The following sections describe the effect that the sharing properties of a federated server and the service security settings of an unfederated server have on policy enforcement by security.manager NEXT.
Federated ArcGIS Servers (Sharing Properties)
In the ArcGIS Enterprise portal and in ArcGIS Server Manager you can share elements such as services with different groups:
- Everyone, allows access without the need to log in.
- Organization, allows access for all users who are signed in to the portal organization.
- Specific groups, allows access for all users who are signed in and assigned to one of the selected groups.
As soon as security.manager NEXT is activated, you can implement more fine-grained access control. You can grant permissions to a portal group by referencing its ID as a role in a policy. This means that the enforcement of policies effectively depends on a user's login state and group assignments.
security.manager NEXT defines two roles you can use in addition to the existing portal group IDs when writing policies. They allow assigning permissions to all anonymous users and to all signed-in users.
| Shared in ArcGIS Enterprise with… | security.manager NEXT role name | Policy applies to… |
|---|---|---|
| Everyone | | Every user, including anonymous users |
| Organization | | Every user signed in to the portal organization |
| Specific portal group | Portal group ID | Users assigned to the group |
If an item in ArcGIS Enterprise is shared with Everyone, policies are applied for role
When an item is shared with both Everyone and the portal organization, the service is treated as shared with Everyone when applying policies.
Unfederated ArcGIS Servers (Service Security)
In ArcGIS Server Manager you can make services available to certain classes of users:
- Public, allows access without the need to log in.
- Private → Allow access to all Users who are logged in, allows access for all users who are signed in to ArcGIS Server.
- Private → Allowed roles, allows access for all users who are signed in to ArcGIS Server and are assigned to any of the selected roles.
As soon as security.manager NEXT is activated, you can implement more fine-grained access control. You can grant permissions to members of a role by referencing the role name in a policy. This means that the enforcement of policies effectively depends on a user's login state and role assignments.
security.manager NEXT defines two roles you can use in addition to the existing ArcGIS Server roles when writing policies. They allow assigning service permissions to all anonymous users and to all signed-in users.
| Service security in ArcGIS Server set to… | security.manager NEXT role name | Policy applies to… |
|---|---|---|
| Public | | Every user, including anonymous users |
| Private → Allow access to all Users who are logged in | | Every user signed in to ArcGIS Server |
| Private → Allowed roles | Role names | Users assigned to one of the roles |
If the security settings for a service in ArcGIS Server are set to Public, policies are applied for role