Release Notes 1.7

What’s New

Definition of multiple fallback policies

security.manager NEXT now supports the definition of multiple fallback policies. This enables you to define fallback policies for each layer individually. In this context, the JSON format used to define policies has been changed. Therefore, please pay attention to the update notes below.

Alternative enforcement of spatial restrictions on map images

You can now define spatial restrictions on map images so that the image clipping is done by ArcGIS Server. Use the new parameter imageoperation to select which type of clipping you want to use. The advantage is that labels now remain fully visible. Furthermore, you can now enforce spatial restrictions individually per layer on map images.

If you use less complex restriction geometries, the ArcGIS clipping can lead to a big performance gain.

Language switch in Manager UI

You can now switch languages in the Manager UI. The selected language will be preserved for the next time you access the Manager UI. If no language is pre-selected, the Manager UI will open in the language that is set in your ArcGIS Enterprise Portal preferences.

Experimental support of OGC API Features (OGC-Features)

From this release on, security.manager NEXT includes experimental support for OGC API Features. This functionality is disabled by default and must not be used in production. If you want to activate OGC API Features, please get in touch.

Update Notes

If you skip several versions during the update, please also follow all update notes of the intervening versions.

Breaking change for queries used in feature restrictions and spatial restrictions (since 1.7.1)

Policies allow you to define feature restrictions and spatial restrictions to limit access to the features of a layer. Both types of restrictions require a query, which may contain references to attributes of the requesting user, like this:

Referencing the user attribute 'level' in a query
{
    ...
    "restrictions": {
        "user_level_only": {
            "type": "feature",
            "query": "LEVEL <= ${user.level}"
        }
    }
}

security.manager now checks that user attributes resolve only to SQL literal values when they are substituted into query expressions. If you have to accept user attribute values that resolve to anything other than SQL literals, you must now explicitly mark them as insecure inside the query. Otherwise, user requests will fail with errors. See section Accepted User Attributes for details.
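The following sketch illustrates this kind of check on the query shown above. It is an added example, not security.manager NEXT code: the literal grammar (numbers and single-quoted strings), the function names and the sample attribute values are assumptions made for illustration.

```python
import re

# Assumed literal grammar for this sketch: a signed number, or a single-quoted
# string whose embedded quotes are doubled (''). The product's real rules are
# documented in its "Accepted User Attributes" section.
_NUMBER = re.compile(r"[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?")
_STRING = re.compile(r"'([^']|'')*'")
_PLACEHOLDER = re.compile(r"\$\{user\.([A-Za-z_][A-Za-z0-9_]*)\}")

class NonLiteralAttribute(ValueError):
    """A user attribute would add more than one SQL literal to the query."""

def is_sql_literal(value: str) -> bool:
    """True only if the whole value is exactly one numeric or string literal."""
    return bool(_NUMBER.fullmatch(value) or _STRING.fullmatch(value))

def resolve_query(query: str, user: dict) -> str:
    """Replace ${user.<name>} references, rejecting non-literal values."""
    def substitute(match):
        name = match.group(1)
        if name not in user:
            raise KeyError(f"user attribute {name!r} is not set")
        value = str(user[name]).strip()
        if not is_sql_literal(value):
            raise NonLiteralAttribute(f"{name!r} is not a SQL literal: {value!r}")
        return value
    return _PLACEHOLDER.sub(substitute, query)

# Restriction query from the policy above; attribute values are constructed.
QUERY = "LEVEL <= ${user.level}"
SAMPLES = ("3", "'public'", "'O''Brien'", "3 OR 1=1", "'x' OR 'a'='a'")

def demo() -> dict:
    """Map each sample attribute value to the resolved query, or None if rejected."""
    results = {}
    for level in SAMPLES:
        try:
            results[level] = resolve_query(QUERY, {"level": level})
        except NonLiteralAttribute:
            results[level] = None  # the request would fail instead of running
    return results

if __name__ == "__main__":
    for value, resolved in demo().items():
        print(f"{value!r:20} -> {resolved or 'REJECTED'}")
```

Values that are a single literal pass through unchanged, while anything carrying operators or extra tokens is refused before the query is built.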

Policy JSON Schema Update

If you edit policies in a JSON editor with the help of the policy JSON schema, and you want to make use of the new policy features, the schema needs to be updated. To do so, please update the URL to https://raw.githubusercontent.com/conterra/policies-json/1.7.0/schema/policies.schema.json, or use the schema provided in folder [SECMAN_DIR]/resources/policies.schema.json of the security.manager NEXT distribution.

Policies should begin with

{
    "$schema": "https://raw.githubusercontent.com/conterra/policies-json/1.7.0/schema/policies.schema.json",
    ...
}

or

{
    "$schema": "[SECMAN_DIR]/resources/policies.schema.json",
    ...
}

Property fallbackPolicy deprecated

Please use the new fallbackPolicies array property to define fallback policies from now on. The fallbackPolicy property has been marked as deprecated and will no longer be supported in a future version of security.manager NEXT.

We therefore recommend that you convert existing fallback policies to the new syntax as described below:

Old

{
    "fallbackPolicy": {
        "layers": ["1"]
    }
}

New

{
    "fallbackPolicies": [
        {
            "layers": ["1"]
        }
    ]
}

Warnings

OGC API Features

With ArcGIS 11.0 and 11.1, services that have security.manager NEXT activated can expose unauthorized layer information via the OGC API Features endpoint. Please deactivate OGC API Features on those services.

Further information can be found under limitations.

Changelog

1.7.1

Fixed Security Issues

SECNEXT-442

Non-literal values are not rejected

1.7.0

Fixed Security Issues

SECNEXT-415

Mask image may be shown at wrong position when exporting a map

New Features

SECNEXT-286

Allow to switch languages in Manager UI

SECNEXT-287

Automatically derive language of Manager UI from Portal profile

SECNEXT-317

Radio button for filter

SECNEXT-323

Allow definition of fallback policies per layer

SECNEXT-328

Allow layer filtering for OGC API Features

SECNEXT-329

Enforce feature restriction on OGC API Features

SECNEXT-330

Enforce spatial restrictions for map services on the server side

SECNEXT-364

Allow editing of feature layers in Pro without setting true curve property to false

SECNEXT-417

Improve auto-completion in policy schema

Fixed Issues

SECNEXT-389

[UI - Resources View] Annotation layers not displayed

SECNEXT-390

Profile image is not shown after language switch

SECNEXT-392

[Manager UI] Loading spinner offsets entry in neighbouring column

SECNEXT-408

Feature server metadata reports blocked operations as supported

SECNEXT-419

[FieldMaps] Cannot add attachments on layers with feature restriction policies

SECNEXT-420

Service does not respond when UIS is not available

SECNEXT-421

applyEdits fails if a feature and an attachment with globalIds are added in the same request when a feature restriction is set