Operation
Administrative Access
To protect a federated ArcGIS Server, the account security.manager NEXT uses to sign in to ArcGIS Enterprise requires administrative privileges.
You can achieve this either by assigning the user to the default role Administrator in the ArcGIS Enterprise portal or, if you want to keep the granted rights to a minimum, by defining a custom role in the portal and assigning the required privilege Servers to it. The user working with security.manager NEXT then has to be a member of that custom role.
It is possible that data (e.g. layer information) from a secured service cannot be displayed to you inside the Policy Explorer of the security.manager NEXT Manager UI. Instead, an indication that administrator privileges are missing is shown, although the privileges have been granted only recently. In this case, please wait a few minutes until the current roles have been processed by security.manager NEXT and then try again.
ArcGIS Server Memory Settings
Activating security.manager NEXT on an ArcGIS Server service increases the memory footprint of the corresponding SOC process. The amount of additional memory required depends on the size of data the service delivers as well as the actual security policy defined within security.manager NEXT. For example, the enforcement of more complex spatial filter geometries may require more memory.
To prevent request processing errors caused by the lack of memory, the security.manager NEXT CLI as well as the Manager UI check the amount of memory that is available to a service when activating the security.manager NEXT SOI for a service.
For dedicated instances, the javaHeapSize property value of the service itself is checked, as it determines the maximum memory available to that service.
This is different for shared instances, where the javaHeapSize property of the DynamicMappingHost service (located in the System services folder) specifies how much memory an instance of the shared instance pool can use at most.
In either case, if it is not defined yet, security.manager NEXT sets the value to 256 MB.
This ensures that the SOI will have enough memory available in most cases.
If javaHeapSize is already defined, security.manager NEXT will leave the value untouched, even if it has a lower value.
Setting javaHeapSize on a service overrides the default SOC maximum heap size that is defined for an ArcGIS Server machine.
This is usually set to 64 MB.
Please note that the effective maximum amount of memory a service or the instance pool may consume is the configured heap size multiplied by the maximum number of instances defined.
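The following added example (not part of security.manager NEXT) reproduces the javaHeapSize check described above on service definitions. It assumes the JSON shape of the ArcGIS Server admin API (a top-level maxInstancesPerNode, a provider of DMaps for shared instances, and properties.javaHeapSize); those field names and the sample services are assumptions constructed for the example.

```python
"""Reproduce the javaHeapSize rule security.manager NEXT applies when activating the SOI.

Assumed service layout (modelled on the ArcGIS Server admin API JSON):
  service["provider"] == "DMaps"      -> shared instance (DynamicMappingHost pool)
  service["maxInstancesPerNode"]      -> maximum instance count
  service["properties"]["javaHeapSize"] -> per-instance heap in MB, may be missing
"""

DEFAULT_HEAP_MB = 256      # value set by security.manager NEXT when javaHeapSize is undefined
SOC_DEFAULT_HEAP_MB = 64   # usual machine-wide SOC default when nothing is set on the service


def is_shared_instance(service):
    """Shared instances run in the DynamicMappingHost pool (provider 'DMaps', assumed)."""
    return service.get("provider") == "DMaps"


def governing_service(service, dynamic_mapping_host):
    """Dedicated: the service's own javaHeapSize counts; shared: DynamicMappingHost's does."""
    return dynamic_mapping_host if is_shared_instance(service) else service


def ensure_heap(service, dynamic_mapping_host):
    """Set 256 MB only when javaHeapSize is undefined; an existing value is left untouched
    even if it is lower. Returns (effective_heap_mb, value_was_set)."""
    target = governing_service(service, dynamic_mapping_host)
    props = target.setdefault("properties", {})
    raw = props.get("javaHeapSize")
    if raw in (None, ""):
        props["javaHeapSize"] = str(DEFAULT_HEAP_MB)
        return DEFAULT_HEAP_MB, True
    return int(raw), False


def max_memory_mb(service, dynamic_mapping_host):
    """Worst case the service (or the shared pool) may consume: heap times max instances."""
    target = governing_service(service, dynamic_mapping_host)
    heap = int(target.get("properties", {}).get("javaHeapSize") or SOC_DEFAULT_HEAP_MB)
    return heap * int(target["maxInstancesPerNode"])


# Constructed sample definitions (not real services).
DEDICATED = {"serviceName": "Roads", "provider": "ArcObjects11",
             "maxInstancesPerNode": 4, "properties": {}}
SHARED = {"serviceName": "Parcels", "provider": "DMaps",
          "maxInstancesPerNode": 0, "properties": {}}
DYNAMIC_MAPPING_HOST = {"serviceName": "DynamicMappingHost",
                        "maxInstancesPerNode": 8, "properties": {"javaHeapSize": "128"}}

if __name__ == "__main__":
    print(ensure_heap(DEDICATED, DYNAMIC_MAPPING_HOST), max_memory_mb(DEDICATED, DYNAMIC_MAPPING_HOST))
    print(ensure_heap(SHARED, DYNAMIC_MAPPING_HOST), max_memory_mb(SHARED, DYNAMIC_MAPPING_HOST))
```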
Allow Offline Editing
By default, security.manager NEXT blocks replica-related operations on protected feature services. These operations are used to create local copies of data for offline use.
To allow replication of feature layer data, you have to enable the sync capability on the feature service. Additionally, you need to activate support for replica-related operations in security.manager NEXT. You can activate replica support either
- via the command line tool secmanctl by setting the soi.supportReplicas option to true in a service's configuration file, or
- by checking Enable replica support (Advanced settings) when activating security.manager for a service in the Manager UI.
Limitations on Replica Support
Please note the following restrictions when defining permissions for sync-enabled feature layers:
Important: In order to select data to be loaded into ArcGIS Field Maps, the user must have access to all layers of the web map in question. Create a custom web map for each group of users if the set of accessible layers varies between groups. Note that Offline Map Areas defined on a web map in Portal for ArcGIS in advance are not supported. Areas to be taken offline have to be defined in the ArcGIS Field Maps app.
Integrated Windows Authentication
When operating security.manager NEXT in an environment with Integrated Windows Authentication (IWA) activated, you need to take care of some specifics in configuration and use of security.manager NEXT.
Configuration of the Manager UI
If you want to use the Manager UI in an IWA environment, you must adapt the Manager UI configuration.
Follow the instructions in this section to ensure you can use the Manager UI in the browser.
ArcGIS Enterprise URLs
When installing security.manager NEXT you must configure URLs for ArcGIS Server and the ArcGIS Enterprise Portal.
When doing so, always use the Web Adaptor URLs in the application.properties, e.g. https://gis.example.com/server or https://gis.example.com/portal.
Do not use the URLs that contain ports 6443 and 7443 or 6080 and 7080.
CORS settings: Manager UI
Add the following setting to the application.properties:
cors.request.trustedServers=https://<portal-webadaptor-host>,https://<server-webadaptor-host>
Replace <portal-webadaptor-host> and <server-webadaptor-host> with the actual hostnames and ports of the respective Web Adaptors, for example:
cors.request.trustedServers=https://gis.example.com/portal,https://gis.example.com/server
This ensures that the browser provides the necessary authentication information when sending requests to the Portal and/or ArcGIS Server through the Manager UI.
CORS settings: Web Adaptor
The following settings are only required if security.manager NEXT is not reachable under the same hostname (origin) as the ArcGIS Server Web Adaptor or the ArcGIS Portal Web Adaptor.
In this case, enable Cross-Origin Resource Sharing (CORS) in Microsoft Internet Information Services (IIS).
This ensures that the Manager UI, which you access in the browser for example as https://security.example.com/secman-next, can communicate with the ArcGIS Server e.g. https://gis.example.com/server/ or ArcGIS Enterprise Portal e.g. https://gis.example.com/portal/.
Perform the following steps for every ArcGIS Server Web Adaptor and every ArcGIS Portal Web Adaptor where IWA is enabled:
- Install the IIS CORS Module if it is not already installed.
- Add the following configuration to the file C:\inetpub\wwwroot\<webadaptor>\Web.config:

<system.webServer>
  <cors enabled="true" failUnlistedOrigins="true">
    <add origin="[ORIGIN_OF_SECURITYMANAGER]" allowCredentials="true" />
  </cors>
</system.webServer>

Replace [ORIGIN_OF_SECURITYMANAGER] with the base URL of the Manager UI (omit the /secman-next part). For example, if the Manager UI is accessible as https://security.example.com/secman-next, insert https://security.example.com.
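The following added example (not part of security.manager NEXT) encodes the URL rules from the two CORS sections above: it rejects the direct ArcGIS ports in the application.properties URLs, derives the origin (scheme and host only, no /secman-next path) for the IIS CORS entry, and tells whether the Web Adaptor entry is needed at all. All URLs are the constructed examples from this page; the property name cors.request.trustedServers is the one given above.

```python
"""Validate the IWA-related URL and CORS settings described on this page."""
from urllib.parse import urlsplit

# Direct ArcGIS Server / Portal ports that must not appear in the configured URLs.
INTERNAL_PORTS = {6443, 7443, 6080, 7080}


def uses_internal_port(url):
    """True if the URL points at ArcGIS directly instead of through the Web Adaptor."""
    return urlsplit(url).port in INTERNAL_PORTS


def origin_of(url):
    """Browser origin: scheme://host[:port], i.e. the URL with its path removed."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def trusted_servers_property(portal_url, server_url):
    """Build the cors.request.trustedServers line, refusing non-Web-Adaptor URLs."""
    for url in (portal_url, server_url):
        if uses_internal_port(url):
            raise ValueError(f"{url}: use the Web Adaptor URL, not port {urlsplit(url).port}")
    return f"cors.request.trustedServers={portal_url},{server_url}"


def needs_iis_cors(manager_ui_url, webadaptor_url):
    """The IIS CORS entry is only required when Manager UI and Web Adaptor differ in origin."""
    return origin_of(manager_ui_url) != origin_of(webadaptor_url)


def iis_cors_fragment(manager_ui_url):
    """Web.config fragment for the IIS CORS module with the Manager UI origin filled in."""
    origin = origin_of(manager_ui_url)
    return (
        "<system.webServer>\n"
        '  <cors enabled="true" failUnlistedOrigins="true">\n'
        f'    <add origin="{origin}" allowCredentials="true" />\n'
        "  </cors>\n"
        "</system.webServer>"
    )


if __name__ == "__main__":
    print(trusted_servers_property("https://gis.example.com/portal", "https://gis.example.com/server"))
    if needs_iis_cors("https://security.example.com/secman-next", "https://gis.example.com/server/"):
        print(iis_cors_fragment("https://security.example.com/secman-next"))
```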
Using the CLI
When using the security.manager NEXT CLI in an IWA environment, you must consider some specifics when running commands. Depending on whether you interact with a federated ArcGIS Server or an unfederated ArcGIS Server, adjust the options as described in the following subsections.
Federated ArcGIS Server
If you use the security.manager NEXT CLI from a host where you can log in to the portal with IWA, note the following specifics:
- When specifying an ArcGIS Server URL for the -d (--server-url) option, always use the Web Adaptor URL.
- When running secmanctl login, activate the option --iwa, and don't specify a username or password to retrieve an access token.
- When running secmanctl groups, activate the option --iwa, and don't provide the --token option.
- For the commands secmanctl apply and secmanctl sync you need to provide the --token option but not the --iwa option.
Unfederated ArcGIS Server
If you use the security.manager NEXT CLI from a host where you can log in to ArcGIS Server with IWA, note the following specifics:
- Activate the --iwa option when running commands.
- When specifying an ArcGIS Server URL for the -d (--server-url) option, always use the Web Adaptor URL.
- You do not need to provide a token when running commands. Therefore, secmanctl login is not required.
Upgrade of ArcGIS Enterprise from 10.x to 11.x
This section describes how to deal with the major version change of ArcGIS Enterprise from 10.x to 11.x.
There is no SOI that supports both ArcGIS 10 and ArcGIS 11 simultaneously. Therefore, the security.manager NEXT SOI must be upgraded alongside ArcGIS Enterprise, which is described below.
If you install ArcGIS Enterprise 11 on a separate server, you can backup existing policies on your ArcGIS Enterprise 10 installation and restore them on the new ArcGIS Enterprise 11 installation with the security.manager NEXT CLI.
In-place upgrade
The upgrade of security.manager NEXT alongside ArcGIS Enterprise from 10.x to 11.x particularly concerns the SOI. Please perform the security.manager NEXT upgrade after the ArcGIS Enterprise upgrade. All services with security.manager activated will temporarily be unable to start after the ArcGIS Enterprise upgrade and before the SOI update.
- Back up existing policies on the ArcGIS Enterprise 10 installation so you can restore them in case policies are lost during the upgrade process.
- Perform the ArcGIS Enterprise upgrade from 10.x to 11.x. As a result, all services with security.manager activated will be stopped. These services won't be able to start before the SOI is updated.
- Sign in to ArcGIS Server Manager and navigate to the Site section. Open the Extensions area.
- Delete the installed SOE file for ArcMap (file name: ct-security-soi-arcmap.soe) via the Delete extension action. This is obsolete, as there is no ArcMap Runtime in ArcGIS 11.x anymore. Please note that deleting the wrong SOE file will result in a loss of policies.
- Perform an upgrade of the installed SOE file for ArcGIS Pro via the Edit extension action.
- Verify that the version of the upgraded extension shown in the column Display Name contains the version 1.11.0.
- Sign in to the security.manager NEXT Manager UI and verify that security.manager is activated on all desired services in the Service Manager, indicated by the corresponding icon. You should also check that your policies are still present by clicking → Edit permissions for those services. If not, they can be restored from the policy backup.
- Start all desired services in the ArcGIS Server Manager.