Policy validation

In this tutorial you will learn how to activate policy validation for the action.

Currently, your workflow will sync all changes to the policy files without validation. This can lead to undesirable behavior. The --metadata-validation option for the secmanctl sync command checks

  • whether referenced layers exist and

  • whether field names used in restrictions are correct against the actual ArcGIS Server metadata.

It provides three levels of validation:

  • off: No additional policy validation is performed.

  • warning: Validation is performed; warnings are displayed, but the command continues.

  • error: Validation is performed; warnings cause the command to abort.

This tutorial was tested for ArcGIS Enterprise 11.5 in December 2025.

Prerequisites

Check the preconditions for this tutorial:

  • VS Code is installed on your local machine.

  • You have a GitHub account.

  • You have administrative privileges to security.manager NEXT.

  • You have completed the GitHub Actions tutorial.

Add policy validation

Use the built-in metadata validation feature of secmanctl sync to validate policies against ArcGIS Server metadata.

  1. Open the sync-policies.yaml file.

  2. Search for secmanctl sync.

  3. Add the --metadata-validation option to abort the command if warnings are found.

        - name: Authenticate and sync policies with validation
          env:
            SM_USERNAME: ${{ secrets.ARCGIS_USERNAME }}
            SM_PASSWORD: ${{ secrets.ARCGIS_PASSWORD }}
            SM_SERVER_URL: ${{ secrets.ARCGIS_SERVER_URL }}
          run: |
            # Authenticate with ArcGIS Server and get token
            TOKEN=$(secmanctl login -d "$SM_SERVER_URL" -u "$SM_USERNAME" -p "$SM_PASSWORD" --plain)
    
            # Sync with metadata validation (warnings will cause command to fail)
            secmanctl sync -f policies -d "$SM_SERVER_URL" -t "$TOKEN" --metadata-validation error

  4. Save the file.

  5. Commit and push your changes.

Now the action aborts if the validation fails. The metadata validation checks, for example, whether the referenced layers exist and whether field names are used correctly. It cannot verify whether the semantics of the policies are correct.
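To make the three validation levels concrete, the following added example (not security.manager NEXT code and not part of the original tutorial) models the two checks against constructed metadata. The policy shape, the layer and field names, the exact-match comparison, and exit code 1 standing for an aborted command are assumptions for illustration.

```python
# Constructed stand-in for service metadata: layer name -> field names.
SERVICE_METADATA = {
    "Cities": {"OBJECTID", "CITY_NAME", "POP"},
    "Continent": {"OBJECTID", "CONTINENT"},
}

# Constructed policy in a simplified, hypothetical shape (not the product schema).
POLICY = [
    {"layer": "Cities", "restricted_fields": ["POP", "POPULATION"]},
    {"layer": "Countries", "restricted_fields": ["NAME"]},
]

LEVELS = ("off", "warning", "error")


def find_warnings(policy, metadata):
    """Collect one warning per missing layer or unknown field name."""
    warnings = []
    for rule in policy:
        layer = rule["layer"]
        if layer not in metadata:
            warnings.append(f"layer '{layer}' does not exist")
            continue  # fields cannot be checked without the layer
        for field in rule["restricted_fields"]:
            if field not in metadata[layer]:  # exact match is an assumption
                warnings.append(f"field '{field}' not found in layer '{layer}'")
    return warnings


def validate(policy, metadata, level):
    """Return (exit_code, warnings); exit code 1 stands for an aborted sync."""
    if level not in LEVELS:
        raise ValueError(f"unknown validation level: {level!r}")
    if level == "off":
        return 0, []  # nothing is checked, so invalid policies pass silently
    warnings = find_warnings(policy, metadata)
    if level == "error" and warnings:
        return 1, warnings  # warnings abort the command
    return 0, warnings  # level "warning": report, then continue


if __name__ == "__main__":
    for level in LEVELS:
        code, warnings = validate(POLICY, SERVICE_METADATA, level)
        print(f"{level}: exit={code}")
        for message in warnings:
            print(f"  warning: {message}")
```

Both constructed rules are structurally well formed, so only the comparison against metadata catches them; a rule that names an existing layer and field but restricts the wrong data passes at every level.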

Verify configuration

Test the validation by committing and pushing a policy file with metadata errors.

  1. Open SampleWorldCities.json.

  2. Modify the file to introduce a metadata error, for example queries instead of query.

  3. Save the file.

  4. Commit and push your changes.

  5. Go to the GitHub Action menu in the browser and monitor the workflow. It should abort the sync command.

Test the workflow with a valid policy file.

  1. Fix the error in the SampleWorldCities.json.

  2. Change queries back to query to fix the validation error.

  3. Save the file.

  4. Commit and push your changes.

  5. Go to the GitHub Action menu in the browser and monitor the workflow. The sync command should not be aborted.

Summary

In this tutorial, you learned how to activate the policy validation to avoid publishing invalid policies.