Fallback policy

In this tutorial, you will learn to define a fallback policy that grants a default level of access to all users who don’t match any specific policy. This policy provides access to the Cities (0) layer, limited to just the field CITY_NAME.

This tutorial was tested for ArcGIS Enterprise 11.5 in December, 2025.

Prerequisites

This tutorial builds on the Working with groups tutorial, where you define restrictions for different user groups. If you do this tutorial separately, use the result of that tutorial or keep in mind that your policy file might look different. The preconditions are the same for this tutorial.

  • security.manager NEXT is installed.

  • You can use five user accounts:

    • An administrative user account to administer security.manager and Portal.

    • 4 non-administrative user accounts to test the access:

      • Alex is in groupX

      • Bob is in groupY

      • Charlie is in both groupX and groupY

      • Dana is neither in groupX nor groupY

  • You can use the service SampleWorldCities for this tutorial. So, you can restrict access to the service.

Add a fallback policy

security.manager NEXT provides fallback policies that customize the default behavior. If no other policy matches a user’s roles, security.manager NEXT will instead apply all fallback policies that cover the requested layer. They provide a safety net that defines minimum access levels instead of denying access completely.

Fallback policies:

  • do not use the roles property.

  • are applied automatically when no other policy matches.

  • can include layers and restrictions like regular policies.

  • allow you to provide controlled default access.

Add a fallback policy

Extend the multi-group policy from the previous tutorial by adding a fallback policy. First, create a fallback policy that allows access to the Cities (0) layer.

  1. Open the policy configuration via Edit permissions in the Admin UI.

    While editing a policy, press Ctrl+Space to display available examples, descriptions, and code snippets.

  2. Add a new line after the "properties" section.

  3. Press Ctrl+Space and select fallbackPolicies.

  4. In the square brackets, press Ctrl+Space and select {"layers": [""]}.

    You have now created a fallbackPolicies array with a fallback policy template that needs to be parameterized.

  5. To apply the policy to layer Cities (0), add a 0 to the empty layers string.

You created a fallbackPolicies array that contains one fallback policy that allows access to the Cities (0) layer. Your policy now starts like this:

{
    "properties": {
        "groupX": "0123456789abcdef0123456789abcdef",
        "groupY": "abcdef0123456789abcdef0123456789"
    },
    "fallbackPolicies": [{
        "layers": [
            "0"
        ]
    }],
    "restrictions": {
        "cities_starting_with_s": {
            "type": "feature",

Add a field restriction

To restrict that access to only the city names, you need a field restriction.

  1. Move your cursor to the start of the existing "restrictions" object and add a new line.

  2. Type "cities_only_names": and select the Field restriction from the auto-completion list.

  3. To define that only access to field CITY_NAME is allowed, replace hiddenfields with allowedfields.

    Use allowedfields instead of hiddenfields when you want to show only a few specific fields. This approach is more secure as it explicitly defines what should be visible rather than what should be hidden.

    You cannot hide technically required fields with a field restriction. These include object ID fields, geometry fields, and display fields. For more details about field restriction limitations, see field restrictions.

  4. Inside the square brackets, replace "field_name" with "CITY_NAME".

Now, you have a fallback policy and a field restriction. Your policy now starts like this:

{
    "properties": {
        "groupX": "0123456789abcdef0123456789abcdef",
        "groupY": "abcdef0123456789abcdef0123456789"
    },
    "fallbackPolicies": [{
        "layers": [
            "0"
        ]
    }],
    "restrictions": {
        "cities_only_names": {
            "type": "field",
            "allowedfields": [
                "CITY_NAME"
            ]
        },
        "cities_starting_with_s": {

Reference the restriction

Finally, reference the field restriction in the fallback policy.

  1. Move the cursor to the fallback policy.

  2. Add a comma and a new line after the layers array.

  3. Add a restrictions array.

  4. Inside this array, add "cities_only_names" to reference the field restriction.

    Your policy should now look like this:

    {
        "properties": {
            "groupX": "0123456789abcdef0123456789abcdef",
            "groupY": "abcdef0123456789abcdef0123456789"
        },
        "fallbackPolicies": [{
            "layers": [
                "0"
            ],
            "restrictions": ["cities_only_names"]
        }],
        "restrictions": {
            "cities_only_names": {
                "type": "field",
                "allowedfields": [
                    "CITY_NAME"
                ]
            },
            "cities_starting_with_s": {
                "type": "feature",
                "query": "CITY_NAME LIKE 'S%'"
            },
            "population": {
                "type": "feature",
                "query": "pop >= 1000000"
            },
            "USA": {
                "type": "spatial",
                "featuretypeurl": "https://services.conterra.de/server/rest/services/security_demos/World_Countries/FeatureServer/0",
                "featurequery": "NAME = 'United States'",
                "imageoperation": "arcgis-clipping"
            },
            "reduced_fields": {
                "type": "field",
                "hiddenfields": [
                    "POP_CLASS",
                    "POP_RANK"
                ]
            }
        },
        "policies": [
            {
                "layers": [
                    "0"
                ],
                "roles": [
                    "${groupX}"
                ],
                "restrictions": [
                    "population",
                    "USA",
                    "reduced_fields"
                ]
            },
            {
                "layers": [
                    "0"
                ],
                "roles": [
                    "${groupY}"
                ],
                "restrictions": [
                    "cities_starting_with_s"
                ]
            },
            {
                "layers": [
                    "1"
                ],
                "roles": [
                    "${groupY}"
                ]
            }
        ]
    }
  5. Click on Save changes and restart.
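
A consistency check you can run over the policy file before saving it, as an added example that is not part of security.manager NEXT or the original tutorial. It checks the rules stated on this page (fallback policies carry no roles, allowedfields is preferred over hiddenfields, a fallback policy without restrictions grants unrestricted access to its layers). It assumes that restriction names and `${...}` placeholders must resolve to entries in "restrictions" and "properties"; the name `lint_policy` and the reduced sample policy are constructed for illustration.

```python
import json
import re

# Reduced copy of the tutorial's policy (constructed sample input).
POLICY = json.loads("""
{
  "properties": {"groupX": "0123456789abcdef0123456789abcdef"},
  "fallbackPolicies": [{"layers": ["0"], "restrictions": ["cities_only_names"]}],
  "restrictions": {
    "cities_only_names": {"type": "field", "allowedfields": ["CITY_NAME"]},
    "reduced_fields": {"type": "field", "hiddenfields": ["POP_CLASS", "POP_RANK"]}
  },
  "policies": [{"layers": ["0"], "roles": ["${groupX}"], "restrictions": ["reduced_fields"]}]
}
""")

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")  # matches ${name} role placeholders


def lint_policy(policy):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    defined = policy.get("restrictions", {})
    props = policy.get("properties", {})
    for i, fb in enumerate(policy.get("fallbackPolicies", [])):
        where = f"fallbackPolicies[{i}]"
        if "roles" in fb:
            findings.append(f"{where}: fallback policies do not use 'roles'")
        if not fb.get("restrictions"):
            findings.append(f"{where}: unrestricted default access to layers {fb.get('layers')}")
        for name in fb.get("restrictions", []):
            r = defined.get(name, {})
            if r.get("type") == "field" and "allowedfields" not in r:
                findings.append(f"{where}: '{name}' does not use allowedfields")
    # Every reference must resolve (assumption, see lead-in).
    for kind in ("policies", "fallbackPolicies"):
        for i, p in enumerate(policy.get(kind, [])):
            for name in p.get("restrictions", []):
                if name not in defined:
                    findings.append(f"{kind}[{i}]: unknown restriction '{name}'")
            for role in p.get("roles", []):
                for key in PLACEHOLDER.findall(role):
                    if key not in props:
                        findings.append(f"{kind}[{i}]: undefined property '{key}'")
    return findings


if __name__ == "__main__":
    print(lint_policy(POLICY) or "no findings")
```

The intermediate policy from the first step of this tutorial, a fallback policy with only a layers array, is reported as unrestricted default access.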

Verify configuration

To verify the previous configuration, go to the SampleWorldCities service and test it with Dana.

  1. Open a private browser.

  2. Go to the ArcGIS REST Services Directory and log in as user Dana, who is in neither groupX nor groupY.

  3. Navigate to the service metadata of the SampleWorldCities service.

  4. Click on the Cities (0) layer, which is the only layer this user can see.

  5. Go to the Fields section.

  6. You will only see:

    • OBJECTID which is required as ID.

    • Shape which contains the geometry.

    • CITY_NAME which you allowed access to by the fallback policy.

  7. Log in as the other users to see that nothing changes.

Summary

In this tutorial, you learned how to define a fallback policy for users whose roles do not match any policy. You learned to use allowedfields instead of hiddenfields as a more secure approach to define visible fields.

For further details, refer to Fallback policies in the reference.

In the tutorial Dynamic restrictions using user attributes you will learn to configure user-based restrictions.