Managing policies using the Manager UI

Sign-in

To start the Manager UI open https://<tomcat-host>/secman-next in a browser.

If you are running security.manager NEXT with a federated ArcGIS Server, the browser will direct you to the ArcGIS Enterprise portal login. If you are signed in to portal already, you will be redirected to the Manager UI. Otherwise, sign in to portal with an account that has at least one administrative privilege. While signing in, portal may require you to acknowledge that security.manager is allowed to access the login account data. Afterwards you will be redirected to the Manager UI as a logged in user.

When running security.manager NEXT with an unfederated ArcGIS Server, you will be prompted to sign in by the Manager UI. Enter username and password of an ArcGIS Server user who is assigned to a role of type Administrator. You are then logged in to the Manager UI.

Missing permissions may result in the Service Manager or Rights Explorer areas not being visible or containing incomplete information. In this case, make sure in the portal or ArcGIS Server Manager that the account used has the necessary permissions. The Primary Site Administrator account (PSA) of the ArcGIS Server does not meet these conditions.

Service Manager

Activate or deactivate security.manager

After the initial installation, security.manager NEXT has no effect on the accessibility of services. It must be activated for every single service where it shall control access. This is why all services of the selected ArcGIS Server initially appear with a security.manager deactivated symbol in the Service Manager. The grey lock indicates that security.manager is not activated for the actual service.

To activate security.manager on a service, click service menuActivate security.manager. You can now select to Enable replica support under Advanced settings.

When you click on Activate, security.manager NEXT does the following:

  1. Set disableCaching: true on the service in order to make sure that service metadata will get filtered according to defined policies.

  2. Set javaHeapSize: "256" on the service.
    If the property was already set, it will not be changed, even if it is set differently. See ArcGIS Server Memory Settings for details about memory handling for dedicated and shared instances.

  3. Enable the SOI on the service.

  4. Restart the service.
    If the service was stopped before activation, it is not started automatically.

On successful activation, the lock symbol turns to security.manager activated, and access control is applied. Administrative users still have full access to the service resources without limitations. But all other users will not get access to any service resource until you define a policy with a permission that explicitly grants access.

Deactivate security.manager by clicking service menuDeactivate security.manager. The service settings (disableCaching, javaHeapSize, enable replica support) are not reset. Policies are not purged but become inactive.

When you activate security.manager again, the settings are again checked and adjusted as described above, in case they have been reset by any other means. On activation, inactive policies become active again.

Activate or deactivate the security.manager only through the Manager UI or the CLI. Do not make any changes to the SOI via the ArcGIS Server Manager or the ArcGIS Enterprise portal, as this can lead to unexpected behavior.

Edit permissions

When security.manager is activated on a service, regular users initially do not have access to any layers or features. Only if you define a policy that grants permission to a layer of a service, users get access to service resources like layers and features. With the Service Manager you can define policies on a service — although we recommend to use the CLI. The CLI in combination with a policies working directory allows to quickly bring your ArcGIS Server into a defined, reproducible state.

Defining policies inside the Service Manager can still be useful for testing or managing a smaller ArcGIS Server site.

To define a policy giving permission to access resources of a service

  1. Make sure security.manager is activated for this service.

  2. Click service menuEdit permissions.

  3. Enter or modify a JSON policy in the dialog.
    Alternatively you can drag and drop an existing JSON file including a valid policy onto the dialog.

  4. Apply the policies with Save changes and restart.

If the service was started it will be restarted, and the new policies become effective.