Sharing in ArcGIS Enterprise

The enforcement of policies defined with security.manager NEXT builds upon the concept of access control permission for services in ArcGIS Enterprise. In ArcGIS Enterprise portal or ArcGIS Server Manager you can permit access to services based on group membership for federated ArcGIS Servers, or role membership for unfederated ArcGIS Server, respectively. Based on those permissions security.manager NEXT applies the policies you define.

The following sections describe the effect the sharing properties for a federated server, and service security settings for an unfederated server will have on policies enforcement of security.manager NEXT.

Federated ArcGIS Servers (Sharing Properties)

In ArcGIS Enterprise portal and ArcGIS Server Manager you can share elements like services with different groups:

  • Everyone, allows access without the need to login.

  • Organization, allows access for all users, who are signed in to the portal organization.

  • Specific groups, allows access for all users, who are signed in and assigned to one of the selected groups.

As soon as security.manager NEXT is activated you can implement more fine-grained access control. You can grant permissions to a portal group by referencing its ID as a role in a policy. This means that the enforcement of policies effectively depends on a user’s login state and group assignments.

security.manager NEXT defines two roles you can use in addition to the existing portal group IDs when writing policies. They allow assigning permissions to all anonymous users and all signed-in users.

Shared in ArcGIS Enterprise with…​ security.manager NEXT role name Policy applies to…​

Everyone

enhancedSecurity_any

Every user, including anonymous users

Organization

enhancedSecurity_authenticated

Every user signed in to the portal organization

Specific portal group

Portal group ID

Users assigned to the group

Public services

When a token is provided for public services, the roles are evaluated correctly. Depending on the client, however, the token may be missing, in this case the enhancedSecurity_any role is evaluated instead. This can also happen if you use the FeatureLayer preview in Portal for ArcGIS.

Unfederated ArcGIS Servers (Service Security)

In ArcGIS Server Manager you can make services available to certain users classes:

  • Public, allows access without the need to login.

  • Private → Allow access to all Users who are logged in, allows access for all users, who are signed in to ArcGIS Server.

  • Private → Allowed roles, allows access for all users who are signed in to ArcGIS Server and are assigned to any of the selected roles.

As soon as security.manager NEXT is activated you can implement more fine-grained access control. You can grant permissions to members of a role by referencing the role name in a policy. This means that the enforcement of policies effectively depends on a user’s login state and role assignments.

security.manager NEXT defines two roles you can use in addition to the existing ArcGIS Server roles when writing policies. They allow to assign service permissions to all anonymous users and all signed in users.

Shared in ArcGIS Enterprise with…​ security.manager NEXT role name Policy applies to…​

Public

enhancedSecurity_any

Every user, including anonymous users

Private → Allow access to all Users who are logged in

enhancedSecurity_authenticated

Every user signed in to ArcGIS Server

Private → Allowed roles

Role names

Users assigned to one of the roles

If the security settings for a service in ArcGIS Server are set to Public, policies are applied for role enhancedSecurity_any only, even for logged-in users. Map services with security settings set to Private are accessible only for logged-in users. In this case, policies are applied for all roles.