Arcgis servers should respect portal security

1744
5
08-02-2019 10:57 AM
JeffTimm
Occasional Contributor

When portal came out I was very excited because for years had to deal with the Arcgis Server security where you could assign permissions to folders or services. Unfortunately this only applied to users.  If you were a publisher or admin all security went out the window.

Here is my suggestion: Now that we have Federated Arcgis Servers that use Portal security I think the servers security model should actually mimic portal security instead of the following:

“If a custom role is created with any administrative privileges, ArcGIS Server will grant members within that role full administrative access. This includes rights to publish any service type directly to ArcGIS Server and the ability to view and access all services. Consider the security risks before creating a custom role for any member that includes administrative privileges.”

This limits the assignment of any Admin rights, even minor ones, in our environment where there is sensitive data.  Those added checkboxes in custom roles just sit there and taunt me.

5 Comments
JeffTimm

Example of the taunting checkboxes

JeffTimm

even one checkbox in this section and every service is exposed.

PaulHoefflerGISS

A couple years back we had an emergency-response situation where the Assign members privilege needed to be enabled for some publishers in a custom role, and discovered the effective permissions-bleed that is now documented. Note that this also affects ArcGIS Online (where we were working).

Some "Administrative" privileges are more in line with the Publisher role, such as Publish web tools, which makes the issue all the more confusing for users.

PaulHoefflerGISS

One additional note, we were told at that time that the ArcGIS Server security model is very simple and that it would not be possible to extend the granular privileges from Portal to Server, beyond what's already available for federated servers. Hopefully that has changed since, or may change.

JeffTimm

I know this is an old thread but I still would like to see this.  If the ArcGIS server security model is very simple maybe it should be modernized to match portal capabilities.