Provide better security restrictions in Portal for ArcGIS by allowing access only to certain Windows AD groups of users, or to specific LDAP common names (CN) and organizational units (OU) of users.
There appears to be a limitation with respect to the initial pool of individuals who can access Portal for ArcGIS in the first place. More specifically, with the out-of-the-box configuration settings available in the 10.2 release, it is not possible to restrict Portal to a specific set of Windows domain AD groups of users, or to specific LDAP common names and organizational units, within a network. What this means is that anyone who has a user account on the domain can gain initial access to the Portal website, and an account is automatically created for them the first time they request the site, which is Esri's intended behavior. All user accounts created this way are assigned only basic access ("User" privileges) by default, and those new accounts can see only content that is assigned to their user account specifically or content that is meant to be shared publicly with all Portal users. Even so, it is not preferable to allow access to any user account simply because it exists on the domain.
Although Portal has a setting that lets you disallow anonymous access, this only gets you so far toward blocking access to the application from non-GIS users who are on the domain. In larger organizations especially, where there are hundreds or thousands of users on the domain, there are business cases where GIS administrators would not want just anyone to be able to reach the Portal site and automatically generate an account for himself or herself.
The Technical Suggestion
Per the screenshot below, the following suggestions apply to the portal-config.properties file under the C:\Program Files\ArcGIS\Portal\etc directory:
If LDAP is the method of choice, the Portal application should honor the specified common names (CN) and organizational units (OU) and therefore allow access only to the domain users within those defined entities. The first red box is intended to show that Portal access should be allowed only for user accounts that are within the GIS-ELECTRIC and GIS-GAS domain groups under the GIS_users common name on the domain.
If Windows is the method of choice, the Portal application should provide a new configuration line item such as idp.groups, where administrators can specify Windows AD groups, for example in a comma-separated format. The second red box is intended to show that Portal access should be allowed only for user accounts that are within the GIS-ELECTRIC and GIS-GAS domain groups.
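To make the proposed rule concrete, here is an added illustration (not Esri's code and not how Portal for ArcGIS actually evaluates logins) of the admission check that both suggestions above describe: a domain account is admitted, and so gets a Portal account auto-created, only if it belongs to an allowed AD group or sits under an allowed LDAP container. The key idp.groups is the one the post proposes; the key idp.ldap.containers, the semicolon separator for DN lists, and the sample groups and DNs are assumptions for the example.

```python
import re

# Constructed excerpt of portal-config.properties for this example; idp.groups is
# the line item the post proposes, idp.ldap.containers is an assumed LDAP variant.
SAMPLE_PROPERTIES = """
idp.groups=GIS-ELECTRIC, GIS-GAS
idp.ldap.containers=CN=GIS_users,DC=example,DC=com
"""

def load_rules(properties):
    """Parse key=value lines; group lists are comma-separated, DN lists are
    semicolon-separated (a DN already contains commas, so a comma list is ambiguous)."""
    rules = {}
    for line in properties.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sep = ";" if key.strip() == "idp.ldap.containers" else ","
        rules[key.strip()] = [v.strip() for v in value.split(sep) if v.strip()]
    return rules

def parse_dn(dn):
    """Split a DN into lower-cased (attribute, value) RDNs, honouring escaped commas."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.replace("\\,", ",").strip().lower()))
    return rdns

def dn_under(user_dn, container_dn):
    """True when user_dn lies beneath container_dn (suffix match on the RDN sequence)."""
    user, container = parse_dn(user_dn), parse_dn(container_dn)
    return len(user) > len(container) and user[-len(container):] == container

def is_allowed(user_groups, user_dn, rules):
    """Proposed rule: admit only members of an allowed AD group or users located under
    an allowed LDAP container. With neither restriction configured, the 10.2 behaviour
    stands: every domain account is admitted and gets a Portal account created."""
    allowed_groups = {g.lower() for g in rules.get("idp.groups", [])}
    containers = rules.get("idp.ldap.containers", [])
    if not allowed_groups and not containers:
        return True
    if allowed_groups & {g.lower() for g in user_groups}:
        return True
    return any(dn_under(user_dn, c) for c in containers)

if __name__ == "__main__":
    rules = load_rules(SAMPLE_PROPERTIES)
    print(is_allowed(["Domain Users", "GIS-GAS"], "CN=jdoe,OU=Staff,DC=example,DC=com", rules))
    print(is_allowed(["Domain Users"], "CN=asmith,OU=Staff,DC=example,DC=com", rules))
```

The second call shows the case the post is concerned about: a plain domain account with no GIS group membership would be turned away instead of silently receiving a Portal account.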