GeoEvent Configuration: Data Store Connections w/Tokens

Blog Post created by eironside-esristaff Employee on Sep 25, 2019

NOTE: This post deserves a more in-depth conversation that I hope to expand on in the near future.


Sometimes organizations want to use token authentication in their GeoEvent Data Store connections. This allows GeoEvent to connect to an ArcGIS Enterprise or ArcGIS Server system without entering credentials into the GeoEvent Manager user interface. This approach works perfectly fine when testing Data Store connections and proving out the system, but it should not be viewed as a long-term solution. Tokens issued by ArcGIS Enterprise/Server are only valid for a maximum of two (2) weeks. Once a token expires, a new one must be generated and provided to GeoEvent. This process can be scripted (see Jake Skinner's article on scripting using the GeoEvent Admin API or my article on using the GeoEvent Admin API).


Since the lifespan of tokens cannot be controlled or extended, it is recommended that credentials be used when creating Data Stores in ArcGIS GeoEvent Server. Most customers will do one of the following. Please note that the choice depends on your use case and an understanding of how GeoEvent accesses content (Items) on an ArcGIS Enterprise system (please see this article on Integration for more information).


Single Admin User

When creating a Data Store in GeoEvent, use the credentials of the GeoEvent Administrator.  Since this person is the primary user of GeoEvent, it makes sense for them to own and maintain the connection and the content. In this case, any items in the Portal that are utilized by GeoEvent will need to be either public or owned by the GeoEvent Administrator.

'Headless' or 'Application' User for GeoEvent

In the remote system, create a new user that represents the GeoEvent application itself. When creating a Data Store in GeoEvent, use these GeoEvent Application credentials. If more than one person manages/maintains GeoEvent, each of these users will need to be able to log into the Enterprise system (not GeoEvent, because the credentials are cached in the Data Store connection for them) in order for them to own and maintain the content. In other words, any items in the Portal that are utilized by GeoEvent will need to be either public or owned by the GeoEvent Application user.


Data Store Connection Per GeoEvent Admin

If there are multiple GeoEvent Administrators and they don't want to share an account in the Enterprise or commingle their Items in Enterprise, then you will have to create a GeoEvent Data Store connection for each GeoEvent Administrator. Each GeoEvent Administrator will have their own sandbox of items they can use. GeoEvent Admins will not be able to see other users' Enterprise items, so long as they use their dedicated Data Store connection. You will need to enforce an honor policy that everyone only uses the Data Store connection that contains their own credentials, since there is no way to restrict access to a Data Store connection within GeoEvent.