Restrict the Pool of Portal Users to Specific Windows or LDAP Domain Groups

472
2
12-18-2013 05:35 AM
Status: Open
WilliamCraft
MVP Regular Contributor
The Idea
Provide better security restrictions with Portal for ArcGIS in terms of allowing access only to certain Windows AD groups of users or to specific LDAP common names (CN) and organizational units (OU) of users.
 
The Background
There appears to be a limitation with respect to the initial pool of individuals who can access Portal for ArcGIS to begin with.  More specifically, it is not possible to restrict Portal to a specific set of Windows domain AD groups of users or to specific LDAP common names and organization units within a network using the out-of-the-box configuration settings available in the 10.2 release.  What this means is that anyone who has a user account on the domain will be able to gain initial access to the Portal website.  As a result, they will automatically get an account created when they initially request the site for the first time, which is Esri’s intended behavior.  While all user accounts that get created this way are only assigned basic access (“User” privileges) by default, and while those new accounts can see only content that are assigned to their user account specifically or content that is meant to be shared publicly to all Portal users, it is not preferable to allow access to any user account simply because they have an account on the domain.  
 
The Challenge
Despite the setting in Portal which enables you to disallow anonymous access to Portal, this only gets you so far in terms of being able to block access to the application from non-GIS users who are on the domain.  In larger organizations especially, where there are hundreds or thousands of users on the domain, there are business cases where GIS administrators would not want just anyone to be able to access the Portal site and automatically generate an account for himself or herself.  
 
The Technical Suggestion
Per the screenshot below, the following suggestions apply to the portal-config.properties file under the C:\Program Files\ArcGIS\Portal\etc directory:

0EME0000000Tirv
 
If LDAP is the method of choice, the Portal application should honor the specified common names (CN) and organization units (OU) and therefore allow access only to the domain users within those defined entities.  The first red box is intended to show that Portal access should only be allowed for user accounts who are within the GIS-ELECTRIC and GIS-GAS domain groups under the GIS_users common name on the domain.  
 
If Windows is the method of choice, the Portal application should provide a new configuration line item such as idp.groups where administrators can specify Windows AD groups in a comma-separated format, for example.  The second red box is intended to show that Portal access should only be allowed for user accounts who are within the GIS-ELECTRIC and GIS-GAS domain groups.  
2 Comments
mattwilkie
I would like to see this same ability in ArcGIS Server itself and not just in Portal, and for exactly the same business reasons. We're only responsible for serving users in our own department, which represent perhaps only 15-20% of the total organization by staff numbers.

On the admin side it's a lot of overhead to wade through so much user and group noise, >80% for us,  to get to those you accounts or roles you need to do something with.

I think there's also a perfomance penalty being paid traversing the whole Active Directory tree/forest when only specific OUs are actually important.
ThomasColson

The problem with the way PTL queries AD, is, if in a big organization, it queries the ENTIRE forest, which, in a big org, can result in login waits of up to 20 minutes.