Can Portal items be managed by security category?

TimMinter · ‎02-04-2016

Our organization operates under a business rule that requires data / information security categorization and appropriate treatment of the information based on its assigned category. Has anyone found a way to categorize a Portal item (e.g. a hosted feature layer) and then be able to manage what Portal capabilities can and can't be used with that item based on its categorization (e.g. category 3 item cannot be shared to everyone)?

A use case could be a scenario where business units add their confidential layer to a shared, collaboratively managed map. The Emergency Manager could have a panoptic view of the data (see all layers on the map), while the business units could only see their own confidential data and all other layers that can be shared across the business units.

Maybe this is an upcoming capability in ArcGIS Online and/or Portal for ArcGIS? Maybe it exists now, and I just haven't found it?

thx,

tim

MatthewBaber · ‎02-04-2016

Portal security is based on user not item. The way items are shared within organizations is then more dynamic instead of static hierarchy.

To accomplish what you are asking for may require an org restructure of your portal. The creation of specific groups and roles that define what each individual or groups of individuals can do with items shared to the groups of which they are a part. It is possible, for instance, to share an item to a singular group whom's members can only view (or other capabilities to your discretion the individual or group level) and not share the content from that group. This would be your "category 3" use case.

Basing security on identity allows portal to integrate with other identity based security systems such as Active Directory, and fundamentally allows for higher levels of customized security that much of our user base require. It is possible that in the future some itemized security might be introduced, but as it stands now this doesn't exist in the way you've described it.

I really hope this helps.

View solution in original post

MatthewBaber · ‎02-04-2016

Portal security is based on user not item. The way items are shared within organizations is then more dynamic instead of static hierarchy.

To accomplish what you are asking for may require an org restructure of your portal. The creation of specific groups and roles that define what each individual or groups of individuals can do with items shared to the groups of which they are a part. It is possible, for instance, to share an item to a singular group whom's members can only view (or other capabilities to your discretion the individual or group level) and not share the content from that group. This would be your "category 3" use case.

Basing security on identity allows portal to integrate with other identity based security systems such as Active Directory, and fundamentally allows for higher levels of customized security that much of our user base require. It is possible that in the future some itemized security might be introduced, but as it stands now this doesn't exist in the way you've described it.

I really hope this helps.

TimMinter · ‎02-04-2016

Thanks for confirming the current capabilities Matthew Baber, good info. Do you know if security by item is on the AGO / Portal development roadmap at this point?

We'd love to be able to set staff free and allow them to exercise their best professional judgement when using Portal. At the same time, we think that it's appropriate to try to help them avoid realizing some of their risks when sharing items categorized at a certain information security level (e.g. jail time, noteworthy fines, etc.). Kind of like providing a bridge over a river, including the guardrails.

tim

edit: next time i should proof-read before I click that big button...

MatthewBaber · ‎02-05-2016

Hi Tim,

I am unaware of any plans at this time to implement this type of security. If you log a support ticket through your MyEsri account - you can put in a request for future development.

Best,

Matt