As part of the current architecture we are implementing using ESRI portal, we seek your support in understanding whether ESRI supports such implementation scenarios or not.
We have multiple ArcGIS servers distributed across different domains; each server is related to a group of teams managing specific tasks and has access to specific data. All the servers are federated with the same ESRI portal and use LDAP SSO authentication from Active Directory, which is reflected on the Arc servers successfully.
The issue is we need an admin user for each Arcserver which can administrate the related actions on his assigned Arc-server only, without the ability to administrate the portal or see any data from all the other Arcserver admins.
At the same time, Portal admins are more of super admins: they should be able to assign users to be admins on each server or revoke such permissions and administrate ESRI portal. Still, they shouldn't be able to access or view any data or applications accessed/published by other admins on the portal.
We seek confirmation from ESRI experts on whether such an approach can be implemented using custom roles privileges or not (even if it will carry some customization on the portal itself, or workarounds).
I think the approach you are describing would be best segmented into two requirements.
One problem I see with this approach is an "administrator" could just add themselves to the corresponding group for fine access control on the Server site if they were wanting to access those resources unless you disallow adding/removal of group membership, so I'm not sure if those two (in combination) would fit your requirements exactly.
Hope that helps!