ESRI portal custom rules supporting multiple Admins on a distributed Arc servers federated to the same ESRI portal

11-26-2020 01:12 AM
New Contributor

Hello everyone,

As part of current architecture we are implementing using ESRI portal, we seek your support on understanding weather ESRI support such implementation scenarios or not.

We have multiple ArcGIS servers distributed across different domains, each server is related to group of teams managing specific tasks and have access to specific data,  all the servers are federated with the same ESRI portal and using LDAP SSO authentication from active directory which is reflected on the Arc servers successfully.

The issue is we need an admin user for each Arcserver which can administrate the related actions on his assigned Arc-server only, without the ability to administrate the portal or see any data from all the other Arcserver admins.

At the same time Portal admins are more of a super admins they should be able to assign users to  be admins on each server or revoke such permissions and administrate ESRI portal, still they shouldn’t be able to access or view any data or applications accessed/ published by other admins on  the portal.

We seek the confirmation from ESRI experts whether such approach can  be implemented using custom roles privileges? or not (even if it will carry some customization on the portal itself- or workarounds)


0 Kudos
2 Replies
Esri Contributor

Hi @AhmedAbdelNasser,

I think the approach you are describing would be best segmented into two requirements.

  1. Restrict administrative/publishing access to a specific federated ArcGIS Server site.
    • I believe this can be accomplished by using fine-grained access control on the federated server site: Fine-grained access control of federated servers
    • This would be dependent on group membership, not a custom role, so a member could potentially belong to multiple groups and allowed to administer multiple ArcGIS Server sites that are federated with the Portal.
  2. Create a Portal for ArcGIS "administrator" role that only has the privileges to manage user group membership.

One problem I see with this approach is an "administrator" could just add themselves to the corresponding group for fine access control on the Server site if they were wanting to access those resources unless you disallow adding/removal of group membership, so I'm not sure if those two (in combination) would fit your requirements exactly.

Hope that helps!

-- Chris Pawlyszyn
New Contributor

Thanks Christopher,

Will check further the mentioned urls and will keep this post updated.


0 Kudos