I am just looking for some advice on how everyone else deals with public and private maps in ArcGIS Portal.
We use Portal instead of Online as this gives us more flexibility with Server and also means we can do geocoding and processing on premise, meaning we don't use any Online Credits.
How does everyone else go about securing maps and apps so they are only available internally within your organisation?
I would like some maps to be available internally but not to the general public. We don't have enough licences to provide every member of staff with a login. We also do publish some public maps, so we need the ability to do this, meaning we can't hide all of our apps / maps behind our firewall.
If anyone could let me know how you overcome similar issues your help would be much appreciated.
You could share the maps with your organization (Portal) or groups. For sharing with the public, share the items with everyone. Share items—Portal for ArcGIS | ArcGIS Enterprise
You have several options for sharing your items:
- Everyone—Sharing with everyone makes your item public; anybody who has access to the portal website can find and use it, and group owners can include it in their group content.
- Your portal—To ensure only members of your portal have access to an item, you can share it with just your portal.
- Groups—If you are a member of a group, you can share your item with that group. Sharing with specific groups restricts access to a smaller, more focused set of people.
- Everyone and a group—If you want to share thematic content with a subset of users or organize your content into a collection of items, but you also want everyone to have access to your item, you can share an item with a group and with everyone. This is especially appropriate for focused group work where all members benefit from seeing a list of specific content they can use for collaboration and exchange. For example, as a fire agency that produces burn maps, you want the general public to find and view the maps, but you also want members in the fire agency group to use the maps as templates for creating their own local versions.
- Groups and your portal or everyone—You can share an item with a larger audience (everyone or your portal) and also share it with a specific group. This allows you to categorize your item as especially relevant to a particular group while still making it available to others in your organization.
To learn more about how to secure your portal, see About configuring portal authentication to get started.
To reduce the vulnerability of your portal, you should follow best practices such as disabling anonymous access to the portal. Some of these recommendations are outlined in Security best practices.
Portal works well for what you want with the exception of fully public maps.
But that's what AGOL is for.
To let all users inside your firewalls access maps, you just share them to everyone and make sure you have anonymous access allowed. Of course, any user inside your firewall should already be authenticated on your network. And the general public shouldn't be allowed inside your firewalls so the term "everyone" on a Portal means everyone in the company.
This gets trickier if you really want to publish public maps for the general population.
Your best bet is to publish those maps to AGOL. Again, published to everyone with anon access allowed.
And in this case, you're really publishing to everyone.
If you're going to allow the general public inside your firewalls, chances are you're going to be up against it with your IT guys. It would mean punching a hole in your firewalls that would destroy your security.
I understand that you can do this by standing up a Portal out in a DMZ zone. Then you have to deal with proxies, etc. in order to securely communicate with your internal Portal. This is not a trivial setup.
Without a really compelling reason, it seems to me that AGOL is the obvious solution for any public facing maps.
I have a hard time even thinking up a scenario where I'd want to publish for the general public and not do it on AGOL.
Especially with the new 10.5.1 communication methods across Portals, AGOL, etc...
Best of luck, hope this helped some.
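The point made above, that "Everyone" on a Portal only means the general public when anonymous access is on and the portal is reachable from outside the firewall, can be turned into a quick audit. This is an added example, not code from the thread or from Esri: it works over constructed, trimmed copies of the `portals/self` and `search` REST responses (the portal `access` field being `private` when anonymous access is disabled is assumed from the REST API documentation) and classifies each item's effective audience.

```python
import json

# Constructed sample of GET /sharing/rest/portals/self?f=json (trimmed to
# the one field used here). "access": "private" means anonymous access to
# the portal is disabled; "public" means anonymous users can reach it.
PORTAL_SELF = json.loads('{"name": "Example Portal", "access": "private"}')

# Constructed sample of GET /sharing/rest/search?q=*&f=json (trimmed).
# Item "access" is one of private | shared (to groups) | org | public.
SEARCH_RESULTS = json.loads("""{"results": [
  {"id": "a1", "title": "Burn Maps",      "type": "Web Map",         "access": "public"},
  {"id": "b2", "title": "Asset Register", "type": "Web Map",         "access": "org"},
  {"id": "c3", "title": "Draft Survey",   "type": "Feature Service", "access": "shared"},
  {"id": "d4", "title": "Scratch",        "type": "Web Map",         "access": "private"}
]}""")


def effective_audience(item_access, portal_access, internet_reachable):
    """Who can actually open an item, given its sharing level, whether the
    portal allows anonymous access, and whether the portal is reachable
    from outside the firewall."""
    if item_access in ("private", "shared"):
        return "owner-or-groups"          # never wider than named users
    if item_access == "org":
        return "named-users"              # 'Your portal' sharing
    if item_access == "public":
        if portal_access == "private":
            return "named-users"          # 'Everyone' collapses to signed-in users
        return "internet" if internet_reachable else "internal-network"
    raise ValueError(f"unknown item access level: {item_access!r}")


def audit(portal_self, search_results, internet_reachable):
    """Map each item id to its effective audience (missing portal access
    field is treated as the worst case, anonymous access enabled)."""
    portal_access = portal_self.get("access", "public")
    return {
        item["id"]: effective_audience(item["access"], portal_access, internet_reachable)
        for item in search_results["results"]
    }


def internet_exposed(portal_self, search_results, internet_reachable):
    """Ids of items the general public could open; these are the candidates
    the thread suggests publishing to ArcGIS Online instead."""
    audiences = audit(portal_self, search_results, internet_reachable)
    return sorted(i for i, a in audiences.items() if a == "internet")


if __name__ == "__main__":
    print(audit(PORTAL_SELF, SEARCH_RESULTS, internet_reachable=False))
    print(internet_exposed({"access": "public"}, SEARCH_RESULTS, True))
```

Against a live portal you would replace the two constructed samples with the JSON returned by the same two endpoints; the classification logic stays the same.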
Paul Davidson is right about the firewall so if that is set up correctly then sharing to 'Everyone' means you are sharing only to users in your network domain. And the firewall should prevent users outside the firewall from seeing your Portal at all.
If your Portal is set up using a federated ArcGIS Server with DataStore then you are restricted to your named users if you want to control access to feature layers, web maps, and web map applications.
If you have access to a non-federated ArcGIS Server instance then you have finer access control. As an example, if you publish map services to the non-federated AGS instance you could then assign permissions to those map services using Windows Active Directory groups. Wire up the non-federated map services as "Map Images" in your portal and then include those in a web map. In Portal share the web map and associated "Map Images" to Everyone. The result is that the web map will render but the web map layers will only appear for those who were granted permission to the map services in the non-federated AGS instance.