Our organization is actively testing an ArcGIS Enterprise solution and we plan to build many federated servers to host 'user managed data' (think file geodatabases or Enterprise geodatabases that are usually part of some sort of data standard and have a fairly defined data lifecycle). The federated servers may be set up based on our organization units (think a server for each major 'office' or 'program') and we plan to set up the federated servers with Restricted Publishing to prevent staff from 1 office from publishing in another office's environment. Reference: Administer a federated server—Portal for ArcGIS (10.6) | ArcGIS Enterprise
This is all fine so far, and allows us to restrict our publishers so they only have access to the server we have set up for them. However, it seems that a member who is in a portal role that has the publish server-based layers privilege granted can publish to the hosting server.
A couple of our staff members (including myself) have inadvertently published to the hosting server and, as a result, the memory utilization was quite high, causing cascading performance impacts.
Hence the question:
Is there a way to set up the hosting server with 'restricted publishing' like you can a federated server?
Basically want to restrict any 'federated services' and designate this server exclusively for the hosted services.
Thank you for posting this question. When configuring a distributed enterprise environment, only one designated federated server can be configured as the hosting server. This is currently how the enterprise software is deployed. Such a configuration also requires use of the ArcGIS Data Store product to be configured with an ArcGIS Server and will be set as the managed database. To reiterate, you can have as many federated servers as you are able to allocate. However, there can be only one hosting server. In order to control publishing, this would be done through the use of Portal Roles. I hope this information is helpful.
Thanks for the response. We do have 1 'federated/hosted' server set up with a back-end data store like you describe. We also have a few federated servers set up with 'restricted publishing' (controlled with portal groups).
The real issue we are running into is that users who are publishing to the 'restricted publishing federated server' are also technically allowed to publish "full featured services" (think 'non-hosted' feature services) to the hosting server.
So the question is: Is there a way to restrict users from publishing "full featured services" to the hosting server if those users have the privilege to 'publish server based layers'?
Similar to setting up a federated feature server with 'restricted publishing'. Maybe control permissions via a portal group?
To my knowledge, restricting users' ability to publish to a particular machine is outside of the current security settings of the software. Perhaps this might be better accomplished at the domain level through either network rules or domain group policies.
It's possible to restrict publishing to a federated server by setting the server role to "Federated Server With Restricted Publishing" - Administer a federated server—Portal for ArcGIS (10.6) | ArcGIS Enterprise
We have tested that and it works pretty well for federated servers. However, there is no similar setting for a 'hosted server with restricted publishing'. Meaning all users who have the portal privilege to 'publish server based layers' can publish those server based layers to the hosting server.
This is not ideal if users publish 'server based layers' to the hosting server and is adding additional load to the system that it was not designed for. We want to keep the hosting server EXCLUSIVELY for hosted services, and no 'server based layers'.