custom identity stores deprecated

08-08-2019 03:40 AM
New Contributor III

It looks like custom identity stores are deprecated in 10.7+

Set up a custom identity store using ASP.NET—ArcGIS Server Administration (Windows) | ArcGIS Enterpr... 

What will be a suitable alternative moving forward to connect ArcGIS Server to my custom application's identity/roles store?  My specific needs are to restrict access to services based on membership of roles that are stored in my database.  I'm assuming the identity of the user can be managed jointly somehow.

It looks like I could replicate changes in my store by pushing them into ArcGIS via the REST API, but this seems fragile.

Thanks for the advice, Matt

1 Reply
Occasional Contributor III

In addition to the link you provided, this one also mentions the removal, but provides no reasoning or justification, which only makes the situation all the more frustrating as we watch the investment in our custom providers go to waste:

What's new in ArcGIS Server 10.8—Documentation | Documentation for ArcGIS Enterprise 

Custom identity stores are a very valuable feature that allow us to link map service permissions to application permissions.  In this way, we only have to maintain a single ACL.  Without it, we have to maintain duplicate ACLs: one for application permissions, and the other for map service permissions because the latter does not imply the former.  This alone is an administrative headache, but these ACLs will undoubtedly get out of sync which only compounds the problem, especially if you have to manage multiple, separate installations.

Unless these are brought back, developing some automated tool that translates the application ACL to ArcGIS Server via the REST API on a periodic or ad hoc basis is about as good as it's going to get...which is too bad, because it's already been proven that it could be so much better.

0 Kudos
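
The ACL translation both posts describe can be planned as a diff before anything is sent to the server. The sketch below is an added example, not code from either poster or from Esri; it assumes ArcGIS Server uses its built-in role store, that the users already exist there, that synced roles share a hypothetical `app_` prefix, and that the operation paths match the Administrator API for your version.

```python
from typing import Dict, List, Set, Tuple

Acl = Dict[str, Set[str]]        # role name -> usernames
Op = Tuple[str, Dict[str, str]]  # (admin operation path, form parameters)

MANAGED_PREFIX = "app_"  # assumption: the sync job owns only roles with this prefix


def plan_sync(app_acl: Acl, server_acl: Acl) -> List[Op]:
    """Return ordered operations that make the server's managed roles match app_acl.

    Revocations are ordered first, so an interrupted run never leaves a user
    with access the application has already withdrawn.
    """
    if not app_acl:
        # An empty source usually means the database query failed.
        raise ValueError("application ACL is empty; refusing to sync")
    outside = sorted(r for r in app_acl if not r.startswith(MANAGED_PREFIX))
    if outside:
        raise ValueError(f"roles outside managed prefix: {outside}")

    # Roles created by hand on the server (no prefix) are never touched.
    managed = {r: u for r, u in server_acl.items() if r.startswith(MANAGED_PREFIX)}
    revoke: List[Op] = []
    grant: List[Op] = []

    # Managed roles that no longer exist in the application are removed.
    for role in sorted(managed.keys() - app_acl.keys()):
        revoke.append(("security/roles/remove", {"rolename": role}))

    for role in sorted(app_acl):
        wanted = app_acl[role]
        current = managed.get(role)
        if current is None:
            grant.append(("security/roles/add", {"rolename": role}))
            current = set()
        stale = sorted(current - wanted)
        missing = sorted(wanted - current)
        if stale:
            revoke.append(("security/roles/removeUsersFromRole",
                           {"rolename": role, "users": ",".join(stale)}))
        if missing:
            grant.append(("security/roles/addUsersToRole",
                          {"rolename": role, "users": ",".join(missing)}))
    return revoke + grant


if __name__ == "__main__":
    # Constructed sample data, not taken from any real deployment.
    app = {"app_editors": {"alice", "bob"}, "app_viewers": {"carol"}}
    server = {"app_editors": {"alice", "mallory"}, "app_old": {"dave"}, "gis_admins": {"root"}}
    for path, params in plan_sync(app, server):
        print(path, params)
```

Logging the returned plan on every run gives a record of drift between the two ACLs, which is the failure the reply warns about.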