Permissions for federated server seem to be not working

1301
3
Jump to solution
10-26-2017 03:51 AM
GMVGMV
by
New Contributor II

Hello!

 

Lets say I have 3 services: service1, service2 and service3 (each with 2 layers, but I don't think it matters). For each service I have editor tracking enabled. My Server is federated with Portal, so each time I publish a service it gets automatically added as an item in Portal. Server and Portal are version 10.5.

I want to properly assign permissions for each user, say: user1 has access to service1, service2 and service3, and user2 does not (while both have access to some other services). Both users are level 2 users, so they can edit data in all 3 services.

As long as I know such permissions are set in arcgis manager ([Arcgis Server]/arcgis/manager) and in case of federated server in Portal (it is possible to do that over Arcgis Server api, but any changes are reflected on respective Portal item). Also I am aware, that an item in Portal can be shared with a group, not with a role.

I tested 3 slightly different options, this is how:

I created a map (lets call it map1) as administrator, and I do not share it with anyone.

Now I open My Content on Portal, click Add Item->From the Web. I paste url of service2, and I get a popup similar to the one in the attachment. I choose "Store credentials" and fill in my administrator password - I expected only administrator can access that service. I named the created item "service2_stored".

Now I add service3 the same way as service2 in previous point, but I choose to not store credentials of my admin account. This way I created item service3_notStored.

Next I open map1 in mapviewer ([Portal for Arcgis]/arcgis/home/webmap), click on Add->Search for Layers->Find "service1" in "My Content" (this is item automatically added to Portal when I published service), and it was never shared with anyone. Then I add service2_stored and service3_notStored in a similar way.

Now I log in as user2 and open map1 in mapviewer - I just copy the link from the browser, I did not bother to look for it in My Content. First suprise it that user2 can access map1 at all - I expected some sort of insufficient permission error. Even more astounding, user2 was able to access and edit data in service1 and service3_notStored - although I never granted ANYONE permission to do it, on the Server or Portal. Now the interesting part is that I was not able to access service2_stored, which is exactly what I wanted. My question is, why does this work differently when I store credentials???

I wanted to add all services the way I explained service2_stored, but now I realized when I do it, the editor tracking assigns username and password I stored. If I could just switch it, so it stores user who actually made the changes, it would be enough to solve my problems.

Still, I think something is not working properly here. Did I forget about some step?

Regards.

0 Kudos
1 Solution

Accepted Solutions
GMVGMV
by
New Contributor II

I guess I should close the topic, as it turned out the problem was due to my mistake.

To achieve my initial goal I had to create new custom roles (aforementioned Admin, Editor and Advanced). It turned out that I misunderstood options during creating role:

I thought if I select them user will be able to see content only if it is shared with him, not see literally all services in the system. When I unchecked these options previously visible services disappeared.
Maybe this will help someone.
BR

View solution in original post

0 Kudos
3 Replies
DerekLaw
Community Moderator

Hi GMV,

Your post is a little confusing, because I am not clear on your workflow. But I will try and address some of your individual statements:

> I want to properly assign permissions for each user, say: user1 has access to service1, service2 and service3, and user2 does not (while both have access to some other services). Both users are level 2 users, so they can edit data in all 3 services.

This statement seems to contradict itself. You say that user 2 does not have access to services 1-3, so it cannot be able to edit any of them.

> Now I open My Content on Portal, click Add Item->From the Web. I paste url of service2, and I get a popup similar to the one in the attachment. I choose "Store credentials" and fill in my administrator password - I expected only administrator can access that service. I named the created item "service2_stored".

Q: How was security set for service 2? It is not clear if this service is from a federated or non-federated Server site.

Once you save credentials to access a secured service with the Portal item, then any Portal member who has access permissions to the item, will be able to access its content, because you saved credentials with it.

> Now I add service3 the same way as service2 in previous point, but I choose to not store credentials of my admin account. This way I created item service3_notStored.

Q2: Again, it is not clear on how security was set for service 3?

In this case, when a Portal member who has access permissions to the Portal item attempts to access its content, they will be prompted to provide login credentials to view service 3.

> Next I open map1 in mapviewer ([Portal for Arcgis]/arcgis/home/webmap), click on Add->Search for Layers->Find "service1" in "My Content" (this is item automatically added to Portal when I published service), and it was never shared with anyone. Then I add service2_stored and service3_notStored in a similar way.

Q3: Did you explicitly save the web map? If so, did you share this saved web map so user2 has permissions to access it?

> Now I log in as user2 and open map1 in mapviewer - I just copy the link from the browser, I did not bother to look for it in My Content. First suprise it that user2 can access map1 at all - I expected some sort of insufficient permission error. Even more astounding, user2 was able to access and edit data in service1 and service3_notStored

Again, not clear on your specific workflow.

Q4: Was this is the same web browser, but a different tab? I suspect that perhaps the administrator login was cached in the browser.

> I wanted to add all services the way I explained service2_stored, but now I realized when I do it, the editor tracking assigns username and password I stored.

This is expected behavior.

Hope this helps,

GMVGMV
by
New Contributor II

Ok, I will try to explain the situation + workflow a bit better. Of course my environment is the same:

One ArcGIS Server (where I publish the services) federated with one Portal for ArcGIS (where I have items).

 

I have 3 users (all level 2 in Portal)

 

  • Admin
  • Editor
  • Advanced

 

I have two services:

  • Service1
  • Service2

 

My environment is:

  • ArcGIS for server federated with Portal with data for Services coming from a registered Data Store (database).

 

What I want to achieve?

To have a Web Map: Map where I want to add Service1 and Service2. Although Service2 should only be visible and editable by Advanced. Furthermore, I want to have editor tracking for those services.

 

What I did in order to achieve that?

Using Admin, I published Service1 and Service2. I shared Service1 to Editor and Advanced, and Service2 only to Advanced. I created a map where I added Service1 and Service2.

 

What I see?

I log in as Editor and I see/can edit Service1 (I want this) and Service2 (I don't want this), I log in as Advanced and I see/can edit Service1 and Service2 (those are fine). I expect to see/edit only with Advanced.

 

Because that was not working I tried the following:

Instead of using the Service2 straight ahead from the Portal Item which is automatically generated because of the Server being federated, I grab the Service definition URL from the Server and I try to create a new Portal item from it.

When I do so, I have the two possibilities shown in the attachment, so just out of curiosity I published Service2_credentials and Service2_no_credentials following both of the options from the attachment.

After adding those, again, I shared Service2_* only with Advanced.

Following, I added Service2_* to Map.

 

My surprise now is that altough Service2, Service2_credentials and Service2_no_credentials have the same Sharing rules.

Now I log in as Editor to the map and I see/can edit:

  • Service1 (expected)
  • Service2 (not expected)
  • Service2_no_credentials(not expected) - it does not prompt me for credentials; maybe it uses Editor, even though it is not shared with Editor?
  • I cannot see and I cannot edit Service2_credentials (expected).

 

Thus, I said, weird but perfect. Let's just keep Service2_credentials. However, I recognized that by doing so, editor tracking will always be assigned to the "saved credentials", so we are not tracking the real editor. I know that this is expected behaviour, but that is why we cannot use this particular method.

 

I'm wondering if there's any way to obtain what I want.

 

Thanks for the reply.

0 Kudos
GMVGMV
by
New Contributor II

I guess I should close the topic, as it turned out the problem was due to my mistake.

To achieve my initial goal I had to create new custom roles (aforementioned Admin, Editor and Advanced). It turned out that I misunderstood options during creating role:

I thought if I select them user will be able to see content only if it is shared with him, not see literally all services in the system. When I unchecked these options previously visible services disappeared.
Maybe this will help someone.
BR

View solution in original post

0 Kudos