Hello!
Let's say I have 3 services: service1, service2 and service3 (each with 2 layers, but I don't think it matters). For each service I have editor tracking enabled. My Server is federated with Portal, so each time I publish a service it gets automatically added as an item in Portal. Server and Portal are version 10.5.
I want to properly assign permissions for each user, say: user1 has access to service1, service2 and service3, and user2 does not (while both have access to some other services). Both users are level 2 users, so they can edit data in all 3 services.
As far as I know, such permissions are set in ArcGIS Manager ([Arcgis Server]/arcgis/manager) and, in the case of a federated server, in Portal (it is possible to do that over the ArcGIS Server API, but any changes are reflected on the respective Portal item). Also I am aware that an item in Portal can be shared with a group, not with a role.
I tested 3 slightly different options; this is how:
I created a map (let's call it map1) as administrator, and I did not share it with anyone.
Now I open My Content on Portal, click Add Item->From the Web. I paste the URL of service2, and I get a popup similar to the one in the attachment. I choose "Store credentials" and fill in my administrator password - I expected that only the administrator could access that service. I named the created item "service2_stored".
Now I add service3 the same way as service2 in the previous point, but I choose not to store the credentials of my admin account. This way I created the item service3_notStored.
Next I open map1 in mapviewer ([Portal for Arcgis]/arcgis/home/webmap), click on Add->Search for Layers->Find "service1" in "My Content" (this is item automatically added to Portal when I published service), and it was never shared with anyone. Then I add service2_stored and service3_notStored in a similar way.
Now I log in as user2 and open map1 in the map viewer - I just copy the link from the browser, I did not bother to look for it in My Content. The first surprise is that user2 can access map1 at all - I expected some sort of insufficient permission error. Even more astounding, user2 was able to access and edit data in service1 and service3_notStored - although I never granted ANYONE permission to do it, on the Server or in Portal. Now the interesting part is that I was not able to access service2_stored, which is exactly what I wanted. My question is, why does this work differently when I store credentials???
I wanted to add all services the way I explained for service2_stored, but now I realized that when I do it, editor tracking assigns the username and password I stored. If I could just switch it so that it stores the user who actually made the changes, it would be enough to solve my problems.
Still, I think something is not working properly here. Did I forget some step?
Regards.
I guess I should close the topic, as it turned out the problem was due to my mistake.
To achieve my initial goal I had to create new custom roles (the aforementioned Admin, Editor and Advanced). It turned out that I had misunderstood the options when creating a role:
Hi GMV,
Your post is a little confusing, because I am not clear on your workflow. But I will try and address some of your individual statements:
> I want to properly assign permissions for each user, say: user1 has access to service1, service2 and service3, and user2 does not (while both have access to some other services). Both users are level 2 users, so they can edit data in all 3 services.
This statement seems to contradict itself. You say that user 2 does not have access to services 1-3, so it should not be able to edit any of them.
> Now I open My Content on Portal, click Add Item->From the Web. I paste the URL of service2, and I get a popup similar to the one in the attachment. I choose "Store credentials" and fill in my administrator password - I expected that only the administrator could access that service. I named the created item "service2_stored".
Q: How was security set for service 2? It is not clear if this service is from a federated or non-federated Server site.
Once you save credentials to access a secured service with the Portal item, any Portal member who has access permissions to the item will be able to access its content, because you saved the credentials with it.
> Now I add service3 the same way as service2 in the previous point, but I choose not to store the credentials of my admin account. This way I created the item service3_notStored.
Q2: Again, it is not clear how security was set for service 3.
In this case, when a Portal member who has access permissions to the Portal item attempts to access its content, they will be prompted to provide login credentials to view service 3.
> Next I open map1 in mapviewer ([Portal for Arcgis]/arcgis/home/webmap), click on Add->Search for Layers->Find "service1" in "My Content" (this is item automatically added to Portal when I published service), and it was never shared with anyone. Then I add service2_stored and service3_notStored in a similar way.
Q3: Did you explicitly save the web map? If so, did you share this saved web map so user2 has permissions to access it?
> Now I log in as user2 and open map1 in the map viewer - I just copy the link from the browser, I did not bother to look for it in My Content. The first surprise is that user2 can access map1 at all - I expected some sort of insufficient permission error. Even more astounding, user2 was able to access and edit data in service1 and service3_notStored
Again, not clear on your specific workflow.
Q4: Was this the same web browser, but a different tab? I suspect that perhaps the administrator login was cached in the browser.
> I wanted to add all services the way I explained for service2_stored, but now I realized that when I do it, editor tracking assigns the username and password I stored.
This is expected behavior.
Hope this helps,
Ok, I will try to explain the situation + workflow a bit better. Of course my environment is the same:
One ArcGIS Server (where I publish the services) federated with one Portal for ArcGIS (where I have items).
I have 3 users (all level 2 in Portal)
I have two services:
My environment is:
What I want to achieve?
To have a Web Map: Map, where I want to add Service1 and Service2. However, Service2 should only be visible and editable by Advanced. Furthermore, I want to have editor tracking for those services.
What I did in order to achieve that?
Using Admin, I published Service1 and Service2. I shared Service1 to Editor and Advanced, and Service2 only to Advanced. I created a map where I added Service1 and Service2.
What I see?
I log in as Editor and I see/can edit Service1 (I want this) and Service2 (I don't want this), I log in as Advanced and I see/can edit Service1 and Service2 (those are fine). I expect to see/edit only with Advanced.
Because that was not working I tried the following:
Instead of using Service2 straight from the Portal item which is automatically generated because the Server is federated, I grab the service definition URL from the Server and try to create a new Portal item from it.
When I do so, I have the two possibilities shown in the attachment, so just out of curiosity I published Service2_credentials and Service2_no_credentials following both of the options from the attachment.
After adding those, again, I shared Service2_* only with Advanced.
Following that, I added Service2_* to Map.
My surprise now is that although Service2, Service2_credentials and Service2_no_credentials have the same sharing rules,
now I log in as Editor to the map and I see/can edit:
Thus, I said, weird but perfect. Let's just keep Service2_credentials. However, I recognized that by doing so, editor tracking will always be assigned to the "saved credentials", so we are not tracking the real editor. I know that this is expected behaviour, but that is why we cannot use this particular method.
I'm wondering if there's any way to obtain what I want.
Thanks for the reply.