Restrict administrative permissions on certain mapservices

03-16-2017 09:48 AM
RiverTaig2
New Contributor II

Currently an ArcGIS Server site administrator can go into Manager and have full control over all map services. What I would like to do is enable a more fine-grained role-based security model so that some map services can be administered by certain users, but others cannot. For example, my Transportation group should be able to administer services relevant to it, but not services logically owned by the Landbase group.


Accepted Solutions
JonathanQuinn
Esri Notable Contributor

Unfortunately, administrators in a site can administer any service in the site, which is the same for publishers.  I'd suggest you check to see if an idea exists on the Ideas site and if not, create one.

If you federate Portal and Server, and you have multiple federated Servers that each department should publish to, you have the option to restrict publishing based on groups.  Then it uses the sharing model in Portal to control security, and you can add members to different groups to control who publishes to what server.  This is outlined in the Fine-grained access control of federated servers section in the documentation on federating.


5 Replies
ScottFierro2
Occasional Contributor III

So a start would be applying folder level permissions within Manager. http://server.arcgis.com/en/server/latest/publish-services/linux/about-gis-server-folders.htm

RiverTaig2
New Contributor II

Am I right in thinking though that the folder permissions you can set only apply to users being able to consume those map services?  What I need to do is control who can administer the service (e.g. start and stop them and maybe add capabilities such as enabling an SOE operation on them).

JonathanQuinn
Esri Notable Contributor

Right, exactly.  Permissions only apply to consuming services.  You may be able to control access to folders using an SOI, but I'm not sure.

ScottFierro2
Occasional Contributor III

So right and by administer I guess what exactly is it they need to be able to do? Delete a service or change published parameters?

Most published parameters can be edited by a user with publishing rights. So now it's just down to the ability to start/stop a service or delete it?

If it's either of those it sounds like stuff you could download the server admin toolkit (https://www.arcgis.com/home/item.html?id=12dde73e0e784e47818162b4d41ee340), nest an admin-level account inside of some Python, and then build out tools for each group to use. More effort on your end obviously, but seems like a doable solution since it's not a native option in ArcServer.

I was thinking more down the line of custom AD groups in which users are granted a role, but even that is limited because ArcServer lacks the custom-defined roles such as what is in ArcGIS Online. So even if you built a custom AD group populated with users and locked that folder down with the AD group, if that group is assigned to the admin role on the server they get it on everything regardless.

So it'd be multiple ArcServers with different users given admin or as Jonathan said consider an SOI.
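
One way to build the per-group wrapper suggested in the reply above, as an added example that is not part of the thread or of Esri's toolkit: a policy gate that allows only start/stop on folders delegated to the caller's group and logs every attempt. The group-to-folder mapping, the `admin_post` helper and the default `/arcgis/admin` context path are assumptions.

```python
import re

# Constructed policy: AD group -> server folders it may start/stop services in.
GROUP_FOLDERS = {"Transportation": {"Transportation"}, "Landbase": {"Landbase"}}
ALLOWED_OPS = {"start", "stop"}  # delete and edit are deliberately not exposed
SERVICE_TYPES = {"MapServer", "FeatureServer", "ImageServer", "GPServer"}
NAME_RE = re.compile(r"[A-Za-z0-9_]+")  # rejects '/', '..' and similar


class Denied(Exception):
    """Raised when a request falls outside the caller's delegated scope."""


def authorize(user_groups, folder, service, svc_type, op):
    """Return the Admin API path for an allowed request, else raise Denied."""
    if op not in ALLOWED_OPS:
        raise Denied(f"operation {op!r} is not delegated")
    if svc_type not in SERVICE_TYPES:
        raise Denied(f"unknown service type {svc_type!r}")
    if not (NAME_RE.fullmatch(folder) and NAME_RE.fullmatch(service)):
        raise Denied("folder or service name has unexpected characters")
    if not any(folder in GROUP_FOLDERS.get(g, ()) for g in user_groups):
        raise Denied(f"no group grants access to folder {folder!r}")
    return f"/arcgis/admin/services/{folder}/{service}.{svc_type}/{op}"


def run_operation(user, user_groups, folder, service, svc_type, op,
                  admin_post, audit):
    """Check policy, then call admin_post(path); record every attempt.

    admin_post is a hypothetical caller-supplied function that holds the
    admin token and POSTs to the server; end users never see the credential.
    """
    target = f"{folder}/{service}.{svc_type}"
    try:
        path = authorize(user_groups, folder, service, svc_type, op)
    except Denied as exc:
        audit.append((user, op, target, "DENIED", str(exc)))
        raise
    result = admin_post(path)
    audit.append((user, op, target, "OK", ""))
    return result
```

The wrapper holds a full administrator credential, so the host it runs on and its audit log need the same protection as the server's own admin account.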
