Any way to secure access to portal and control who can create a group?

11-14-2013 12:38 PM
LoriSemmes
Emerging Contributor
We are using Active Directory and a federated server configuration. Currently anybody who hits our Portal URL becomes a user in Portal; is there a way to prevent that? Any best practices? Also, is there any way to configure security for who can create a group? Our biggest problem is if we only have so many "named user" licenses and anybody can get into Portal by clicking a link, how do we control that across the Enterprise with thousands of employees?
0 Kudos
3 Replies
JacobBoyle
Deactivated User
0 Kudos
LoriSemmes
Emerging Contributor
Thank you, I am looking at this as an option for Portal access. Once a user has Portal access, is there any way to restrict access to who can create a group?
0 Kudos
WilliamCraft
MVP Alum
Any member of the Portal can create groups.  Group owners decide who can find their groups, if others can request to join, and who can contribute content.  They also have control over items shared to the group and can invite others to join, even if their group doesn't accept membership requests.  Members with the Administrator role can do any of this as well. 

Source: http://resources.arcgis.com/en/help/main/10.2/index.html#/Creating_groups/017s00000076000000/

To answer your Group-related question directly, there is not a way to restrict who can create groups.  Once you're in, you're in. 


As far as restricting access to Portal, there is an option to allow anonymous access versus not, but that only gets you so far.  As you mentioned, once a person hits the Portal URL then their domain account automatically generates a new account.  I was not able to restrict the pool of users in my domain to a specific set of AD groups; I tried doing this by using the LDAP configuration and specifying a container name (CN) in the LDAP string but I was not successful.  Portal wouldn't respect the filter I tried to add, though this type of configuration works in other non-Esri software such as GeoPortal.

Anyways, another option for you might be to modify the web.config file of the Portal web adaptor to restrict access to a specific set of AD groups.  So, if a domain user who isn't in one of those groups tries to request the Portal URL then they would get a 401 or 403 error.  This is not something that Esri supports most likely, but it's technically possible.  It's not elegant either, but if you wanted to get really clever then you could re-direct those failed requests to another page of your choice.  As a reference, I'm talking about something like this: http://stackoverflow.com/questions/3195608/net-set-active-directory-security-via-web-config-only.  The redirect capability might also be feasible with the IIS Redirect Module.
0 Kudos
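
The web.config approach described in the reply above, as an added example that is not part of the original thread and is not Esri's own configuration. It assumes the Portal web adaptor runs as an ASP.NET application on IIS with Windows Authentication enabled and Anonymous Authentication disabled; the domain and group names are constructed placeholders.

```xml
<!-- Added example: fragment to merge into the web adaptor's existing web.config,
     not a replacement for the whole file.
     CONTOSO\GIS_Portal_Users and CONTOSO\GIS_Portal_Admins are constructed
     placeholder names; substitute the AD groups that should hold named-user seats. -->
<configuration>
  <system.web>
    <!-- Assumption: the IIS site already uses Windows Authentication, so every
         request arrives with a domain identity that can be checked against groups. -->
    <authentication mode="Windows" />
    <authorization>
      <!-- Rules are evaluated top-down and the first match wins,
           so the allow entries must come before the catch-all deny. -->
      <allow roles="CONTOSO\GIS_Portal_Users" />
      <allow roles="CONTOSO\GIS_Portal_Admins" />
      <!-- Everyone else, authenticated or anonymous, is refused at the web tier. -->
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```

Because the deny rule is applied by the web adaptor's site, a domain user outside the listed groups is rejected before the request is forwarded to Portal. Requests that reach Portal by a path other than the web adaptor are not covered by this file.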