Named Users?

Hi Lucas,

"I understand that if I create a map using Portal, I can make that site available to anyone in my organization without additional named user accounts.  However, if I only want certain people or groups in my organization to see the map, each person needs to be a named user.  Is that right?"

Yes, that is correct.

"To keep the maps locked down so they're only accessible by the appropriate Division, I'd basically need everyone in the Department (>6,000 employees) to have their own name user accounts?"

I would suggest that you discuss your requirements with your local Esri account manager to assist in addressing this requirement. Another approach you may want to consider: instead of having your Portal end users go to the Portal website to find map information products, you could aggregate your Portal content into 7 groups (one per Division). Then leverage the Group Gallery function or embed the Group into a web page used by each Division. In this way, your Portal end users would only be aware of the content in the Group that concerns them and would not even be aware of the content in the other Groups. Please see this help doc "Share groups" for more info.

Hope this helps,

Thank you.  That helps.

Derek,

  If they have ArcGIS Server could they apply security to the map service(s) through a Windows domain group?  So anyone in their agency could get to the portal web site but only those in the windows group would see the restricted data.  Not perfect but no named users needed in this model.

Hi Randy,

I'm not exactly sure what your workflow is, as the description in your post is somewhat vague. I suppose you could create a web map that references secured web services, then share the web map with "everyone". In which case, the web map would be visible 'publicly' in your Portal for ArcGIS instance. Therefore, you would not need to be a named user to see and access the web map. But when an end user attempts to view the web map, the secured web services would prompt the user to provide credentials to see their content. Is this what you are looking for?

Hope this helps,

Hi Randy and Derek,

FYI, I tried this workflow where I created a Portal map application that consumed ArcGIS for Server (AGS) services secured using Web Tier authentication.  The Portal site is unfederated so I don't have to use named user accounts.  What I found was if the Portal application references any services the user is not permitted to access, the map application won't load.  For example, if the map includes 1 or more secured services and I am not permitted to view some or all of them, then the application fails to load any services.  I could be doing something wrong (I'm new to all of this) but that's what I've found.  Hopefully I didn't miss anything but let me know if more details are needed.

Hi Lucas,

Not sure I understand what you mean when you say:

> "The Portal site is unfederated so I don't have to use named user accounts."

Portal for ArcGIS always uses named user accounts, whether a Server site is federated with it or not.

> "What I found was if the Portal application references any services the user is not permitted to access, the map application won't load.  For example, if the map includes 1 or more secured services and I am not permitted to view some or all of them, then the application fails to load any services."

Can you please elaborate? Does the web app not load at all? If this is the case, what do you see? Is there an error message? Can you provide a screen capture? Or do you mean that the web app loads, but none of the secured web services display in the web app?

Hi Derek,

What I meant by unfederated is Portal and AGS are set up so service authentication is handled by AGS and, therefore, each user accessing a web application does not need a named user account.  In a federated model, Portal uses named user accounts to authenticate whether a user can access a web application and it's services.  I may be using the term "unfederated" incorrectly but that's how I've seen it referred to in other posts.  You're right that Portal still uses a named user account but only for the person building the web applications.

The web app loads, including the basemap, but none of the services load.  For example, if I have an app that references 2 services and I'm permitted to see one but not the other, Portal won't load either one.  FYI, I've only tested this where both services are coming from the same AGS and, as stated above, AGS is handling the service authorization using web tier authorization and IIS.

Hi Lucas,

I just personally tested the following to try and replicate the behavior you're reporting:

In the Portal for ArcGIS map viewer, I added 2 web services: one was secured (service A), one was not secured (service B). Both web services are from the same ArcGIS Server site configured with web tier authentication and the Server site is not federated with Portal. Saved the web map and accessed Web AppBuilder (embedded in Portal) to create a new web app for the web map. When I launch the web app, I am prompted to provide credentials for the secured web service (service A), when I don't provide correct credentials or click Cancel, service B still loads in the web app.

So I don't see the issue you've reported:

"The web app loads, including the basemap, but none of the services load."

Perhaps you've misconfigured a security setting somewhere?

Please check you settings with the help topic: Securing web services with Integrated Windows Authentication—Documentation (10.3 and 10.3.1) | ArcGI...

Thanks for the reply.  I wouldn't be surprised if there's a setting off somewhere.  I've been having a lot of trouble getting Portal installed correctly.  I looked over the link you sent but all of those settings are correct.  At least I now know this set up should work.  I'll submit a ticket to ESRI Support and see if they can help figure out what the issue is.