Please help to find a secure architecture for reconcile and post in ArcGIS Pro.
Details:
- branch versioning
- custom role of Version Administrator
Problem:
- Version Administrator can edit default protected version
Suggested workaround:
- using an addin with Version Administrator role.
Problem/Possible security issue:
- Need to store user name/password or token on a user machine
Mark,
We are in the same boat with a Protected Default. The solution we deployed uses ArcGIS Pro task using a python toolbox. This client-side toolbox collects information from the user & ArcGIS Pro (eg. which service to use (eg. UN), what version to push, whatever else your BAU workflows require). This information is pushed to a GP service which does the actual work. The GP service takes the information as input parameters and processes the request (eg. UN service url, has the version been reconciled in the past 15minutes). The credentials used in the service that has the version management privilege is stored on the server in the Windows Credential Manager and is accessed in python via the profile parameter (eg. gis=GIS(url=UN_url, username=u, password=p, profile=profile). These are setup when the ArcGIS Server software was being installed but can be done at anytime. Access to this service is controlled by an Enterprise Portal group and SSO.
The reason we did the GP service was to make it generic as possible in which it could be used with any branch versioned dataset.
There are many ways to do this. Good luck.
Hello @AnthonyRyanEQL Anthony,
Thank you again for your response.
We tried to use a GP service (as we have a portal - cannot have GP service - it is a web tool)
A GP service === standalone ArcGIS server
A web tool === portal with a federated ArcGIS Server
Unfortunately, there is a bug that will be (never) resolved
https://support.esri.com/en-us/bug/the-reconcile-versions-web-tool-fails-and-returns-the-e-bug-00014...
Do you use a web tool?
Is it better to use REST API VersionManagementTools? (can be found on ArcGIS Server - Site (root) > System > VersionManagementTools)
Is it better to use REST API VersionManagementServer? https://developers.arcgis.com/rest/services-reference/enterprise/version-management-service.htm
Mark,
We haven't used any OOTB web tools as they weren't available to us at the time of implementation.
Our GP service uses the VersionManagement REST API endpoint associated with the UN Feature Service to do the work relating to reconcile, check for conflicts and posting.
The GP service for posting to default is generic as it will handle any branch versioned dataset because the Feature Service url is passed in as a parameter and the VersionManagement endpoint is derived from that, etc.