I am trying to add three levels (Admin, District, User) of authentication access in the form of 3 Dynamic AGS Secure Service Layers and Tiled AGS Secure Service Layers within the same DEV WAB web map. I'm using the Local Layer widget to add these services to the map. My problem is that when adding several different levels of access layers, when I log in as an Admin the Layer List Widget also displays the layers of the District level in the operational layers. The Admin level role in AGS Manager does not have access to these services, so I don't know why it is displaying the layers. When logging in as the District level, it doesn't show the layers for the Admin level. Is this a known bug between the two widgets in regard to multiple secure services?
Hey Robert, thanks for responding!
Sorry, I need to be more clear. I'm not using AGOL or Portal Users and Roles. I'm just wrapping ArcGIS Server Secure Services into the DEV WAB through the Local Layer Widget. So when I say Admin, it's just the top level of access to the specific ArcGIS Server dynamic layers. It's not an actual ArcGIS Server admin account; it's just one division of the three tiers of access. So see the attached photo. The top is the District operational layers that appear on login. The bottom shot is when coming in as the admin. The thing is, the "admin" role doesn't have access to these individual dynamic or tiled services listed here. So the Layer List just lists all the layers that are within the Local Layer Widget window, regardless of the fact that the Admin role doesn't have access to these district layers, as they are separate ArcGIS Server services. Any thoughts?
I still think this has something to do with how WAB/JS API handles token requests through ArcGIS Server. Can you create a web map that has these layers and see if using the web map handles the authentication differently than the LL Widget?
I believe that is the case, it's the way LL handles the services. I tested Portal and it didn't have this issue. So my workaround is that I will create three web maps for each level. That will guarantee that it will work with LL, as we haven't moved to using Portal to manage our AGS security yet. So far no issues in my tests of the three maps and services.
Thanks for the help!
Portal to manage security?
I would carefully plan and challenge your reasoning as to why you would want Portal to manage security (aka Federated). I avoid this method if possible due to the Portal named user cost structure (vs Server core), e.g. 300 users that need access to a secure layer would require ... 300 named users (and named users are not cheap). (You only get 50 Portal Named users with an Advanced level server purchase.) There are of course options to group users and use Groups as named users etc., but there are several rabbit holes with that method depending on what the overall business needs are.
I totally agree. My company is small, so for internal use a Portal user role structure would work, but for hosting client data and users I believe we will ultimately use AD for our authentication purposes in the future. I wish ESRI didn't make the structure that way for the behind-the-firewall old version of ArcGIS Online, but that's the way it's going. Maybe in the future the Portal User Structure will be free, but most likely not.
Could this be an issue with the Local Layer widget specifically? (I'd suspect it is, just as Robert mentioned.) I don't use LL and it all works.
I've run web applications that use WAB consuming Web Maps in Portal (public) which contain several MapServer and FeatureAccess Services. The authentication happens on the ArcGIS Web Adaptor level: Active Directory. And ArcGIS Server is Windows Auth using AD, thru must go through web adaptor for authentication.
Depending on the user and their role, those are the layers they see (based on which ArcSOC service security role is set and the layer resides in). Not using the Local Layer widget, it all works fine.
Also, a further note: if any user is part of the ADMIN or PUBLISH role for ArcGIS Server, regardless of the role settings on that MapServer/FeatureServer (even if no roles are selected), they will see ALL layers.
The only bug I found was that IF the last layer (or first) has specific roles applied (beyond 'Allow access to all users who are logged in'), then for any user not a part of the role, the entire web app would fail to load the layers.
There are some workarounds for that, of course.