External access to Feature Service in a Federated Environment?

05-20-2020 02:00 PM
tigerwoulds
Occasional Contributor III

We are running a Federated 10.7.1 environment. We're using Windows Active Directory as our Identity Store. One of our clients will need access to edit a feature service. The feature service is referencing data stored in a SQL Server SDE. Right now, the only way I'm seeing to allow this is to create an external AD account, import that account in Portal and give it a Creator user type. Is there any way to give an external person access to edit a feature service without A) Creating an external AD account and B) Using up one of our Portal user licenses?

Also, it would be ideal if that person couldn't actually log in to our Portal if they came across it. Are there any other options or workflows for configuring limited external access to a service in a federated environment?

Thanks!


Accepted Solutions
DerekLaw
Esri Esteemed Contributor

Hi Tiger,

> Is there any way to give an external person access to edit a feature service without A) Creating an external AD account and B) Using up one of our Portal user licenses?

Answer is "no" to both as far as I know. Sorry. Since you've configured your ArcGIS Enterprise identity store to your Windows Active Directory (AD), anyone that you want to become a member of your Portal must also be a registered user in your Windows AD, and this means they need to be in a Portal editor role.

> Also, it would be ideal if that person couldn't actually log in to our Portal if they came across it.

This is not possible because it contradicts the security model as described in my response above.

Hope this helps,

tigerwoulds
Occasional Contributor III

Derek Law, do you have any ideas here? Or know someone that might have a suggested workflow?

Thanks!

RachelSears
Occasional Contributor II

Is this client part of an organization that has their own Portal or ArcGIS Online organization? If so, you could set up a distributed collaboration between both Portals.

About distributed collaboration—Portal for ArcGIS (10.8) | Documentation for ArcGIS Enterprise 

tigerwoulds
Occasional Contributor III

Unfortunately no, they will be using the feature service in a GeoCortex viewer.

tigerwoulds
Occasional Contributor III

Hi Rachel! We now have an instance where the client has their own instance of Portal set up. I posted a question about this but maybe you could answer? https://community.esri.com/thread/255767-is-distributed-collaboration-the-correct-workflow-for-exter... 
