
Thread: Help Understanding ArcGIS Server 10 Security

  1. #1
    Zorba Conlen

    Hi,
    I am interested in setting up some secure services in ArcGIS Server 10.0 SP3. I see that I have a choice of either SQL or Windows based security and it looks fairly straightforward to set it up, but I have several questions.
    1) Is it true that for a given instance of AGS, you must choose either Windows or SQL security? It seems like different applications would have different security requirements and you should be able to configure security on a service-by-service basis if desired.

    2) I am concerned by the following statement in AGS documentation -

    "Near the end of this walk-through, you enable security for GIS Web services. Once you enable services security, only users whom you have authorized, based on their Windows group membership, will be able to access any services on your system. Also from this point on, you will need to manage permissions for all services. You should not enable services security unless you want to restrict all services to authorized users and you are prepared to continue managing permissions."

    A similar statement can be found for SQL security. So if I'm understanding correctly, if I want security for 1 service I must implement it for all services? Again, this does not seem like a user-friendly, flexible way of managing services...

    3) Here is my scenario - I have dozens of services that don't require security and a handful that do. I'd like to implement security in such a manner that existing applications which use the unsecured services are not impacted. Of the several services which require security, some of the applications would be on the intranet and suited to Windows authentication, but at least one is public facing and would require SQL authentication. What are my options? What is the best approach?

    4) Does managing security get better at 10.1?

    Thanks

  2. #2
    Domenico Ciavarella


    1) If you need Windows authentication and SQL/custom authentication, you need to create 2 AGS instances (see http://help.arcgis.com/en/arcgisserv...00pt000000.htm).
    2) With SQL/custom you have three special roles:
    "...These special roles can be added to your roles when you store them either in Microsoft SQL Server or in a custom provider. The Anonymous role enables you to designate one or more GIS Web services to be open to users who do not supply credentials (via a token). The Authenticated users role allows any user who provides correct credentials (via a token) to access the service. The Everyone role allows any user, whether authenticated or not, to access the service. When these special roles exist, no users are actually added to the roles..." So if you want to have a default free service, you can use one of these roles in root services.
    With Windows users you can use Windows authentication or SQL Server/custom to store roles. For Windows authentication you need to disable anonymous, while with SQL Server/custom role stores you have the special roles available if you use the token method.
    Remember that security is given using roles.
    3) Remember that AGS implements security on the service, so your application must impersonate a user or use login pass-through (however you do it) to use the service (token or Windows authentication), so you can decide based on your needs.
    4) see http://resourcesbeta.arcgis.com/en/h...05m5000000.htm
    Studio A&T srl

    Domenico Ciavarella

    ESRI Certified
    Enterprise Geodatabase Management Associate 10.1
    Web Application Developer Associate 10.1

    My ArcGIS.com

    Blog: NicoGis

  3. #3
    Zorba Conlen

    Domenico,
    Thanks for your response. I'm still processing your comments, but this seems like some useful information and links.

    Cheers

    Zorba

  4. #4
    William Diehl

    Zorba,

    Just to clarify a little, yes, you can only have one type of security implemented on a particular instance: either Windows Users & Groups or SQL Server. You're right in saying that these models have different applications. I have a strong preference for SQL Security because 1.) it allows the use of tokens (while Windows Users & Groups does not) and 2.) it allows anonymous access to services (while Windows Users & Groups does not).

    If you really find you need both security models implemented in your ArcGIS Server setup, you have the option of adding another instance and applying a different security model. This is accomplished by using the c:\program files (x86)\arcgis\server10.0\dotnet\addinstance.exe utility. Once you've added another instance, you can apply a different security model to it, thus allowing you to have SQL on one and Windows on another. 10.1 does get much better in the granularity of configuration, allowing editor, publisher, and administrator levels of access, so that's a definite improvement.

    Finally, yes, once you enable security, all your services instantly become subject to the security configuration enabled on that instance. If you neglect to configure security on some services, they will be completely unavailable until you add a valid role to their configuration. Thus, the security model is "opt out" rather than "opt in". In 10.1, the opposite is true. Security is enabled by default, but all users can view the services until you lock them down tightly. If you have only a handful of services that you want to secure, I recommend implementing the SQL security model as it does allow anonymous connections to designated services even after security is enabled.

    Hope this helps!
    -William
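
The access rules quoted in posts #2 and #4, modelled as an added Python example (not ArcGIS or Esri code, and not written by any poster in this thread) that audits which services become unavailable once security is enabled. The service names, the `gis_staff` role, and the assumption that roles set at the root are inherited by every service are constructed for illustration; the Anonymous role is modelled literally as matching requests that supply no token.

```python
# Constructed model of the access rules described in this thread; not ArcGIS code.
ANONYMOUS = "Anonymous"
AUTHENTICATED = "Authenticated users"
EVERYONE = "Everyone"

# Constructed sample data: service names and the "gis_staff" role are hypothetical.
SERVICES = ["Basemap", "Parcels", "PublicEdits", "Utilities"]
PERMISSIONS = {
    "Basemap": {EVERYONE},
    "PublicEdits": {AUTHENTICATED},
    "Utilities": {"gis_staff"},
    # "Parcels" has no role assigned
}

def effective_roles(service, permissions, root_roles=()):
    """Roles on the service plus roles set at the root (assumed to be inherited)."""
    return set(permissions.get(service, ())) | set(root_roles)

def is_allowed(service, user_roles, permissions, root_roles=(), security_enabled=True):
    """user_roles is None when no token is supplied, else the caller's role names."""
    if not security_enabled:
        return True                      # before security is enabled, everything is open
    allowed = effective_roles(service, permissions, root_roles)
    if EVERYONE in allowed:
        return True                      # authenticated or not
    if user_roles is None:
        return ANONYMOUS in allowed      # no credentials supplied
    return AUTHENTICATED in allowed or bool(allowed & set(user_roles))

def unreachable(services, permissions, root_roles=()):
    """Services with no role at all: unavailable to everyone once security is on."""
    return sorted(s for s in services if not effective_roles(s, permissions, root_roles))

def breaks_anonymous_clients(services, permissions, root_roles=()):
    """Services that clients sending no token would lose when security is enabled."""
    return sorted(s for s in services
                  if not is_allowed(s, None, permissions, root_roles))

if __name__ == "__main__":
    print("unreachable:", unreachable(SERVICES, PERMISSIONS))
    print("lost to anonymous clients:", breaks_anonymous_clients(SERVICES, PERMISSIONS))
    print("with Anonymous at root:",
          breaks_anonymous_clients(SERVICES, PERMISSIONS, root_roles={ANONYMOUS}))
```

Under the inheritance assumption, putting Anonymous at the root keeps every existing client working but also opens `Utilities` to requests without a token, so the handful of restricted services need to sit outside whatever scope carries the open role.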

  5. #5
    Zorba Conlen

    William, thanks for the info. This helps clarify.
