Help Understanding ArcGIS Server 10 Security
I am interested in setting up some secure services in ArcGIS Server 10.0 SP3. I see that I have a choice of either SQL or Windows based security and it looks fairly straightforward to set it up, but I have several questions.
1) Is it true that for a given instance of AGS, you must choose either Windows or SQL security? It seems like different applications would have different security requirements and you should be able to configure security on a service by service basis if desired.
2) I am concerned by the following statement in AGS documentation -
"Near the end of this walk-through, you enable security for GIS Web services. Once you enable services security, only users whom you have authorized, based on their Windows group membership, will be able to access any services on your system. Also from this point on, you will need to manage permissions for all services. You should not enable services security unless you want to restrict all services to authorized users and you are prepared to continue managing permissions."
A similar statement can be found for SQL security. So if I'm understanding correctly, if I want security for 1 service I must implement it for all services? Again, this does not seem like a user friendly, flexible way of managing services...
3) Here is my scenario - I have dozens of services that don't require security and a handful that do. I'd like to implement security in such a manner that existing applications which use the un-secured services are not impacted. Of the several services which require security, some of the applications would be on the intranet and suited to Windows authentication, but at least one is public facing and would require SQL authentication. What are my options? What is the best approach?
4) Does managing security get better at 10.1?
Re: Help Understanding ArcGIS Server 10 Security
Just to clarify a little, yes, you can only have one type of security implemented on a particular instance: either Windows Users & Groups or SQL Server. You're right in saying that these models have different applications. I have a strong preference for SQL Security because 1.) it allows the use of tokens (while Windows Users & Groups does not) and 2.) it allows anonymous access to services (while Windows Users & Groups does not).
If you really find you need both security models implemented in your ArcGIS Server setup, you have the option of adding another instance and applying a different security model. This is accomplished by using the c:\program files (x86)\arcgis\server10.0\dotnet\addinstance.exe utility. Once you've added another instance, you can apply a different security model to it, thus allowing you to have SQL on one and Windows on another. 10.1 does get much better in the granularity of configuration, allowing editor, publisher, and administrator levels of access, so that's a definite improvement.
Finally, yes, once you enable security, all your services instantly become subject to the security configuration enabled on that instance. If you neglect to configure security on some services, they will be completely unavailable until you add a valid role to their configuration. Thus, the security model is "opt out" rather than "opt in". In 10.1, the opposite is true. Security is enabled by default, but all users can view the services until you lock them down tightly. If you have only a handful of services that you want to secure, I recommend implementing the SQL security model as it does allow anonymous connections to designated services even after security is enabled.
Hope this helps!