Setting up users and roles in a custom provider

You can use a custom provider to store users and roles. Custom providers are created as standard ASP.NET membership and role providers. Providers may be available from software vendors or other sources for particular storage types. For example, an Oracle provider is available for using Oracle databases. Another example is an Active Directory Membership provider, available from Microsoft.

The provider must be created and configured outside Manager. Additionally, you must also configure the user and role stores before using the provider with Manager. The custom provider must implement the requirements for an ASP.NET provider. If the provider meets these prerequisites, it can be utilized as the user and role store.

Once you've obtained the custom provider, you must add it to Manager's configuration file to see the provider in Manager's Security dialog box. Add the provider configuration information to the web.config file at the /ArcGIS/Security Web application (by default this is at C:\Inetpub\wwwroot\ArcGIS\Security). The entries in this web.config file should be standard provider entries as would be used when configuring an ASP.NET application to use the provider. Specifically, the <membership> and <roleManager> elements must be added and appropriately configured. Any connection strings or other required information would also need to be added. The content of these elements will vary depending on how the provider works.

A walkthrough for setting up the Active Directory Membership Provider is available on the Enterprise GIS page in the ArcGIS Resource Center.

ArcGIS Server can allow users to recover lost passwords. If your provider supports recovering lost passwords, and you want to enable users to recover passwords, you must also add a mail settings section with SMTP mail server information to the web.config file. For details and examples, see this Microsoft reference page for the <smtp> element.

When you choose to use a custom provider in Manager, Manager copies these entries from this web.config file into the web.config files for the Web services application and for each Web application registered in Manager's application list.

Any custom provider should be thoroughly tested before being used with Manager. The best way to test a provider is to use it with a simple ASP.NET Web application with no ArcGIS Server components. If you can secure this application using roles, then you are ready to use the provider with ArcGIS Server. If the custom provider does not work properly, or is not configured correctly in Manager/Security/web.config, then security features will not work with ArcGIS Server services or Web applications.

Once you've tested the custom provider and added it to Manager's configuration file, perform the following steps to use it as the user and role store:

Steps:
  1. Expand the Security panel in Manager and click Settings.
  2. Click the Change link.
  3. Choose your custom provider from the list. (If the provider does not appear or an error occurs, recheck the provider settings in /ArcGIS/Security/web.config.)
  4. Click Next. No further configuration is necessary within Manager.
  5. Click Finish.
  6. Configure the token service for your ArcGIS Server. Users provide login credentials to your ArcGIS Web services with tokens obtained from the token service. You should set the server key, which encrypts tokens, and optionally the token time-out. For details and instructions, see Configuring the token service.

Whether Manager may be used to add, edit, or delete users or roles depends on the custom provider. If the provider implements the methods in the .NET API to manage users and roles, Manager enables editing operations for users or roles. If editing tools are not available, you must use tools compatible with the provider to manage users and roles. Refer to the provider vendor for management tools.

User names and roles in a custom provider must not contain commas (,) or semicolons (;). Your custom provider may have other characters that are not permitted in user names or roles.


8/22/2012