Walk-through: Implementing security with users and roles in SQL Server

Complexity: Beginner Data Requirement: ArcGIS Tutorial Data Setup

This walk-through shows how to implement security for Web applications and GIS services. In this walk-through, users and roles are stored in a Microsoft SQL Server Express database. SQL Server is one of several options for users and roles. This option is often used when users of the server are on the Internet, but can also be used on local networks.

In this walk-through, you will install SQL Server Express if necessary, configure the user and role location in Manager, set permissions for a Web application and a GIS Web service, and enable security for GIS Web services.

CautionCaution:

This walk-through enables security for GIS Web services. Once you enable services security, you will need to manage permissions for all services. You should not enable security unless you are prepared to continue managing permissions.

These are the steps in this walk-through:

  1. Install prerequisites for walk-through.
  2. Configure the user and role location in Manager.
  3. Add users and roles.
  4. Secure a Web application.
  5. Set permissions for GIS Web services.
  6. Apply security to GIS Web services.

Install prerequisites for walk-through

You may need to install one or both of two items before you proceed with this walk-through:

  1. SQL Server Express: If Microsoft SQL Server Express is not yet installed (or you are not certain whether it is installed), follow the instructions at Install Microsoft SQL Server 2008 Express. Do only that section, not the following sections. Then return to this page and continue with the walk-through.
  2. SSL certificate: Access to secured GIS Web services in this walk-through requires that the Web server supports use of HTTPS, which requires that a Secure Sockets Layer (SSL) certificate be installed on the Web server. If you are not certain whether a SSL certificate is installed, follow the steps in Determining whether a SSL certificate is installed. If no certificate is installed, you must do one of the following:
    • Request a certificate from a certificate authority. This option is appropriate if your Web server is a production or public-facing Web server that will be used to serve applications or services to clients. See Obtaining and Installing a SSL Certificate from a Certificate Authority for information.
    • Create your own certificate for local use. This option is appropriate for development and testing only. See Using a self-signed SSL certificate for information and instructions.
    • Disable the requirement for SSL. This option is only appropriate for development machines. The token service installed with ArcGIS Server will not require HTTPS, and therefore passwords will be transmitted over the network in clear text, making them vulnerable to capture by anyone with access to the network. Clients may also display a warning to the user about nonsecure transmission of logins. To use this option, see the instructions at Secure connection (HTTPS/SSL) required for Token Service.

Configure the user and role location in Manager

After you have installed the prerequisites, use Manager to configure SQL Server Express as the user and role location.

Steps:
  1. Start ArcGIS Server Manager and log in.
  2. In Manager, expand the Security panel and click Settings.
  3. Click the Configure link.
    Security Settings wizard: Configure
  4. Choose SQL Server on the Location for Users dialog box that opens. Click Next.
  5. Enter the database server name in the Server text box on the dialog box for specifying settings for SQL Server.

    You can use localhost if SQL Server Express is installed on the local computer. For SQL Server Express, add \SQLEXPRESS to the end of the name, for example, localhost\SQLEXPRESS.

    NoteNote:

    If you changed the default SQL Server express instance name, replace SQLEXPRESS with the instance name you chose.

  6. Click Connect to display a list of available databases and options.
    If the connection fails, check to ensure your database server is running and available on the network and that the account you used to log in to Manager is allowed to administer the SQL Server.
    Security Settings wizard: SQL Server connection
  7. Optionally, check Use Trusted Connection to allow the account that runs ASP.NET to authenticate users and to check roles through Windows Authentication. You can optionally uncheck Use Trusted Connection if you have configured SQL Server with Mixed Mode Authentication and you want to enter a SQL database login. The trusted connection option is recommended when possible.
  8. Click the Create a new database option and type a name (such as aspnetdb). Verify that the option Add Everyone, Anonymous and Authenticated Users roles to database is checked. Click Next.
  9. In the panel for password recovery, leave the option unchecked. You can rerun the wizard later if desired to enter settings for the mail server, which is required to recover passwords. Click Finish. The wizard closes with the entry SQL Server users and roles displayed in the Location box.

Notice that security for services is set to Not Enabled. Do not enable security at this point. You will enable security in the last step in this walk-through. Enabling security is the last step because you first need to set permissions for your Web services. Once security is enabled, only users whose roles you have permitted can access the GIS Web services.

Add users and roles

Before you can assign permissions to applications or services, you need to add some users and roles.

Steps:
  1. In Manager, click the Security tab on the left side and click Users. No users are listed if you just created the database by following the steps above.
    Users list dialog
  2. In the Users panel, click the Add User link to display the dialog box for adding a new user.
  3. Enter the information for the new user. The following are suggestions, but you can enter your own user settings:
    • User name: staff1
    • Password: staff1$
    • Email: staff1@yourcompany.com
    • Security Question: What was your first pet's name?
    • Security Answer: Fido
      Add user dialog
    CautionCaution:

    By default, passwords must have at least seven characters, and at least one character must be nonalphanumeric (such as @, #, $, or %, but avoid using &).

  4. No roles have been defined yet, so leave that aspect blank. Click Add to add the new user. Manager returns to the Users list and displays the new user.
  5. Add another user, such as engineer1. Make up your own values for password, and so forth. Optionally, you can add more users at this point.
  6. Click the Roles link in the Security section. No roles exist yet.
    Roles list
  7. In the Roles panel, click the Add Role link to display the dialog box for adding a new role.
  8. Type a name for the role, such as Staff. Then highlight the user you created earlier, such as staff1, and click the Add button to add it to the Role members list.
    Add role dialog
  9. Click Add Role to add the role and return to the Roles list. The new role appears in the list.
  10. Create one more role, such as Engineers, and add the second user you created earlier to this role.

    Notice that you can expand the roles list to show the members of the role.

    Roles list with members

  11. Optionally, add more users and roles. Always add each user to at least one role. Permissions for services and applications are based on roles, not individual users.

Secure a Web application

Now you will secure a Web application by limiting access to designated roles.

Steps:
  1. Create a new Web application in Manager.
    The application may be simple, with just a map service and no extra tools or tasks. You can follow the Creating a Web application tutorial if you need to create an application. You can use an existing application, but all users of the application are required to log in as users in a role you permit during the walk-through.
    • Since users will log in using a form on the Web page, you might want to protect the login by requiring users to use HTTPS to connect to the application. This is only possible if you installed an SSL certificate as discussed in the prerequisites. You can specify HTTPS for the application URL in Manager when you create the application by choosing https in the Advanced option in the first wizard panel.
  2. In Manager, click Applications to list the Web applications. Find the application you want to secure in the list.
    In the Permissions column, you can see the unlocked iconUnlocked icon for unsecured application. This indicates that the application is not restricted, so that users currently are not required to log in.
    Applications list dialog
  3. Click the permissions icon Unlocked icon for unsecured application, which displays the Permissions dialog box for the Web application.
  4. Check the box Enable security for this web application. This enables the lists of available and allowed roles.
  5. Highlight the Staff role (or other role you added above) in the Available Roles list. Click the Add button to add it to the list of Allowed Roles.
    Application permissions dialog
  6. Click Save to save the permissions and return to the list of applications. Notice that the permissions icon changes to a locked appearanceLocked icon for secured application , which shows that it now requires a login to access the application.
  7. Test the application by clicking its URL hyperlink in the list of Web applications.
    The application opens in a new browser window, and it is redirected to the Login page.
    Application login form
    Enter the user name and password for a user who is a member of the role you permitted (for example, the staff1 user added above). Upon successful login, the application proceeds to the ArcGIS Server Web application page.
  8. Click the Logout link on the Web application page.
    Application logout link
    The application returns to the Login page. Optionally, attempt to log in with another user login that is not permitted based on role membership. You are not allowed to log in. Close the application and return to Manager.

Set permissions for GIS Web services

In addition to securing Web applications, you can restrict access to GIS Web services using Manager. This section shows how to set permissions for services. These permissions are not actually enforced until you complete the following section on applying security to services. This workflow enables you to configure permissions for services, then apply security, so that users will continue to be able to access services throughout the security process.

This walk-through configures security so that, by default, services can be accessed without a login. Then you will set up some services to require a login. You will do this by restricting access to a folder to designated roles. This approach may be appropriate for a site with a mix of secured and open services. If your organization desires to restrict all services to require a login, you might want to use a different approach than the one below.

Steps:
  1. In Manager, ensure you have at least one service in your server's root folder. Add a service if no services exist yet. You can refer to the tutorial Publishing a map service to create the service.
  2. Add a folder to your server's services by clicking Manage Folders; in the drop-down list that appears, click Add.
    Add a service folder
    Type a folder name, such as SecureServices, in the Add Foldertext box. Click OK to add the folder.
  3. Add a service to the new folder. Use Publish a GIS Resource to add the service, being careful to specify the SecureServices folder as the location. (You can also use the Add New Service wizard, but ensure that the Services in list shows the SecureServices folder. You can also use ArcCatalog to add the service.) You can delete the service and folder after the walk-through if desired.
  4. Set permissions on the root folder to allow anyone to access services regardless of whether the user provides a login. This approach is appropriate if you want to allow all users by default but restrict certain services or folders to require a valid login. To set this permission, ensure the Services in box reads Server name (root), where Server name is your server's machine name (click the drop-down list to select this item if necessary). Then click Manage Folders, and from the drop-down list, choose Permissions (see graphic above for an illustration). The Permissions dialog box that opens displays the folder name (in this case, root).
  5. In the Permissions dialog box, choose the Everyone role and click Add.

    The Everyone role moves to the Allowed Roles list. It is not necessary to add any other roles because Everyone covers all users, whether they provide a login or not. Note the warning that security for services is not enabled; you will enable security in the next section. Click Save to save the permissions list.

    Setting service permissions

  6. Restrict permissions on the folder you created earlier. In the Services in list, choose the folder (SecureServices), click Manage Folders, then click Permissions.
  7. On the Permissions dialog box, click the Everyone role in the Allowed Roles list and click Remove. The role is moved to the Available Roles list.
  8. Next, click a role to allow, such as Staff. You can add multiple roles as allowed if desired. Click Save to save the permissions list.

The permissions are now configured for services. However, security is not yet enforced. In other words, at this point, any user can still access services in the SecureServices folder without supplying a login. The next section enables security, which enforces the access permissions you have configured.

Apply security to GIS Web services

The final step for securing GIS Web services is to apply security to the services. This step restricts GIS Web services so that only users whose roles you have permitted can access the services. Until you perform this step, any permissions you have applied are not actually in effect, and anyone can access any service. You should not do the steps here until you have configured permissions as described in the previous section.

Warning: Once you enable security for services, you cannot disable it in Manager (see the Server Help page Information on manually disabling security if necessary). Security for services should be a one-way process. If you are not ready to enable security for GIS Web services, you can skip this section of the walk-through.

Steps:
  1. In Manager, click the Security tab on the left, then click Settings.
  2. In the Security Settings panel, read the information under Security for GIS Services. Notice that security is set to Not Enabled when you install ArcGIS Server.
    Enable security for services
  3. Click Enable. A message cautions you to set permissions before enabling security for services. Click the Enable Security for Services button to confirm. You return to the Security Settings panel, and the indicator now shows that security is enabled.
  4. Click the Services tab on the left side of Manager. In the list of services, the permissions icons now appear as a locked icon Locked icon for secured services. If you see an icon with a red exclamation markWarning icon for secure service with no roles permitted, it indicates that the service has an empty permissions list. These services are inaccessible to all users until at least one role is added to each service's Allowed Roles list.
  5. To verify that security for services is in effect, use ArcCatalog to connect to your services. Start ArcCatalog, either on your local machine or on a machine that can access the Web server for ArcGIS Server.
  6. In ArcCatalog, expand the GIS Servers node in the Catalog tree. Double-click the Add ArcGIS Server item.
  7. On the Add ArcGIS Server dialog box, click Use GIS Services. Click Next.
  8. In the next panel, click Internet as the type of connection and enter your server's URL, for example, http://myserver/arcgis/services. For this connection, leave the Authentication dialog box blank. Click Finish. The dialog box closes and a new connection appears in your GIS Servers list, such as arcgis on myserver.
  9. Expand this node. See the service at the root of your server. However, the folder that you secured in the previous connection (SecureServices) is not visible. Since you permitted the Everyone role to access the root folder, services in the root and any folders that did not override its settings are visible to all users, even without a login. Since you did not connect with an appropriate login, the SecureServices folder is not available to this connection.
  10. Add another GIS Server connection in ArcCatalog, using steps 6 to 8 above. Enter the same server URL, but for step 8, enter the user name and password in the Authentication section of the connection dialog box. Use the login you created above for the user (for example, staff1) in the role for which you permitted use of the SecureServices folder. Click Finish to add the connection.
    Connecting to secured services in ArcCatalog
  11. Expand this connection (for example, arcgis on myserver [2]). You can now see the SecureServices folder, along with any services and folders permitted to Everyone.
  12. Close ArcCatalog and Manager when finished.

Your Web services are now secured. Services permitted to specific roles are available only to users in those roles. As you have seen, you can open services to users who do not supply a login by adding the Everyone role to the list of allowed roles for the service or containing folder.

You can use secured services in various clients, including ArcGIS Desktop, Web ADF applications, and JavaScript API applications. To add a secured service to a Web ADF application, add a new ArcGIS Server Internet connection, enter the appropriate user name and password in the Identity text box on the connection dialog box in Manager or Visual Studio.

If desired, you can remove any services, folders, users, or roles created during this walk-through. Keep in mind that once you enable security for services, you must manage permissions for all folders and services. If you add a service but do not add any permitted roles, it is inaccessible to all users (a warning icon Warning icon for secure service with no roles permitted is displayed to alert you of this problem). One way to ensure at least a default set of permissions is to add permissions to the containing folder at the root or subfolder. Services inherit the permissions of their containing folder, making it simpler to configure security for services.


11/18/2013