ArcGIS Server integrated security

Integrated security refers to a security model where the identity of the end user issuing a command or request is available to all tiers of the system, giving each tier the ability to enforce access control based on the identity of the end user.

At ArcGIS Server 10, integrated security is available in Web applications that consume ArcGIS Web services through Internet connections. ArcGIS Server automatically transmits a Web user's identity from the Web application down to the ArcGIS SOM and SOC processes via the ArcGIS Web Service Handler (WSH).

If the ArcGIS Web service consumes data from an Oracle database, the Web user's identity can be passed down to the database as well. This feature is currently not available for other database systems.

Configuring integrated security

If security is enabled on ArcGIS Server, the Web user's identity is automatically passed down to the ArcGIS Web service. The ArcGIS SOM and SOC processes are then able to enforce access control based on that user identity.

When configuring database-level security, each database user is granted privileges on tables (and optionally on columns and rows), either directly or through Oracle roles, whereas ArcGIS Server assigns permissions to roles/groups. To configure integrated security for the Oracle database, you will need to do the following:

  1. Create a database account for the Map author.
  2. Define the ArcGIS Web Service users.
  3. Author a document and publish it to ArcGIS Server.
  4. Enable database integrated security.

Defining the Map author

To support integrated security, the author of the Map document must have the required database privileges. You will need to define the database account used to author the Map document. As the database administrator, create and assign permissions to the user who will author the map:

CREATE USER <map author> IDENTIFIED BY <map author password>
  DEFAULT TABLESPACE <tablespace_name>
  TEMPORARY TABLESPACE <temp_tablespace_name>;

GRANT CONNECT, RESOURCE TO <map author>;

Refer to Oracle documentation for additional information and requirements for creating users.

Defining database accounts for ArcGIS Web service users

For integrated security to work, each ArcGIS Web service user must have a corresponding database account. As the database administrator, create a database account for each user who will consume the ArcGIS Web services, and allow each of those accounts to connect through the map author database account (Oracle proxy authentication). CONNECT is sufficient for a Web user who only consumes the service; RESOURCE adds object-creation privileges (and, in Oracle releases before 12c, UNLIMITED TABLESPACE) that such a user does not need, so grant it only if the user must own objects.

CREATE USER <ArcGIS Web user> IDENTIFIED BY <ArcGIS Web user password>
  DEFAULT TABLESPACE <tablespace_name>
  TEMPORARY TABLESPACE <temp_tablespace_name>;

GRANT CONNECT, RESOURCE TO <ArcGIS Web user>;

ALTER USER <ArcGIS Web user> GRANT CONNECT THROUGH <map author>;

Note:
Use lowercase when creating user names in the database, since ArcGIS Server passes user names in lowercase to the database. For domain users, enclose the name in double quotes, which also makes it case sensitive, so the quoted name must match what ArcGIS Server sends exactly. For example:
CREATE USER "<domain name>\<user name>" IDENTIFIED BY <user password>

For each database account created, grant privileges as desired to correspond to what the user is authorized to do with the Oracle geodatabase. Refer to What are user permissions for details on setting user permissions.

As an example, two roles are defined below to grant privileges to ArcGIS Web service users. The first role allows SELECT (privilege to view data) on two geodatabase layers; the second allows editing (SELECT, INSERT, UPDATE and DELETE) on one layer.

-- Role for displaying boundary layers
CREATE ROLE sel_boundary_role NOT IDENTIFIED;
GRANT SELECT ON <map author>.States TO sel_boundary_role;
GRANT SELECT ON <map author>.Counties TO sel_boundary_role;

GRANT sel_boundary_role TO <user one>;

-- Role for editing the transportation layer
CREATE ROLE sel_trans_role NOT IDENTIFIED;
GRANT SELECT, UPDATE, INSERT, DELETE ON <map author>.Roads TO sel_trans_role;

GRANT sel_trans_role TO <user two>;

It is also possible to configure permissions on individual rows (features) and on columns (attribute fields) in the Oracle database. For details, refer to the Oracle database documentation.
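The following script is an added example, not part of the original Esri page, that ties the account, proxy and role steps above together and adds two things a DBA would want on top of them: a row-level (per-feature) restriction of the kind the previous paragraph refers to, implemented with Oracle Virtual Private Database, and a query that confirms from inside a proxied session that the Web user's identity really reached the database. All names are placeholders: the author schema gisauthor, the Web users alice and "corp\bob", the tablespaces tbs_gis and temp, the roles, and an assumed owner column on gisauthor.roads holding the user name of the feature's owner.

```sql
-- Added example: Oracle proxy authentication + VPD for ArcGIS integrated
-- security. Run sections 1-5 as a DBA; section 6 inside a proxied session.
-- All identifiers below are assumed placeholders.

-- 1. Map author schema that owns the feature classes.
CREATE USER gisauthor IDENTIFIED BY "<author password>"
  DEFAULT TABLESPACE tbs_gis TEMPORARY TABLESPACE temp;
GRANT CONNECT, RESOURCE TO gisauthor;

-- 2. Web users. Unquoted names are stored upper case but match the lower
--    case name ArcGIS Server sends; the quoted domain user is case sensitive
--    and must be created exactly as ArcGIS Server will send it.
--    CONNECT only: these accounts never own objects.
CREATE USER alice IDENTIFIED BY "<alice password>"
  DEFAULT TABLESPACE tbs_gis TEMPORARY TABLESPACE temp;
CREATE USER "corp\bob" IDENTIFIED BY "<bob password>"
  DEFAULT TABLESPACE tbs_gis TEMPORARY TABLESPACE temp;
GRANT CONNECT TO alice, "corp\bob";

-- 3. Roles carrying object privileges on the author's layers.
CREATE ROLE sel_boundary_role NOT IDENTIFIED;
GRANT SELECT ON gisauthor.states   TO sel_boundary_role;
GRANT SELECT ON gisauthor.counties TO sel_boundary_role;
CREATE ROLE edit_trans_role NOT IDENTIFIED;
GRANT SELECT, INSERT, UPDATE, DELETE ON gisauthor.roads TO edit_trans_role;
GRANT sel_boundary_role TO alice, "corp\bob";
GRANT edit_trans_role   TO "corp\bob";

-- 4. Proxy authentication: the SOC opens the connection as gisauthor and
--    switches the session to the Web user. WITH ROLE restricts which of the
--    user's roles are active when reached through this proxy, so a role
--    meant for direct DBA/desktop use cannot be exercised via the service.
ALTER USER alice      GRANT CONNECT THROUGH gisauthor WITH ROLE sel_boundary_role;
ALTER USER "corp\bob" GRANT CONNECT THROUGH gisauthor
  WITH ROLE sel_boundary_role, edit_trans_role;

-- 5. Row-level restriction via VPD: each Web user sees and edits only the
--    roads rows whose owner column equals their own session user name.
--    The predicate uses SESSION_USER, which is the proxied Web user, not
--    the proxying gisauthor account. Stored owner values must match the
--    session user name exactly (e.g. 'ALICE', 'corp\bob').
CREATE OR REPLACE FUNCTION gisauthor.roads_owner_predicate
  (p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2 IS
BEGIN
  RETURN 'owner = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
END;
/
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'GISAUTHOR',
    object_name     => 'ROADS',
    policy_name     => 'roads_owner_policy',
    function_schema => 'GISAUTHOR',
    policy_function => 'ROADS_OWNER_PREDICATE',
    statement_types => 'SELECT, INSERT, UPDATE, DELETE',
    update_check    => TRUE);   -- also reject INSERT/UPDATE into rows the
END;                            -- user could not see afterwards
/

-- 6. Verification from a proxied session, e.g. in SQL*Plus:
--      CONNECT gisauthor[alice]/"<author password>"
--    Expected: PROXY_USER = GISAUTHOR, SESSION_USER = ALICE.
--    If SESSION_USER is also GISAUTHOR, the identity is not being pushed
--    and every Web user is operating with the author's full privileges.
SELECT SYS_CONTEXT('USERENV', 'PROXY_USER')   AS proxy_user,
       SYS_CONTEXT('USERENV', 'SESSION_USER') AS session_user
  FROM dual;
```

The verification query in step 6 is the database-side counterpart of the browser test described later on this page: run it once with PushIdentityToDatabase enabled and once with it disabled, and the SESSION_USER value should change from the Web user to the map author. Step 5 requires EXECUTE on DBMS_RLS (held by DBAs by default); the policy is enforced regardless of which Oracle role granted the table privilege, so it complements rather than replaces the role grants in step 3.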

Authoring a document and publishing it to ArcGIS Server

You can use ArcMap or any other ArcGIS client to create your document. When adding geodatabase resources, you will need to use the credentials of the Map author database account described in Defining the Map author. Publish the Map document to ArcGIS Server using any ArcGIS Server client. Be aware that Map service capabilities such as WMS and KML will enforce the same security restrictions as with standard ArcGIS Web services (SOAP/REST).

Enabling integrated security for Oracle

After configuring the Oracle database, you will need to enable security on ArcGIS Server. While configuring ArcGIS Server security, you will need to create users and roles that exactly match the Oracle users and roles created in the previous sections. For instructions on configuring ArcGIS Server security, see Configuring Security Overview.

After configuring ArcGIS Server security, you will need to enable ArcGIS Server database integrated security. When this feature is enabled, ArcGIS Server passes the identity that it receives from the Web Service Handler to the Oracle database. To enable database integrated security, open the file Server.dat located in the folder <ArcGIS Installation Directory>\server\system\ with a text or XML editor. Locate the <Properties> element within the file. Inside this element, add a new property element as follows:

<Properties>
   <PushIdentityToDatabase>true</PushIdentityToDatabase>
   ...
</Properties>

After updating the Server.dat file, save and close it. Restart the ArcGIS Server Object Manager process to apply this change.

Testing integrated security

Using ArcGIS Server Manager or the Eclipse/NetBeans IDE, create a Web mapping application that consumes the ArcGIS Web service created with support for integrated security. View the deployed Web application in a Web browser. Only the layers/features that the user was granted privileges to should display in the Web application. Repeat this test with a Web mapping application that uses the credentials of a different ArcGIS Web user, including one that has a database account but no grants on the layers, which should display no data from them.

Note:
The ArcGIS Web service must be consumed via an ArcGIS Server Internet connection. You must also provide an ArcGIS Web user name and password to connect to the service.


11/18/2013