Is your organization in need of more flexible fine-grained security over your ArcGIS Server apps?
Geocortex Access Control provides fine-grained permissions that allow you to go beyond the out-of-the-box permissions of ArcGIS Server and control who can see the layers, fields and features of your services.
In this Tech Tip, we’ll give you a deep dive on how permission inheritance works. Specifically, we are going to focus on how Geocortex Access Control inherits permissions from ArcGIS Server, how inheritance works within the Designer, and we’ll show you what happens when you combine permissions in the fields. Check it out below!
“What’s up everybody? I’m Aaron Oxley, I’m a Technical Sales Specialist, and in this Tech Tip, we are looking at permission inheritance in Geocortex Access Control.
So, Access Control inherits permissions from ArcGIS Server, we’ll take a quick look at that, then we will take a look at how inheritance works within Access Control, and lastly we’ll look at what happens when you combine permissions in filters; which one takes precedents. Let’s check it out!
So, this service is the one we will be working with throughout this tech tip, ‘AccessControl’.
I’ve got it here in portal, I’ve got the rest end-point over here and then I’ve got the Geocortex Viewer that uses this service.
ArcGIS Server permissions control all or nothing access to the service, whether it’s using classic token security or Windows integrated, or if it’s federated with Portal, it doesn’t matter how your ArcGIS Server is secured, Geocortex Access Control will inherit whatever permissions you already have in place.
For example, my ArcGIS Server is federated with my Portal, so I control basic security for this service in Portal, with this share button. This one is available to everyone in my portal, but not everyone everyone, and we can see that here at the rest end point.
When I am not logged in, I can go in go into this hosted folder and I don’t see the Access Control service. If I log in and go back into the hosted folder, there it is.
So, that gets inherited. In a nutshell, if something is denied at the ArcGIS Server level, that gets inherited and there is no way to override it, if something is allowed it at the ArcGIS Server level that also gets inherited, but you can override it, so that’s the first thing to keep in mind.
Now there’s also inheritance within Access Control. When you configure permissions, you don’t need to apply permission to every level and field.
Here’s the Access Control Designer and here is the service, let’s go ahead and apply a permission to all layers and tables.
We will apply it to all users and let’s say denied and save that.
Let’s come back and refresh this app and now we don’t get any data. Now, back in the Designer, so all these layers inherent that denied permission, but if I apply the visible to the single layer, that will override the inherited permission.
So, let’s do ‘Service Requests’, we’ll apply again to ‘All Users’. This time visible, let’s save that and go back to the Viewer. We’ll refresh this one, and there they are.
Now, within a layer, we can control access to fields, so these fields have all inherited the visible permission from the layer, but if I apply a denied permission to one of these fields, it will override that permission.
So, I’ll add one to Email, all users, this time denied, let’s save that. We’ll come back and refresh the Viewer again.
Now, if I select a service request, in the map tip, we can see the Email field is blank and that’s true for all of these.
What I’m getting at here, a child element automatically inherent permissions from their parent element, but if a child element has its own permission, that overrides the inherited permission.
Now, we’ve been applying permissions to all users, which is actually one of three built-in groups that comes with Geocortex Access Control, the others are anonymous users and authenticated users. These groups are included to make it easy to manage the basic security, but most permissions are going to be for your existing users and groups.
So, what happens when there’s multiple permissions applied?
For example, a permission may be applied to an individual user, as well as a group, that the user is a member of and maybe even more permissions on those built-in groups that I just mentioned.
So, if those permissions conflict, if one says ‘Allow’ and another one says ‘Deny’, which one wins? Flip a coin? Rock paper scissors? No, there is an order of precedence, and I think the easiest way to remember is that the smallest permissions get top priority, like a pyramid.
So, first up, the permissions for all users get applied, the anonymous Users, and authenticated Users, the built-in groups get permissions first, then the permissions for the ArcGIS Groups, those are applied. And lastly, specific user permissions.
Now, importantly, as these are applied, from the bottom to the top, every permission, will override permissions at the lower levels, regardless of they are allowing or denying access. Let’s take a quick look.
We’ll go back and let’s ‘Remove all permissions from this service’, save that. And now we’ll add a permission. Let’s focus on this Service Requests layer, let’s add a permission starting out with all users and let’s say denied, save that. Back to the Viewer, and we’ll refresh, and we cannot see the service requests.
Now, if we come back to the Designer, and add another permission, this time for authenticated users, and we’ll leave that as visible, because I am signed in into this Viewer as Technical Sales, I am an authenticated user and I can see those service requests.
Back into the Designer, let’s add another permission. This time for an ArcGIS Group, I’ve got one called Technicians, and I know that my Technical Sales account is a member of that group.
Let’s do denied again, save that, and refresh the map, and we can no longer see service requests.
Back in the Designer one more time. Let’s add another permission for a user this time and we’ll apply it to the Technical Sales user that I’m signed in as, and this time, visible, save and refresh the map. I’m sure you can guess what happens here.
Once again, we have access to the Service Requests layer, so we’ve covered how ArcGIS Server permissions are inherited by Access Control, how inheritance works within Access Control, and how combined permissions and filters work when there is a conflict.
One other important piece about inheritance, if you’re using advanced permissions, these are actually applied after all permissions have been evaluated and they are applied in the opposite direction.
They start at the field level, and progress up to the service level. If you’re using advanced permissions, that’s important to keep in mind. But that’s it! Permissions inheritance.
Hopefully this video helps with configuring and managing your permissions. If you have any questions or just want to know more, let us know. Email firstname.lastname@example.org, and if this video is helpful for you, please ‘Like’, ‘Share’, ‘Subscribe’, and check out our other videos. Thanks for watching!”
Want to take an even closer look at Geocortex Access Control? Click the button below for more product information, or to book a demo.