Issue with Windows Authentication and User/Role Permissions
Hi,
We use windows authentication on our sites, we use Roles established by our IT department to allow/deny users permissions to various sites.
We wanted to allow several users access to see a feature service (and to edit this service) by adding the users in to the existing site and granting visibility to the layer in question and simultaneously denying the overarching Role access to this service so all other users do not see it at all. (in the hope of not having to build/copy a new site)
I see in the Admin Guide that if there is a Deny permissions toggled on anywhere this will override any other allow permssion..
Is there any way round this? Ideally I would love to see the User permissions override the Role permissions so if the user is allowed access specifically to a different set of info and they happen to also be in a role that is denyed access that the individual permissions take precidence over the role permissions..
Has anyone got round this or should i be adding this as an enhancement request?
Thanks,
Gina
-
Hi Gina,
Since the feature layer is a "containered object" (for lack of a better term), we can set the permissions as you describe.
At this time it is not possible to have an allow permission override a deny permission on a single object.
However, on a child object you may do this. So, for your site, set the Deny permission for the role on the FeatureServer service, and then set the Allow permission(s) on the layer within that service for the users who can edit the layer.
Deny permissions will override any Allow permissions set above them in the site hierarchy. Since you want to secure a layer within a service we can do it. We cannot currently do this sort of security configuration on a single-level object, like the print templates, but work is underway to add this functionality somehow.
Regards,
-Malcolm
0 -
Hi Malcolm,
Thanks for the assistance, I 'think' I have followed your instructions but I am still having trouble with the Role permissions overiding the user permissions. (we are using windows authentication)
To clarify, I added an ArcGIS Feature Layer to a site, the Service called "GF" and the feature layer itself (layer I want editable to some users) called "Ground Floor Signage"
I have then modified permissions for the Role (this role also contains the users that I want to have permissions to edit the layer) to deny access up at the service level "GF"
I have then modified the individual Users permissions to allow access at the lower feature layer level "Ground Floor Signage"
When I apply this and re open the viewer - get an error message "Error Loading Map Services: The following Map Services failed to load: "GF" "
It seems that the Role Denial up at the service level is still overriding the user grant permission on the lower level feature layer. Or have I misunderstood your description and not done this correctly?
Thanks very much,
Gina
0
Please sign in to leave a comment.
Comments
2 comments