When a user requests a GIS resource that consumes data from an Oracle database, ArcGIS Server can pass the identity of the user down to the database, allowing the database itself to enforce access control based on that identity. This feature is currently available only for map services and only for Oracle; it is not available for other database systems.
Note:
This workflow to integrate security with an Oracle database is deprecated at 10.7. Review Access and authorization in ArcGIS Server for recommended security configurations.
When database-level security is used, a user can be assigned permissions to tables (and/or columns and rows) in the database, in addition to or instead of permissions to ArcGIS Server web services. Follow the instructions below to configure integrated security for the Oracle database.
- Create a database account for the map author.
- Create database accounts for ArcGIS web service users.
- Author a document and publish it to ArcGIS Server.
- Enable database integrated security.
- Test integrated security.
Create a database account for the map author
To support integrated security, the author of the map document must have the required database privileges. You will need to define the database account used to author the map document. As the database administrator, create and assign permissions to the user who will author the map:
CREATE USER <map author> IDENTIFIED BY <map author password>
DEFAULT TABLESPACE <tablespace_name>
TEMPORARY TABLESPACE <temp_tablespace_name>;
GRANT CONNECT, RESOURCE TO <map author>;
Refer to Oracle documentation for additional information and requirements for creating users.
Create database accounts for ArcGIS web service users
For integrated security to work, each ArcGIS web service user must have a corresponding database account. As the database administrator, create database accounts for each user who will access ArcGIS web services. You will also need to grant connect privileges to each user through the map author database account.
CREATE USER <ArcGIS Web user> IDENTIFIED BY <ArcGIS Web user password>
DEFAULT TABLESPACE <tablespace_name>
TEMPORARY TABLESPACE <temp_tablespace_name>;
GRANT CONNECT, RESOURCE TO <ArcGIS Web user>;
ALTER USER <ArcGIS Web user> GRANT CONNECT THROUGH <map author>;
Note:
Use lowercase when creating user names in the database, since ArcGIS Server passes user names to the database in lowercase. If you are using Microsoft Active Directory as your identity store, enclose the user name in double quotes. For example: CREATE USER "<domain name>\<user name>" IDENTIFIED BY <password>
For each database account created, grant privileges that correspond to what the user is authorized to do within the Oracle geodatabase. As an example, two roles are defined below to grant permissions to ArcGIS web service users. The first role allows database selects (permission to view data) on two geodatabase layers; the second allows editing (select, update, insert, and delete) on one layer.
--Role for displaying boundary layers
CREATE ROLE sel_boundary_role NOT IDENTIFIED;
GRANT SELECT ON <map author>.States TO sel_boundary_role;
GRANT SELECT ON <map author>.Counties TO sel_boundary_role;
GRANT sel_boundary_role to <user one>;
-- Role for displaying transportation layer
CREATE ROLE sel_trans_role NOT IDENTIFIED;
GRANT SELECT,UPDATE,INSERT,DELETE ON <map author>.Roads TO sel_trans_role;
GRANT sel_trans_role to <user two>;
It is also possible to configure permissions on individual rows (features) and on columns (attribute fields) in the Oracle database. For details, refer to the Oracle database documentation.
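The following is an added example, not part of the original Esri page, showing one way to restrict a web service user to a subset of the rows and columns of a map author's table. Oracle does not support column-level SELECT grants, so the usual approach is a view that exposes only the wanted columns and filters rows on the session user; under proxy authentication the session user is the ArcGIS web user, not the map author. The schema name gisauthor, the table roads, its columns, the mapping table district_access and the role sel_roads_ro_role are all assumed names.

```sql
-- Added example: row- and column-level restriction through a view.
-- All object and role names here are assumptions, not from the original page.

-- Run as the map author (gisauthor), who owns the data.
-- A mapping table decides which districts each web user may see.
-- The username column must hold the name exactly as Oracle reports it in
-- SYS_CONTEXT('USERENV', 'SESSION_USER') (uppercase for unquoted users,
-- verbatim for quoted names such as "domain\user").
CREATE TABLE gisauthor.district_access (
    username  VARCHAR2(128) NOT NULL,
    district  VARCHAR2(64)  NOT NULL,
    CONSTRAINT district_access_pk PRIMARY KEY (username, district)
);

-- The view keeps the objectid and shape columns, which ArcGIS needs in order
-- to register the view as a spatial layer, and leaves out survey_notes.
-- Rows are filtered on the proxied session user, so each web user sees only
-- the districts assigned to them in district_access.
CREATE OR REPLACE VIEW gisauthor.roads_restricted AS
SELECT r.objectid,
       r.shape,
       r.road_name,
       r.district
FROM   gisauthor.roads r
WHERE  r.district IN (
           SELECT d.district
           FROM   gisauthor.district_access d
           WHERE  d.username = SYS_CONTEXT('USERENV', 'SESSION_USER')
       );

-- Run as the DBA: a read-only role that sees the view, not the base table.
CREATE ROLE sel_roads_ro_role NOT IDENTIFIED;
GRANT SELECT ON gisauthor.roads_restricted TO sel_roads_ro_role;
GRANT sel_roads_ro_role TO <user three>;
```

The map author then adds roads_restricted to the map document instead of roads, so the service never exposes the base table; a web user with only sel_roads_ro_role has no privilege on gisauthor.roads at all, and the row filter is applied by the database on every query regardless of what the client asks for.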
Author a document and publish it to ArcGIS Server
You can use ArcMap to create your document. When adding geodatabase resources, you will need to use the credentials of the map author database account described above. Publish the map document to ArcGIS Server. Be aware that map service capabilities such as WMS and KML will enforce the same security restrictions as with standard ArcGIS web services (SOAP/REST).
Enable integrated security for Oracle
After defining database accounts, you will need to create users and roles in the ArcGIS Server identity store that exactly match the Oracle users and roles. To add a new user, see Manage users in Manager. To add a new role, see Manage roles in Manager.
After creating users and roles in the ArcGIS Server identity store, you will need to configure ArcGIS Server to pass the user identity down to the Oracle database. To enable database integrated security, follow the steps below:
- Open the Administrator Directory (https://gisserver.domain.com:6443/arcgis/admin) and log in as the primary site administrator or a user with administrative access.
- Click system > properties > update.
- In the Properties text box, enter the JSON below:
{"pushIdentityToDatabase" : "true" }
- Click Update to save your changes.
Test integrated security
Create a web mapping application that consumes the ArcGIS web service published with support for integrated security. Open the web application in a web browser. Only the layers and features that the user was granted permissions to should display in the web application. You can repeat this test by creating a new web mapping application that uses the credentials of a different user.
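Before testing through a web application, it is worth confirming the proxy authentication chain (the GRANT CONNECT THROUGH statement from the account setup above) and the effective role grants directly in the database, so that a missing layer can be attributed to the database rather than to the ArcGIS Server identity store. The SQL*Plus session below is an added example, not part of the original page; the map author gisauthor, the web users webuser1 and otheruser, and the connect alias orcl are assumed names.

```sql
-- Added example: verifying proxy authentication and role grants in SQL*Plus.
-- Names and the connect alias are assumptions, not from the original page.

-- 1. Connect as the map author but open the session as the web service user.
--    Only the map author's password is supplied; this is exactly what
--    ALTER USER ... GRANT CONNECT THROUGH allows.
CONNECT gisauthor[webuser1]/<map author password>@orcl

-- 2. Check which identity Oracle uses for privilege checks in this session
--    (SESSION_USER) and which account opened it (PROXY_USER).
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER') AS session_user,
       SYS_CONTEXT('USERENV', 'PROXY_USER')   AS proxy_user
FROM   dual;

-- 3. List the roles active in this session; compare against the roles
--    granted to webuser1 in the account setup.
SELECT role FROM session_roles ORDER BY role;

-- 4. Exercise the grants the roles are supposed to carry: a query on a
--    layer covered by one of webuser1's roles, then one on a layer that is not.
SELECT COUNT(*) FROM gisauthor.states;
SELECT COUNT(*) FROM gisauthor.roads;

-- 5. Confirm that an account without CONNECT THROUGH cannot be proxied.
CONNECT gisauthor[otheruser]/<map author password>@orcl
```

In step 2 the session user should be the web user and the proxy user the map author; if both show the map author, the proxy connection was not used and every web user would see the same data. In step 4 a query on a table the session has no privilege on fails with ORA-00942 (table or view does not exist), which is what ArcGIS Server will also encounter for that layer. In step 5 the connect attempt should be refused because otheruser was never granted CONNECT THROUGH gisauthor.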