ArcGIS REST API

Update Security Configuration

Description

This operation can be used to update the portal's security settings, such as whether or not enterprise accounts are automatically registered as members of your ArcGIS organization the first time they access the portal.

The security configuration is stored as a collection of properties in a JSON object. The following properties are supported:

  • allowedProxyHosts (introduced at 10.3)
  • enableAutomaticAccountCreation
  • disableServicesDirectory
  • defaultRoleForUser (introduced at 10.4)
  • defaultIDPUsernameSuffix (introduced at 10.5.1)
  • defaultUserTypeIdForUser (introduced at 10.7)

Note:
The webgisServerTrustKey is automatically generated during the federation process and used for communication with federated ArcGIS Server(s). This key should not be modified.

Request Parameters

Parameter | Details
securityConfig

The JSON object containing the below listed properties.

Parameter Properties

Parameter | Details
allowedProxyHosts

This property restricts which hosts the portal can access directly. This restriction applies to several scenarios, including when the portal accesses resources from a server that does not support Cross-Origin Resource Sharing (CORS) or when saving credentials used to access a secure service. By default, this property is not defined and no restrictions are applied. Use the format (.*).domain.com to allow access to all machines within a specified domain.

Syntax: A comma-separated list of hostnames.

enableAutomaticAccountCreation

The automatic account creation flag. This determines the behavior for unregistered ArcGIS Enterprise accounts the first time they access the portal. The default value for the property is false. When set to false, first-time users are not automatically registered as members of your ArcGIS organization and have the same access privileges as other nonmembers. For these accounts to sign in, an administrator must register the enterprise accounts using the Create User operation. When the value is set to true, the portal automatically adds Enterprise accounts as members of your organization.

Values: true | false

disableServicesDirectory

This property controls whether the HTML pages of the services directory should be accessible to the users. The default value for this property is false, meaning the services directory HTML pages are accessible to everyone.

Values: true | false

defaultRoleForUser

This property sets which role the portal automatically assigns to new accounts. By default, new accounts are assigned to account_user. Other possible values are account_publisher or the ID of one of the custom roles defined in your organization. To obtain a custom role ID, log in to the portal sharing directory and navigate to Portals > Self > Roles, where you can copy the custom role ID you wish to use.

Values: account_user | account_publisher | <custom role ID>

defaultIDPUsernameSuffix

This property appends an underscore and the specified suffix to the usernames of new Enterprise accounts that will log in via SAML. This applies to accounts created automatically and accounts created manually through the portal website. This allows usernames for Enterprise users in your portal to match Enterprise usernames in ArcGIS Online. This is needed if editor tracking is enabled on a feature service that is edited by Enterprise users from both ArcGIS Online and your portal.

For example, if the defaultIDPUsernameSuffix property is specified as 'energy', the enterprise usernames created for SAML logins will have _energy appended. See the examples below.

  • rsanchez username becomes rsanchez_energy
  • rsanchez with an email address used as a username becomes rsanchez@domain.com_energy

defaultUserTypeIdForUser

This property sets the default user type the portal automatically assigns to new accounts. These user types must be compatible with the defaultRoleForUser that has been specified.

Values: fieldWorkerUT | GISProfessionalStdUT | GISProfessionalBasicUT | GISProfessionalAdvUT | creatorUT | editorUT | insightsAnalystUT

Note:

Be aware that when enableAutomaticAccountCreation is set to true, enterprise accounts are added as members of your organization not only when the user browses to your portal web site, but also when they view embedded web maps from your portal, or view a web map or web application from a link. This could result in a rapid increase in the number of accounts in your portal.

Example Usage

https://server.domain.com/gis/portaladmin/security/config/update
securityConfig={"disableServicesDirectory":false,"enableAutomaticAccountCreation":true, "defaultRoleForUser": "12aBC3D4EF5ghIJ", "webgisServerTrustKey": "xxx..."}
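
The following is an added example, not code from Esri or from the original page. It validates a change set against the properties documented above, refuses edits to webgisServerTrustKey, and builds the form-encoded securityConfig parameter. It assumes the full current object is sent back with each update, as in the request above; the function names and the sample configuration are hypothetical.

```python
import json
from urllib.parse import urlencode

BOOLEAN_PROPS = {"enableAutomaticAccountCreation", "disableServicesDirectory"}
STRING_PROPS = {"allowedProxyHosts", "defaultRoleForUser",
                "defaultIDPUsernameSuffix", "defaultUserTypeIdForUser"}
USER_TYPES = {"fieldWorkerUT", "GISProfessionalStdUT", "GISProfessionalBasicUT",
              "GISProfessionalAdvUT", "creatorUT", "editorUT", "insightsAnalystUT"}
TRUST_KEY = "webgisServerTrustKey"  # generated at federation; never edited here


def build_update(current, changes):
    """Validate changes, merge them into the current config, return the form body."""
    for name, value in changes.items():
        if name == TRUST_KEY:
            raise ValueError(f"{TRUST_KEY} must not be modified")
        if name in BOOLEAN_PROPS and not isinstance(value, bool):
            raise ValueError(f"{name} must be true or false")
        if name in STRING_PROPS and not (isinstance(value, str) and value):
            raise ValueError(f"{name} must be a non-empty string")
        if name not in BOOLEAN_PROPS | STRING_PROPS:
            raise ValueError(f"unsupported property: {name}")
    if changes.get("defaultUserTypeIdForUser", "creatorUT") not in USER_TYPES:
        raise ValueError("unknown user type")
    merged = {**current, **changes}  # untouched keys, trust key included, carry over
    return urlencode({"securityConfig": json.dumps(merged)}), merged


def review(config):
    """Return findings for settings the documentation describes as permissive."""
    findings = []
    if not config.get("allowedProxyHosts"):
        findings.append("allowedProxyHosts undefined: no host restrictions applied")
    if not config.get("disableServicesDirectory", False):
        findings.append("services directory HTML pages accessible to everyone")
    if config.get("enableAutomaticAccountCreation", False):
        role = config.get("defaultRoleForUser", "account_user")
        findings.append(f"automatic account creation on; new accounts get {role}")
    return findings


# Constructed sample of a current configuration (placeholder trust key).
CURRENT = {"enableAutomaticAccountCreation": True, "disableServicesDirectory": False,
           "defaultRoleForUser": "account_publisher", TRUST_KEY: "PLACEHOLDER-KEY"}

if __name__ == "__main__":
    body, merged = build_update(CURRENT, {"enableAutomaticAccountCreation": False,
                                          "disableServicesDirectory": True,
                                          "allowedProxyHosts": "(.*).domain.com"})
    print(review(CURRENT), review(merged), body, sep="\n")
```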

JSON Response Syntax

{
  "enableAutomaticAccountCreation": true|false,
  "disableServicesDirectory": true|false,
  "defaultRoleForUser": "account_user"|"account_publisher"|<custom role ID>,
  "defaultLevelForUser": 1|2,
  "webgisServerTrustKey": "xxx..."
}