If you plan to federate your ArcGIS Server site with Portal for ArcGIS, be aware that the way you administer your ArcGIS Server site will change after your federate. The key differences to administering a federated server are noted below.
Security differences
When you federate an ArcGIS Server site with a portal, the portal's security store controls all access to the server. This impacts how you access and administer the federated server.
Users, roles, and permissions
When you federate, any users, roles, and permissions that you previously configured on ArcGIS Server services are no longer valid. Access to services is instead determined by portal members, roles, and sharing permissions.
Similar to ArcGIS Server, the portal offers user, publisher, and administrator levels of privilege. The portal additionally includes a custom role that is considered a user role by the federated server. You should set up and check these permissions in your portal before you expose your federated server to end users.
At the time of federation, items are automatically created in the portal for all existing ArcGIS Server services. These items are owned by the administrator who performs federation. After federation, ownership can be reassigned to existing portal members as desired. Any items or services added to the portal after federation are explicitly owned by the member who created them.
When federated, the ability to isolate access to the server is eliminated. For example, anyone with publisher privileges can publish to any federated server. However, you can update a federated server's security configuration to restrict administrative and publisher access. See Fine-grained access control of federated servers below for details.
User role
Members who are assigned this role can connect to and use ArcGIS Server services. When connected to a federated server as a user, any services shared with the user or a group the user is a member of can be viewed and consumed. Users see a customized view of the portal website, can use the organization's maps, apps, layers, and tools, and join groups owned by the organization. Users can also create maps and apps, add items, share content, and create groups.
Publisher role
Publishers can only work with services that they have created in the portal. They cannot modify or delete other publishers' services. For example, when connected to the federated server in ArcMap, only services published by the publisher will display. Publishers have user privileges and can also perform analysis on layers in maps.
Anyone with publisher privileges can publish to any federated server. Services published to a federated server are automatically added as items in the portal. Hosted services published directly to the portal appear as items in the portal and as services on the hosting server.
Administrator role
Administrators have user and publisher privileges, and they have permissions to all services hosted by the federated server. Administrators also have privileges to manage the portal and all of its members. A portal must have at least one administrator. However, there are no limits on how many can administer an organization. For example, if a portal has five members, all five members can be administrators.
Custom role
Custom roles include a specific set of privileges defined by the administrator. For example, you might have access to maps and apps, but cannot create groups. Or you might have privileges to publish features but not tiles. Custom roles are not supported by a federated server; any custom role defined with any level of privileges is treated as a user role.
Fine-grained access control of federated servers
You can update a federated server to restrict publishing and administrative access. Once updated, all portal administrators will still have administrative privileges on the server. Portal members with publisher privileges will not be granted publishing access to the server by default. Instead, publisher access to the server is controlled by a group named [federated server name]_Publishers or the item [federated server name]_Publishers. To gain publisher privileges to the server, the portal member must be either a member of the [federated server name]_Publishers group or a member of a group that the [federated server name]_Publishers item has been shared with. Likewise, additional administrative access to the server is controlled by a group named [federated server name]_Administrators or the item [federated server name]_Administrators. A portal member must be either a member of this group or a member of the group that the item has been shared with to gain administrative access to the server.
Fine-grained access control is configured in the ArcGIS Portal Directory. Once you have federated a server with your portal, follow the steps below to update the server to enable this control.
- Log in to the ArcGIS Portal Directory as a portal member with administrative privileges. The URL to the Portal Directory is in the format https://portal.domain.com/arcgis/portaladmin.
- Go to Federation > Servers and click the server you would like to edit.
- Click Update.
- On the Server role drop-down menu, choose Federated Server With Restricted Publishing.
- Click Update Server.
- You will now see the [federated server name]_Administrators and [federated server name]_Publishers groups as well as the corresponding items in the My Content page. These will be owned by the portal member who updated the server.
Connect to Manager
You can connect to Manager only if your portal account is assigned to the administrator or publisher role. You cannot log in to Manager using an account assigned to the user role. You also cannot log in using the site's primary site administrator account. When you connect, you should use a URL that uses HTTPS and includes the fully qualified domain name of the server:
- If you are connecting directly to ArcGIS Server, the URL is formatted https://gisserver.domain.com:6443/arcgis/manager. If the site includes multiple GIS servers, this will be the URL of the machine you specified for the Administration URL when federating your site.
- If you are connecting through ArcGIS Web Adaptor, you'll need to ensure administrative access is enabled on ArcGIS Web Adaptor. The URL you'll use to connect is formatted https://webadaptor.domain.com/arcgis/manager.
If your portal is configured with a built-in identity store or Lightweight Directory Access Protocol (LDAP), you'll need to enter the user name and password of your portal account. If your portal is configured with Windows Active Directory, you may be prompted to enter your Windows credentials or be logged into Manager automatically.
Connect to the server in ArcGIS for Desktop
You can connect to the server in ArcGIS for Desktop with any portal account, for example, accounts assigned to the user, publisher, or administrator role. You can also connect to the server using the primary site administrator account from your ArcGIS Server site.
When you supply the Server URL when connecting to your server using the Add ArcGIS Server wizard, you should specify a URL that uses HTTPS and includes the fully qualified domain name of the server:
- If you are connecting directly to ArcGIS Server, the URL is formatted https://gisserver.domain.com:6443/arcgis.
- If you are connecting through ArcGIS Web Adaptor as a publisher or administrator, you'll need to ensure administrative access is enabled on the Web Adaptor. The URL you'll use to connect is formatted https://webadaptor.domain.com/arcgis/manager.
If your portal is configured with a built-in identity store or Lightweight Directory Access Protocol (LDAP), you'll need to enter the user name and password of your portal account. If your portal is configured with Windows Active Directory, do not enter your Windows credentials in the wizard; click Finish, and you'll be connected to the server automatically. If you want to connect to ArcGIS Server using the primary site administrator account, enter the credentials for the account.
Connect to the ArcGIS Server Administrator Directory and Services Directory
When connecting to the ArcGIS Server Administrator Directory, you may need to supply a portal token. The login page provides instructions on how to obtain this token. For more information, see Accessing the Administrator Directory on a federated server. Alternatively, you can log in using the server's primary site administrator account if you connect directly through port 6080 or 6443.
When connecting to the ArcGIS Server Services Directory, you do not need to provide a token. You'll log in using your portal credentials. You cannot log in using the primary site administrator account.
Behavior of a portal's hosting server
When you designate your federated server to also act as the portal's hosting server, you provide the portal with a powerful back end. You allow portal users with at least publisher privileges to publish cached maps, feature services, and scene services (tile layers, feature layers, and scene layers). These users might not have any ArcGIS products on their computers; they may just publish the services by uploading a shapefile or a CSV file through the portal website; however, publishing through ArcMap is still an option.
All services published by portal users directly to the portal are hosted services and are placed in an ArcGIS Server folder called Hosted. This way, you can keep track of which services are hosted services and which are not. If you delete a hosted service through the portal, it's also deleted from the server. This is not true for services published to the federated server; if you delete a service from the portal that was published to the federated server, the service is not deleted from the server.
Service types listed in the Hosted folder differ from those in other server folders. This is to match the item types that are displayed in Portal for ArcGIS. The table below lists all supported hosted services and their updated item types:
ArcGIS Server service type | Hosted folder/Portal for ArcGIS item type |
---|---|
Cached map service | Tile layer |
Cached map service with feature service | Tile and Feature Layer |
Feature service | Feature Layer |
Scene service | Scene Layer |
When viewing and editing hosted service properties in Manager or ArcGIS for Desktop, there will only be a subset of the expected ArcGIS Server capabilities or operations available. For example, some services will not display instance information in the service gallery or service Pooling tab in Manager.
When using the Catalog window in ArcGIS for Desktop to administer your hosted services, perform your work through the My Hosted Services node instead of your GIS server connection node. This will help ensure that you only view capabilities available through the portal.
A hosting server should have sufficient storage space, CPU, and memory to accommodate the services that it will host. You should train your publishers carefully, and monitor your server metrics to avoid exceeding capacity.
Considerations for tile layers and caching jobs
Tile layers present special challenges because of the processing power that can be taken by a single large caching job or many concurrent jobs. By publishing a tile layer at large scale over an indiscriminately broad area, a single untrained portal publisher could send a very large caching job to the server that would consume portal resources for a long time.
You can potentially mitigate the effect of caching jobs by running your CachingTools service in a separate ArcGIS Server cluster from the other services. If this is not possible, you can lower the number of instances of the CachingTools service that are allowed to run at one time, thereby leaving CPU cycles available for other services.
You can also limit the number of caching jobs that can run at one time by lowering the maximum number of instances allowed for the CachingControllers service. By default, three jobs can run simultaneously.
See Allocation of server resources to caching for additional details on how server resources are apportioned for caching jobs.
Unfederate the server from the portal
You can unfederate the server from the portal, allowing each to continue independent of the other. This process of separation requires several steps.
- If the hosted services that were published by members of the portal are no longer needed, you can log in to ArcGIS Server Manager and delete them. Hosted services are in the Hosted folder on your server. If the services will still be used, skip this step.
- Disable the hosting server so that portal users can no longer publish to it.
- Remove the ArcGIS Server site from your portal, which restores your ArcGIS Server security store to its default settings and removes any portal items that came from the server while it was federated.
- Configure ArcGIS Server security to use your desired user and role stores.