Update Security Configuration

Description

This operation can be used to update the portal's security settings, such as whether or not Enterprise accounts are automatically registered as members of your organization the first time they access your Enterprise portal.

The security configuration is stored as a collection of properties in a JSON object. The following properties are supported:

  • allowedProxyHosts (introduced at 10.3)
  • enableAutomaticAccountCreation
  • disableServicesDirectory
  • defaultIDPUsernameSuffix (introduced at 10.5.1)

Note:
The webgisServerTrustKey is automatically generated during the federation process and used for communication with a federated ArcGIS Server. This key should not be modified.

Request parameters

Parameter | Details
securityConfig

The JSON object containing the properties listed below.

f

The response format. The default response value is html.

Values: html | json | pjson

securityConfig properties

Property | Details
allowedProxyHosts

This property restricts which hosts Enterprise portal can access directly. This restriction applies to several scenarios, including when the Enterprise portal accesses resources from a server that does not support Cross-Origin Resource Sharing (CORS) or when saving credentials used to access a secure service. By default, this property is not defined and no restrictions are applied. Use the format (.*).domain.com to allow access to all machines within a specified domain.

Syntax: A comma-separated list of host names.

enableAutomaticAccountCreation

The automatic account creation flag. This determines the behavior for unregistered ArcGIS Enterprise accounts the first time they access Enterprise portal. The default value for the property is false. When set to false, first-time users are not automatically registered as members of your ArcGIS organization and have the same access privileges as other nonmembers. For these accounts to sign in, an administrator must register the Enterprise accounts using the Create User operation. When the value is set to true, Enterprise portal automatically adds Enterprise accounts as members of your organization.

Values: true | false

defaultLevelForUser
Legacy:

This property has been deprecated as of 10.7 with the changes to user type licensing. You can set a default user type for new users using the defaultUserTypeIdForUser property below. For more information on user types, see User types, roles, and privileges.

Introduced at 10.5, this property sets the level Enterprise portal automatically assigns to new accounts. Level 1 membership allows members to view content, such as maps and apps, that have been shared with them through the organization. Level 2 membership allows members to view, create, and share content.

Values: 1 | 2

disableServicesDirectory

This property controls whether the HTML pages of the services directory should be accessible to the users. The default value for this property is false, meaning the services directory HTML pages are accessible to everyone.

Values: true | false

defaultRoleForUser
Legacy:

At 10.8, the default user role is no longer set through the Portal Administration API. The default role for new members can now be set from the New Member Defaults tab in the Organization Settings of Enterprise portal or through the Set User Default Settings operation in the Portal Services (Sharing) API.

Introduced at 10.4, this property sets which role Enterprise portal automatically assigns to new accounts. By default, new accounts are assigned to account_user. Other possible values are account_publisher or the ID of one of the custom roles defined in your organization. To obtain a custom role ID, sign in to the Enterprise portal sharing directory and browse to Portals > Self > Roles where you can copy the custom role ID you want to use.

Values: account_user | account_publisher | <custom role ID>

defaultIDPUsernameSuffix

This property appends an underscore and specified suffix to new Enterprise accounts that will sign in via SAML. This applies to accounts created automatically and manually through Enterprise portal. This allows ArcGIS Enterprise user names in Enterprise portal to match corresponding Enterprise portal user names in ArcGIS Online. This is needed if editor tracking is enabled on a feature service that is edited by Enterprise portal users from both ArcGIS Online and ArcGIS Enterprise.

For example, if the defaultIDPUsernameSuffix property is specified as energy, the Enterprise user names created for SAML logins will append _energy to the user name. See the examples below:

  • The user name rsanchez becomes rsanchez_energy.
  • With an email address used as a user name, rsanchez becomes [email protected]_energy.

defaultUserTypeIdForUser
Legacy:

At 10.8, the default user type is no longer set through the Portal Administration API. The default user type for new members can now be set from the New Member Defaults tab in the Organization Settings of Enterprise portal or through the Set User Default Settings operation in the Portal Services (Sharing) API.

Introduced at 10.7, this property sets the default user type assigned to users during account creation and when creating built-in accounts. These user types must be compatible with the defaultRoleForUser that has been specified.

Values: fieldWorkerUT | GISProfessionalStdUT | GISProfessionalBasicUT | GISProfessionalAdvUT | creatorUT | editorUT | insightsAnalystUT

allowInternetCORSAccess

Introduced at 10.9.1. A boolean that controls the value of the "Access-Control-Allow-Private-Network" response header in a CORS pre-flight request to a portal service URL. This was added to support the Private Network Access web specification (CORS-RFC1918), which aims to protect resources on a private network from cross-origin (CORS) requests initiated by websites loaded from a less-private network. The default value is true.

Values: true | false

Note:

Be aware that when enableAutomaticAccountCreation is set to true, ArcGIS Enterprise accounts are added as members of your organization not only when users access your Enterprise portal, but also when they view embedded web maps from your Enterprise portal, or view a web map or web application from a link. This could result in a rapid increase in accounts.

Example usage

Below is a sample POST request for update, formatted for readability:


POST /webadaptor/portaladmin/security/config/update HTTP/1.1
Host: machine.domain.com
Content-Type: application/x-www-form-urlencoded
Content-Length: []

securityConfig={
  "disableServicesDirectory": false,
  "enableAutomaticAccountCreation": false,
  "webgisServerTrustKey": "xxxXxxxxXxxxXxxxxXxxxxXxxXxxxxxxXxXxxXxxxXX="
}&f=json

JSON Response example


{
  "status": "success",
  "recheckAfterSeconds": 10
}
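
The following is an added example, not Esri code: a Python helper that builds the form body for the update request shown above while refusing any change to webgisServerTrustKey and flagging the permissive defaults this page describes. The function name, the sample configuration and the placeholder trust key are assumptions; it also assumes the caller has already retrieved the current configuration and sends the full object back, as the sample request does.

```python
import json
from urllib.parse import urlencode

# Property names and value types as documented on this page.
BOOLEAN_PROPS = {"enableAutomaticAccountCreation", "disableServicesDirectory",
                 "allowInternetCORSAccess"}
STRING_PROPS = {"allowedProxyHosts", "defaultIDPUsernameSuffix"}
LEGACY_PROPS = {"defaultLevelForUser", "defaultRoleForUser",
                "defaultUserTypeIdForUser"}
PROTECTED = "webgisServerTrustKey"  # generated during federation; never edit

# Constructed sample of a current configuration (trust key is a placeholder).
SAMPLE_CURRENT = {
    "disableServicesDirectory": False,
    "enableAutomaticAccountCreation": False,
    "webgisServerTrustKey": "PLACEHOLDER-TRUST-KEY",
}


def build_update_body(current, changes):
    """Validate `changes`, merge them into `current`, and return
    (form_body, warnings) for the update operation's POST body."""
    warnings = []
    for name, value in changes.items():
        if name == PROTECTED:
            raise ValueError(f"{PROTECTED} must not be modified")
        if name in BOOLEAN_PROPS:
            if not isinstance(value, bool):
                raise ValueError(f"{name} must be true or false")
        elif name in STRING_PROPS:
            # allowedProxyHosts is a comma-separated list: reject empty entries.
            parts = value.split(",") if isinstance(value, str) else [""]
            if not all(p.strip() for p in parts):
                raise ValueError(f"{name} has an empty or non-string value")
        elif name in LEGACY_PROPS:
            warnings.append(f"{name} is a legacy property")
        else:
            raise ValueError(f"unsupported property: {name}")
    merged = {**current, **changes}  # untouched keys, trust key included, pass through
    if merged.get("enableAutomaticAccountCreation"):
        warnings.append("automatic account creation is on")
    if not merged.get("allowedProxyHosts"):
        warnings.append("allowedProxyHosts is not defined: no host restrictions")
    if not merged.get("disableServicesDirectory"):
        warnings.append("services directory HTML pages are accessible to everyone")
    body = urlencode({"securityConfig": json.dumps(merged), "f": "json"})
    return body, warnings
```

The returned body is sent with Content-Type application/x-www-form-urlencoded; the warnings list is meant for review before the request is submitted.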