Setting up users and roles in a custom provider |
|
Release 9.3.1 |
You can use a custom provider to store users and roles. Custom providers are created as standard ASP.NET membership and role providers. Providers may be available from software vendors or other sources for particular storage types. For example, an Oracle provider is available for using Oracle databases. Another example is an XML file based provider, available from a number of sources.
The provider must be created and configured outside Manager. Additionally, you must also configure the user and role stores before using the provider with Manager. The custom provider must implement the requirements for an ASP.NET provider. If the provider meets these prerequisites, it can be utilized as the user and role store. For example, this page at Microsoft discusses providers and shows how to use the Active Directory provider built into ASP.NET: How To: Use Membership in ASP.NET 2.0.
Once you've obtained the custom provider, you must add it to Manager's configuration file to see the provider in Manager's Security dialog box. Add the provider configuration information to the web.config file at /ArcGIS/Security web application (by default this is at C:\Inetpub\wwwroot\ArcGIS\Security). The entries in this web.config file should be standard provider entries as would be used when configuring an ASP.NET application to use the provider. Specifically, the <membership> element would be added if necessary, with a <providers> subelement. The provider would be inserted with an <add> element inside <providers>. Any connection strings or other required information would also need to be added. The content of these elements will vary depending on how the provider works.
For example, the following settings would be added to the web.config file for the Active Directory provider, as discussed in the topic How To: Use Membership in ASP.NET 2.0 linked above:
<connectionStrings> <add name="ADConnectionString" connectionString= "LDAP://domain.testing.com/CN=Users,DC=domain,DC=testing,DC=com" /> </connectionStrings> <system.web> ... <membership defaultProvider="MembershipADProvider"> <providers> <add name="MembershipADProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="ADConnectionString" connectionUsername="<domainName>\administrator" connectionPassword="password"/> </providers> </membership> ... </system.web>
ArcGIS Server can allow users to recover lost passwords. If your provider supports recovering lost passwords, and you want to enable users to recover passwords, you must also add a mail settings section with SMTP mail server information into the web.config file. For details and examples, see this Microsoft page: http://msdn2.microsoft.com/en-us/library/ms164240.aspx.
When you choose to use a custom provider in Manager, Manager copies these entries from this web.config file into the web.config files for the Web services application and for each Web application registered in Manager's application list.
Any custom provider should be thoroughly tested before being used with Manager. If the custom provider does not work properly, or is not configured correctly in Manager/Security/web.config, then security features will not work with services or Web applications.
Once you've tested the custom provider and added it to Manager's configuration file, perform the following steps to use it as the user and role store:
Whether Manager may be used to add, edit, or delete users or roles depends on the custom provider. If the provider implements the methods in the .NET API to manage users and roles, then Manager will enable editing operations for users or roles. If editing tools are not available, then you must use tools compatible with the provider to manage users and roles. Refer to the provider vendor for management tools.
User names and roles in a custom provider must not contain commas (,) or semicolons (;). Your custom provider may have other characters that are not permitted in user names or roles.