
Description

The role store is a repository of roles (groups) and a mapping of users to roles. ArcGIS Server uses the roles and the mapping during authorization of a request. The authorization module fetches all the roles that have been assigned to a user and then computes the user's privileges as the union of the privileges assigned to each of those roles.

In addition to connecting to your enterprise role store such as Windows Domain or any other directory service that supports an LDAP interface, ArcGIS Server also ships with a built-in storage mechanism where you can create your roles and define a user-to-role mapping.

ArcGIS Server requires you to configure a role store while setting up security on your site. The role store configuration is represented in JSON format as follows:

	{
		"type": "<BUILTIN | WINDOWS | LDAP | CUSTOM>",
		"properties": <properties>
	}

Properties

BUILTIN

  Property                 Description
  n/a                      n/a

LDAP

  Property                 Description
  ldapURLForRoles          The LDAP URL pointing to the roles, if roles are stored within the LDAP.
                           Example: "ldap://server:389/dc=mydomain,dc=com???(&(objectClass=group))?"
  memberAttributeInRoles   The attribute of the role entry that contains user membership information.
                           Example: member
  usernameAttribute        The attribute of the user entry that is to be treated as the username.
                           Example: name
  rolenameAttribute        The attribute of the role entry that is to be treated as the rolename.
                           Example: name
  adminUser                The administrative account to the LDAP that has at least read access.
                           Example: cn=admin,cn=users,dc=mydomain,dc=com
  adminUserPassword        The credentials for the administrative account.
                           Example: secret

WINDOWS

  Property                 Description
  adminUser                The administrative account to the LDAP that has at least read access.
                           Example: cn=admin,cn=users,dc=mydomain,dc=com
  adminUserPassword        The credentials for the administrative account.
                           Example: secret

CUSTOM

  Property                 Description
  class                    The fully qualified name of the Java class that implements custom access to the role store.
                           Example: com.myorg.userstore.DBUserStore
  ...                      Any custom properties that are required by your class.

Example

The JSON representation of a connection to LDAP:

{
	"type": "LDAP",
	"properties": {
		"ldapURLForRoles": "ldap://server:389/dc=mydomain,dc=com???(&(objectClass=group))?",
		"memberAttributeInRoles": "member",
		"usernameAttribute": "name",
		"rolenameAttribute": "name",
		"adminUser": "cn=admin,cn=users,dc=mydomain,dc=com",
		"adminUserPassword": "secret"
	}
}

The JSON representation of a connection to Windows Domain roles:

{
	"type": "WINDOWS",
	"properties": {
		"adminUser": "ourdomain\\myreadonlyaccount",
		"adminUserPassword": "secret"
	}
}
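The following Python is an added example, not Esri's code or part of the ArcGIS Server product. It checks a role store document of the shape shown in the Properties table and in the two examples above before it is submitted to the site: it verifies that the type is one of the four listed values and that the properties the table names for that type are present, it decomposes the ldapURLForRoles value into host, port, base DN, attributes, scope and filter (the RFC 4516 URL layout the example follows, so an operator can see which subtree and filter the role search will actually use), and it produces a copy with adminUserPassword masked so the document can be logged or compared without exposing the read-only account's secret. The required-property lists are an assumption taken from the table on this page; the hostname, DN and password values are the page's own sample values.

```python
"""Validate an ArcGIS Server role store configuration and decompose its LDAP URL.

Added example; not Esri's code. Required properties per type are assumed
from this page's Properties table. LDAP URL layout per RFC 4516:
    ldap://host:port/baseDN?attributes?scope?filter?extensions
"""
import copy
from urllib.parse import urlsplit, unquote

# Assumption: every property the table lists for a type is required for that type.
REQUIRED_PROPERTIES = {
    "BUILTIN": (),
    "LDAP": ("ldapURLForRoles", "memberAttributeInRoles", "usernameAttribute",
             "rolenameAttribute", "adminUser", "adminUserPassword"),
    "WINDOWS": ("adminUser", "adminUserPassword"),
    "CUSTOM": ("class",),
}

# Properties that must never appear in logs or diffs.
SECRET_PROPERTIES = ("adminUserPassword",)

# The LDAP example from this page, used as sample input.
LDAP_EXAMPLE = {
    "type": "LDAP",
    "properties": {
        "ldapURLForRoles": "ldap://server:389/dc=mydomain,dc=com???(&(objectClass=group))?",
        "memberAttributeInRoles": "member",
        "usernameAttribute": "name",
        "rolenameAttribute": "name",
        "adminUser": "cn=admin,cn=users,dc=mydomain,dc=com",
        "adminUserPassword": "secret",
    },
}


def validate_role_store(config):
    """Return a list of problems; an empty list means the document is well-formed."""
    store_type = config.get("type")
    if store_type not in REQUIRED_PROPERTIES:
        return ["unknown role store type: %r" % (store_type,)]
    if store_type == "BUILTIN":
        return []  # the table lists no properties for the built-in store
    props = config.get("properties")
    if not isinstance(props, dict):
        return ["'properties' must be a JSON object"]
    return ["missing or empty property: %s" % key
            for key in REQUIRED_PROPERTIES[store_type] if not props.get(key)]


def parse_ldap_url(url):
    """Split an RFC 4516 LDAP URL into host, port, base DN, attributes, scope, filter, extensions.

    Missing fields take the RFC defaults: scope "base", filter "(objectClass=*)".
    """
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % (url,))
    # Everything after the third '/' is dn?attrs?scope?filter?extensions; urlsplit
    # would stop at the first '?', so the tail is split by hand.
    tail = url.split("/", 3)[3] if url.count("/") >= 3 else ""
    fields = (tail.split("?") + [""] * 5)[:5]
    dn, attrs, scope, filt, exts = fields
    default_port = 636 if parts.scheme == "ldaps" else 389
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port if parts.port is not None else default_port,
        "base_dn": unquote(dn),
        "attributes": [a for a in attrs.split(",") if a],
        "scope": scope or "base",
        "filter": unquote(filt) or "(objectClass=*)",
        "extensions": [e for e in exts.split(",") if e],
    }


def redact(config):
    """Return a deep copy of the document with secret properties masked (input untouched)."""
    safe = copy.deepcopy(config)
    props = safe.get("properties")
    if isinstance(props, dict):
        for key in SECRET_PROPERTIES:
            if key in props:
                props[key] = "***"
    return safe


if __name__ == "__main__":
    print("problems:", validate_role_store(LDAP_EXAMPLE))
    print("ldap url:", parse_ldap_url(LDAP_EXAMPLE["properties"]["ldapURLForRoles"]))
    print("loggable:", redact(LDAP_EXAMPLE))
```

Note that the page's sample URL leaves the scope field empty, which RFC 4516 reads as "base"; the decomposition makes that visible, so an operator can confirm before enabling the store that the base DN and scope together cover the entries the role search is meant to return.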