Update Security Configuration

URL: https://<root>/security/config/update
Methods: POST
Required Capability: Access allowed with the "Security and Infrastructure" privilege
Version Introduced: 10.2.1

Description

The update operation can be used to update the portal's security settings, such as whether or not enterprise accounts are automatically registered as members of your organization the first time they log in.

The security configuration is stored as a collection of properties in a JSON object. The supported properties are defined in the Security configuration properties table below.

Request parameters

Parameter | Details

securityConfig

The JSON object containing the properties listed below.

f

The response format. The default response value is html.

Values: html | json | pjson

Security configuration properties

Properties | Details

allowedProxyHosts

Restricts which hosts the Enterprise portal can access directly. This restriction applies to several scenarios, including when the Enterprise portal accesses resources from a server that does not support Cross-Origin Resource Sharing (CORS) or when saving credentials used to access a secure service. By default, this property is not defined and no restrictions are applied. Use the format (.*).domain.com to allow access to all machines within a specified domain.

Syntax: A comma-separated list of host names.

enableAutomaticAccountCreation

The automatic account creation flag. This determines the behavior for unregistered enterprise accounts the first time they access an organization. The default value for the property is false. When set to false, first-time users are not automatically registered as members of your organization and must have the same access privileges as other nonmembers. For these accounts to sign in, an administrator must register the enterprise accounts using the Create User operation. When the value is set to true, ArcGIS Enterprise will automatically add enterprise accounts as members of your organization.

Values: true | false

disableServicesDirectory

Controls whether the HTML pages of the services directory should be accessible to the users. The default value for this property is false, meaning the services directory HTML pages are accessible to everyone.

Values: true | false

defaultRoleForUser

Sets which role ArcGIS Enterprise automatically assigns to new accounts. By default, new accounts are assigned to account_user. Other possible values are account_publisher or the ID of one of the custom roles defined in your organization. To obtain a custom role ID, access the Roles resource in the Portal Directory API where you can copy the custom role ID you want to use.

Values: account_user | account_publisher | <custom role ID>

defaultIDPUsernameSuffix

Appends an underscore and specified suffix to new enterprise accounts that will sign in via SAML. This applies to accounts created automatically and manually. This allows enterprise usernames in ArcGIS Enterprise to match corresponding enterprise usernames in ArcGIS Online. This is needed if editor tracking is enabled on a feature service that is edited by members from both ArcGIS Online and ArcGIS Enterprise.

For example, if the defaultIDPUsernameSuffix property is specified as energy, the enterprise user names created for SAML logins will append _energy to the user name. See the examples below:

  • The user name rsanchez becomes rsanchez_energy.
  • With an email address used as a user name, rsanchez becomes rsanchez@domain.com_energy.

defaultUserTypeIdForUser

Sets the default user type assigned to users during account creation and when creating built-in accounts. These user types must be compatible with the defaultRoleForUser that has been specified.

Values: creatorUT | editorUT | GISProfessionalStdUT | GISProfessionalAdvUT | viewerUT | fieldWorkerUT

allowInternetCORSAccess

Introduced at 10.9.1. A boolean that controls the value of the Access-Control-Allow-Private-Network response header in a CORS pre-flight request to a portal service URL. This was added to support the Private Network Access web specification (CORS-RFC1918), which aims to protect websites accessed over a private network from being able to make internal cross-origin (CORS) requests. The default value is true.

Values: true | false

contentSecurityPolicy

Introduced at 11.4. The contentSecurityPolicy property defines the Content-Security-Policy (CSP) response headers that are included when accessing the organization's portal website or any of its associated applications. The CSP for the portal website and the CSP for its applications are defined separately. The values for each CSP can be one or more of the CSP directives based on the CSP specifications. For more information on CSP syntax and directives, reference the Content-Security-Policy documentation maintained by MDN Web Docs.

"contentSecurityPolicy": {
  "home": "frame-ancestors 'self';",
  "apps": "frame-ancestors 'self' sample.domain.com;"
}

Example usage

The following is a sample POST request for the update operation:

POST /webadaptor/portaladmin/security/config/update HTTP/1.1
Host: machine.domain.com
Content-Type: application/x-www-form-urlencoded
Content-Length: []

securityConfig={
  "disableServicesDirectory": false,
  "enableAutomaticAccountCreation": false,
  "contentSecurityPolicy": {
    "home": "frame-ancestors 'self';",
    "apps": "frame-ancestors 'self' sample.domain.com;"
  }
}&f=pjson

JSON Response example

{
  "status": "success",
  "recheckAfterSeconds": 10
}
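
The following is an added example, not part of the original page or Esri's code: a pre-flight review of a securityConfig object against the values documented in the properties table, followed by correct form encoding of the POST body. The function names and the warning policy are assumptions of this example, and the review treats the dict as the full configuration you intend to apply.

```python
import json
from urllib.parse import urlencode

# Documented values from the properties table on this page.
BOOLEAN_PROPS = ("enableAutomaticAccountCreation", "disableServicesDirectory",
                 "allowInternetCORSAccess")
USER_TYPES = {"creatorUT", "editorUT", "GISProfessionalStdUT",
              "GISProfessionalAdvUT", "viewerUT", "fieldWorkerUT"}


def review_security_config(config):
    """Return (errors, warnings) for a securityConfig dict.

    Errors: values the properties table does not list.
    Warnings: this example's own review policy (an assumption).
    """
    errors, warnings = [], []
    for prop in BOOLEAN_PROPS:
        if prop in config and not isinstance(config[prop], bool):
            errors.append(f"{prop} must be true or false")
    user_type = config.get("defaultUserTypeIdForUser")
    if user_type is not None and user_type not in USER_TYPES:
        errors.append(f"unknown defaultUserTypeIdForUser: {user_type}")
    if not config.get("allowedProxyHosts"):
        warnings.append("allowedProxyHosts undefined: no host restrictions")
    if config.get("enableAutomaticAccountCreation") is True:
        warnings.append("enterprise accounts are registered automatically")
    if config.get("disableServicesDirectory", False) is not True:
        warnings.append("services directory HTML pages are accessible")
    csp = config.get("contentSecurityPolicy") or {}
    for key in ("home", "apps"):
        if "frame-ancestors" not in csp.get(key, ""):
            warnings.append(f"contentSecurityPolicy.{key}: no frame-ancestors")
    return errors, warnings


def build_update_body(config, fmt="json"):
    """Build the x-www-form-urlencoded body for the update operation."""
    if fmt not in ("html", "json", "pjson"):
        raise ValueError("f must be html, json or pjson")
    errors, _ = review_security_config(config)
    if errors:
        raise ValueError("; ".join(errors))
    # CSP values contain ';', quotes and spaces, so percent-encode the JSON
    # instead of concatenating it into the body.
    return urlencode({"securityConfig": json.dumps(config), "f": fmt})
```

Run against the sample request above, the review reports no errors and two warnings: allowedProxyHosts is undefined and the services directory HTML pages remain accessible.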
