Update Security Configuration

URL:: https://<root>/security/config/update
Methods:: POST
Required Capability:: Access allowed with the "Security and Infrastructure" privilege
Version Introduced:: 10.2.1

Description

The update operation can be used to update the portal's security settings, such as whether or not enterprise accounts are automatically registered as members of your organization the first time they log in.

The security configuration is stored as a collection of properties in a JSON object. The supported properties are defined in the Security configuration properties table below.

Request parameters

Parameter Details

Parameter	Details
`securityConfig`	The JSON object containing the properties listed below.
`f`	The response format. The default response value is `html`. Values: `html` \| `json` \| `pjson`

securityConfig

The JSON object containing the properties listed below.

f

The response format. The default response value is html.

Values: html | json | pjson

Security configuration properties

Properties	Details
`allowedProxyHosts`	Restricts what hosts Enterprise portal can access directly. This restriction applies to several scenarios, including when the Enterprise portal accesses resources from a server that does not support Cross Origin Resources Sharing (CORS) or when saving credentials used to access a secure service. By default, this property is not defined and no restrictions are applied. Use the format `(.*).domain.com` to allow access to all machines within a specified domain. Syntax: A comma-separated list of host names.
`enableAutomaticAccountCreation`	The automatic account creation flag. This determines the behavior for unregistered enterprise accounts the first time they access an organization. The default value for the property is `false`. When set to `false`, first-time users are not automatically registered as members of your organization and must have the same access privileges as other nonmembers. For these accounts to sign in, an administrator must register the enterprise accounts using the Create User operation. When the value is set to `true`, ArcGIS Enterprise will add enterprise accounts automatically as a member of your organization. Warning Be aware that when `enableAutomaticAccountCreation` is set to `true`, enterprise accounts are added as members of your organization not only when users access the organization, but also when they view embedded web maps from your organization, or view a web map or web application from a link. This could result in a rapid increase in accounts. Values: `true` \| `false`
`disableServicesDirectory`	Controls whether the HTML pages of the services directory should be accessible to the users. The default value for this property is `false`, meaning the services directory HTML pages are accessible to everyone. Values: `true` \| `false`
`defaultRoleForUser`	Note At 10.8, the default user role is no longer set through the Portal Administration API. The default role for new members can now be set from the New Member Defaults tab in your organization settings or through the Set User Default Settings operation in the Portal Directory API. Sets which role ArcGIS Enterprise automatically assigns to new accounts. By default, new accounts are assigned to `account_user`. Other possible values are `account_publisher` or the ID of one of the custom roles defined in your organization. To obtain a custom role ID, access the Roles resource in the Portal Directory API where you can copy the custom role ID you want to use. Values: `account_user` \| `account_publisher` \| `<custom role ID>`
`defaultIDPUsernameSuffix`	Appends an underscore and specified suffix to new enterprise accounts that will sign in via SAML. This applies to accounts created automatically and manually. This allows enterprise usernames in ArcGIS Enterprise to match corresponding enterprise usernames in ArcGIS Online. This is needed if editor tracking is enabled on a feature service that is edited by members from both ArcGIS Online and ArcGIS Enterprise. For example, if the `defaultIDPUsernameSuffix` property is specified as `energy`, the enterprise user names created for SAML logins will append `_energy` to the user name. See the examples below: The user name `rsanchez` becomes `rsanchez_energy`. With an email address used as a user name, `rsanchez` becomes `rsanchez@domain.com_energy`.
`defaultUserTypeIdForUser`	Note At 10.8, the default user type is no longer set through the Portal Administration API. The default user type for new members can now be set from the New Member Defaults tab in organization's settings or through the Set User Default Settings operation in the Portal Directory API. Sets the default user type assigned to users during account creation and when creating built-in accounts. These user types must be compatible with the `defaultRoleForUser` that has been specified. Legacy At ArcGIS Enterprise 11.4, the `GISProfessionalBasicUT` user type has been merged with the `creatorUT` user type; this change provides users assigned the `creatorUT` user type access to the applications previously included with `GISProfessionalBasicUT`. Values: `creatorUT` \| `editorUT` \| `GISProfessionalStdUT` \| `GISProfessionalAdvUT` \| `viewerUT` \| `fieldWorkerUT`
`allowInternetCORSAccess`	Introduced at 10.9.1. A boolean that controls the value of the `Access-Control-Allow-Private-Network` response header in a CORS pre-flight request to a portal service URL. This was added to support the Private Network Access web specification (CORS-RFC1918), which aims to protect websites accessed over a private network from being able to make internal cross-origin (CORS) requests. The default value is `true`. Values: `true` \| `false`
`contentSecurityPolicy`	Introduced at 11.4. The `contentSecurityPolicy` property defines the Content-Security-Policy (CSP) response headers that are included when accessing the organization's portal website or any of its associated applications. The CSP for the portal website, and the CSP for its applications, are defiend separately. The values for each CSP can be one or more of the CSP directives based on the CSP specifications. For more information on CSP syntax and directives, reference the Content-Security-Policy documentation maintained by MDN Web Docs. Use dark colors for code blocksCopy `1 2 3 4 "contentSecurityPolicy": { "home": "frame-ancestors 'self';", "apps": "frame-ancestors 'self' sample.domain.com;" }`

Example usage

The following is a sample POST request for the update operation:

Use dark colors for code blocksCopy
POST /webadaptor/portaladmin/security/config/update HTTP/1.1
Host: machine.domain.com
Content-Type: application/x-www-form-urlencoded
Content-Length: []

securityConfig={
  "disableServicesDirectory": false,
  "enableAutomaticAccountCreation": false,
  "contentSecurityPolicy": {
    "home": "frame-ancestors 'self';",
    "apps": "frame-ancestors 'self' sample.domain.com;"
  }
}&f=pjson

JSON Response example

Use dark colors for code blocksCopy
{
  "status": "success",
  "recheckAfterSeconds": 10
}