The security of your ArcGIS Monitor deployment depends on proper, stringent authentication and authorization of your users. Authentication is the process of verifying the identity of a user, and authorization is the process of verifying that an authenticated user has the permission to access the requested resource or perform the requested operation. To enforce permissions for secured resources and operations, a user is first authenticated; then their authorization is verified. These terms are defined by your security model.
The security model for Monitor determines who can register and manage resources such as components and collections, and who can perform administrative tasks.
Users, roles, and permissions
Monitor manages access to secured resources using a role-based access control system. There are three main components in a role-based access control system: users, roles, and permissions.
Users
A user is any person or software agent accessing a Monitor resource. An identity store is a list of users who can make resource requests. Monitor uses a built-in identity store.
Roles
A role is assigned to a set of users and is used to grant a specific level of access to Monitor resources. Users who comprise a role are usually related by function, title, or some other relationship. For example, users who will perform administration tasks should be assigned the Administrator role, while users who only need to view and explore components or metrics should be assigned the Viewer role. In the Monitor built-in identity store, a user can only be assigned a single role. Monitor includes the following purpose-built roles:
- Administrator—Administrators have unrestricted access to Monitor capabilities. Administrators can fully manage system settings, register and unregister Monitor Agent machines and components, configure security settings, and manage users and all other capabilities in Monitor. This role should be restricted to users who perform Monitor administration functions.
- Manager—Managers have limited access to Monitor capabilities. Managers can manage all monitoring-related capabilities such as components, observers, metrics, collections, and incidents. However, they cannot configure or change Monitor system or security settings. This role should be restricted to users who manage monitored environments but do not need access to configure Monitor system or security settings.
- Viewer—Viewers have restricted access to Monitor capabilities. Viewers can view resources such as components, metrics, alerts, and collections. This role should be assigned to users who only need to consume information in Monitor.
Permissions
Permissions grant authority to perform a certain task or access a certain resource. Permissions are inherent to a role and cannot be changed. Individual users acquire permissions by inheriting them from their assigned role. The following table lists the permissions assigned to each role:
| Permission | Viewer role | Manager role | Administrator role |
|---|---|---|---|
View any alert | Yes | Yes | Yes |
Manage any alert | No | Yes | Yes |
Register any agent | No | Yes | Yes |
View any agent | No | Yes | Yes |
Manage any agent | No | Yes | Yes |
Unregister any agent | No | Yes | Yes |
Create analysis | No | Yes | Yes |
View any analysis | Yes | Yes | Yes |
Manage own analysis | No | Yes | Yes |
Manage any analysis | No | No | Yes |
Delete own analysis | No | Yes | Yes |
Delete any analysis | No | No | Yes |
Create collection | No | Yes | Yes |
View any collection | Yes | Yes | Yes |
Manage any collection | No | Yes | Yes |
Delete any collection | No | Yes | Yes |
Register any component | No | Yes | Yes |
View any component | Yes | Yes | Yes |
Manage any component | No | Yes | Yes |
Unregister any component | No | Yes | Yes |
Create dataview | No | Yes | Yes |
View any dataview | No | Yes | Yes |
Manage own dataview | No | Yes | Yes |
Manage user-created dataview | No | No | Yes |
Delete own dataview | No | Yes | Yes |
Delete any user-created dataview | No | No | Yes |
Create Incident | No | Yes | Yes |
View any Incident | No | Yes | Yes |
Manage any Incident | No | Yes | Yes |
Delete any Incident | No | Yes | Yes |
Create label | No | Yes | Yes |
View any label | No | Yes | Yes |
Manage any label | No | Yes | Yes |
Delete any label | No | Yes | Yes |
View system logs | No | Yes | Yes |
View any metric | Yes | Yes | Yes |
Manage any metric | No | Yes | Yes |
Create any Notification | No | Yes | Yes |
View any Notification | No | Yes | Yes |
Manage any Notification | No | Yes | Yes |
Delete any Notification | No | Yes | Yes |
View any observer | No | Yes | Yes |
Manage any observer | No | Yes | Yes |
Manage system configuration | No | No | Yes |
Manage users | No | No | Yes |