Row level Security through silverlight api w/ ActiveDirectoryAuthentication

1192
4
03-16-2011 01:21 PM
StevenSchuldt
New Contributor
Greetings,

I'm looking into a way to incorporate row level security, if at all possible on the database side (due to a client's needs), while still using ESRI's rest services. 

The scenario is, they have an sde database with several million rows, and about 300 hundred users.  Each user will only be able to access certain rows based on their login.

I know ArcGIS manager can be configured to use the ActiveDirectoryProiver, but to secure in this fashion, wouldn't we have to publish several hundred services?

Additionally I've considered using a single service with a spatial view for each user (indexing performance enhancements and all), and publishing them with Map & Feature access, and then limiting access to the different layers through the proxy config.

I'm aware I could simply use the QueryTask along with a where string, but I don't believe the client will be satisfied with this solution.

Also there's the matter of obtaining the security context within the silverlight app - I was planning on just calling a simple web service which would check the Membership provider and get and info I needed from there.

Any thoughts, or suggestions?

Please tell me I'm missing something very simple 🙂

Thanks for any help
0 Kudos
4 Replies
Bende_Vries
New Contributor
Steven,

We had exactly the same requirements last year for a web client app in our homeland security suite of apps. After long studying we decided and implemented the following:
- Use SQlServer's toolkit: Row Level Security
- Not on a per user basis but on a per role basis (3 roles: public, member, admin)
- So, only 3 mapservices and not hundreds
- Not use ArcSDE, database contraints on native tables prevented the use of SDE
- Viewing through REST query layers directly on SQlServer views
- Editing via WCF/RIA services.
- The business app template for SIlverlight comes with a Authentication service which gives you access to authenticated user/roles in the client
- So, we do not use the standard editor widgets  and featurelayer editing
- Authentication on a per user basis and authorization on a per role basis works fine.
- This pattern does not secure data transport properly. We still have to implement a data-secure pattern such that relevant attributes in the database (like login user-identities) are resolved in the server

Regards, Ben
0 Kudos
StevenSchuldt
New Contributor
Thanks much for the reply.

Let me make sure I understand. When you say "Viewing through REST query layers directly on SQlServer views", are you referring to the standard ESRI map REST services, secured via AD authentication?

coupled with

"This pattern does not secure data transport properly. We still have to implement a data-secure pattern such that relevant attributes in the database (like login user-identities) are resolved in the server"

If I'm understanding correctly, your services were secure for viewing at the role level, but could describe briefly how the row level security came into play? Were the sql views hardcoded for particular roles (or role "labels") , thus if you could access a map service, you could see all the rows included in that service, or was there another mechanism used which limited rows to the role?

Just want to be sure you didn't just point out "the missing link" and I didn't catch it 🙂

Our situation truly is 300 or so "roles" or "users", basically one for every agency of a certain type allowed to see only their data.

So I think it's down to a where clause, or a couple hundred rest endpoints with security (in a single service.)

Thanks again for your time and any further insight.

Steven
0 Kudos
JenniferNery
Esri Regular Contributor
I asked our REST API team if there is an out of the box solution to securing services at the database level and their answer was no. I was unsuccessful in finding a documentation that may serve as guideline for extending security this way.  However, they advised that you go through our tech support to discuss this issue so they may enter a request. Tech support should be able to point you to the proper resource.
0 Kudos
ahmadhasan
New Contributor II

HI Steven

did you find any solution for your problem because  i have same requirements.

0 Kudos