It's common to have datasets in a SeaSketch project that need to be visualized by a select user group. They may be sensitive in nature, and not to be made publicly accessible. SeaSketch can interoperate with web services published in ArcGIS Server with token-based authentication enabled to support this use case.

Adding Secure Services

Prerequisites

You will need the url of service hosted in ArcGIS Server >= 10.1 with token-based authentication enabled, as well as a valid username and password for that service. See Esri's documentation for details on how to setup token-based authentication in ArcGIS Server. We recommend that the service be configured with an account to be used by SeaSketch exclusively, with read-only access to the data. This will prevent users from using their token to publish or alter services, as well as for distinguishing SeaSketch requests from others in the ArcGIS Server logs.

Adding the Service

In the Data Layers tab of your project's administrative interface, add the secure service using it's URL as you would for any other map service. You will be prompted to provide a username and password. After filling out these fields, press the search button once more to load the service and continue adding to the table of contents. By default, this layer will only be available for viewing by project administrators.

If you'd like to try this functionality but don't yet have a secure service available, a test service is available.

Test Service
Username: test
Password: test

Adding Group Viewing Permissions

Secure layers have an extra option when editing that allows administrators to specify access. Right-click on a secure layer and click edit to access this menu. Each group added to the group permissions option will see the layer in the table of contents and view the data.

Security Architecture

SeaSketch stores the username and password for secure services but does not ever give these credentials to it's users. Rather, SeaSketch uses these credentials to request a short-term token from ArcGIS Server. Tokens can be used to access data services but do not contain the original credentials used to generate the token. Tokens expire after a period of time that is configurable by the data provider. When a SeaSketch user with proper permissions accesses a project (an admin or part of an allowable user group), they will be given on of these tokens so that their browser can request secure data to display on the map.