Skip To Content

How ArcGIS Server security works

In this topic

ArcGIS Server comes with a robust and effective security framework. By configuring ArcGIS Server security, you can manage and control access to ArcGIS Server. ArcGIS Server allows you to control who can administer ArcGIS Server, who can publish GIS services to it, and who can access hosted GIS web services.

Users, roles, and permissions

When a resource on ArcGIS Server is secured, only authorized users are allowed to access that resource. ArcGIS Server manages access to a secured resource by using a role-based access control system. There are three main components in a role-based access control system: users, roles, and permissions.


A user is any person or software agent that will access a GIS server resource. ArcGIS Server maintains a list, called the identity store, of users that are allowed to make resource requests.


A role is a set of users. Users who make up a role are usually related by function, title, or some other relationship. For example, users who will perform administration of an ArcGIS Server site could be grouped into a role named Administrators, and users who belong to an organization’s Human Resources department could be grouped into a role named Human Resources. A user can belong to more than one role. Roles are managed along with users in the identity store.


In ArcGIS Server, the authority to access a GIS resource can only be assigned to a role. Individual users can only acquire permissions by inheriting them from their roles. Role-based access control provides the ability to enforce, manage, and audit an organization’s access control policies efficiently and effectively. Permissions are managed internally by ArcGIS Server.

Authentication and authorization

To enforce permissions for secured resources, a user is first authenticated, then his or her authorization is verified.

Authentication is the process of verifying the identity of a user. In ArcGIS Server, this can be done by using either ArcGIS token-based authentication or web server authentication.

Authorization is the process of verifying that an authenticated user has the permission to access the requested resource.