Managing ArcGIS Server users and roles
The following options are available for managing users and roles in ArcGIS Server:
Users and roles from ArcGIS Server's built-in store
Out of the box, ArcGIS Server security is enforced with users and roles from the built-in store. When this option is selected, user and role information is persisted in a file-based format in the configuration store. Users and roles in the built-in store can only be accessed and managed by ArcGIS Server. As a result, when security is configured to use the built-in store, users are authenticated using ArcGIS token-based authentication.
To learn how to manage users and roles using the built-in store, see the Managing users and roles section of the help.
Users and roles from an existing enterprise system
ArcGIS Server has the ability to enforce security with users and roles managed in an external Microsoft Active Directory or LDAP server. ArcGIS Server uses the Active Directory or LDAP server as a read-only store. You can view users and roles from the Active Directory or LDAP server in Manager, but you cannot add, edit, or delete users and roles. Additionally, user authentication may be done by either ArcGIS Server or the web server.
If your logon settings deny login rights to the machine where Active Directory is hosted, you will encounter an error when configuring security. It is not necessary to grant the "Log on locally" group policy setting to the user. For more information, see Advanced considerations when using domain accounts.
Users from an existing enterprise system and roles from ArcGIS Server's built-in store
ArcGIS Server can be configured to enforce security with users managed in an external Microsoft Active Directory or LDAP server and roles managed in the ArcGIS Server built-in store. ArcGIS Server uses the Active Directory or LDAP server as a read-only store. You can view the users in the Active Directory or LDAP server in Manager, but you cannot add, edit, or delete users. You can add, edit, and delete roles in the built-in store using Manager. When using Active Directory or LDAP as your user store, user authentication may be done by either ArcGIS Server or the web server.