Restrict access to ArcGIS Server
Out of the box, ArcGIS Server allows only the primary site administrator to access the server. To allow a user in the Identity Store to access ArcGIS Server, you will need to define that user's level of access to ArcGIS Server.
ArcGIS Server controls access using a role-based access control model. In a role-based access control model, access is always granted to a role and a user inherits a role's access permissions by becoming a member of that role. You will need to have at least one user and one role in your Identity Store before you can configure access to ArcGIS Server. To add users, see Managing users. To add roles, see Managing roles.
When you federate ArcGIS Server with Portal for ArcGIS, the portal's security store controls all access to the server. This provides a convenient sign-on experience, but also impacts how you access and administer the federated server. For example, when you federate, any users, roles, and permissions that you previously configured on ArcGIS Server services are no longer valid. Access to services is instead determined by portal members, roles, and sharing permissions. Before federating, review the information in Administer a federated server to learn more about how federating will impact your existing site.
To define ArcGIS access permissions for a role, follow the steps below:
- In ArcGIS Server Manager, click the Security tab and open the Roles page.
- To select a role, click the edit icon corresponding to that role.
- Choose one of the available role types. The role type controls access to the ArcGIS Server site and permissions to perform administrative and publishing functions. A role can be one of three types:
  - Administrator: The Administrator role type is given unrestricted access to ArcGIS Server administrative components and functions. Members of a role with the role type set to Administrator can log in to ArcGIS Server Manager, the Services Directory, and the Administrator Directory with access to all features and functionality. They can add or remove machines from the site, configure security, and so forth. This role type should be restricted to roles that perform ArcGIS Server site administration.
  - Publisher: The Publisher role type is given limited access to ArcGIS Server administrative components and functions. Members of a role with the role type set to Publisher can log in to ArcGIS Server Manager and the Administrator Directory with access to only the service and log management features. They can publish new services, manage existing services, and generate map caches. They cannot configure or change ArcGIS Server security options but can manage permissions for services. This role type should be restricted to roles that publish and manage ArcGIS web services.
  - User: The User role type is restricted from accessing ArcGIS Server administrative components and functions. Members of a role with the role type set to User cannot access ArcGIS Server Manager or the Administrator Directory. They can only use or access a service, provided that permission has been granted to their user accounts to access it. This role type should be used for users who will consume GIS web services through the ArcGIS web APIs. Each role is set to type User by default.

  If a role's type is set to either Administrator or Publisher, that role automatically gets implicit access permission to all GIS web services hosted on the ArcGIS Server site. This implicit permission cannot be overridden by changing the permissions on a service or folder.
- Click Save to apply your changes.
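
The following Python example is added here and is not part of the ArcGIS documentation or Esri's code. It models the role-type rules described above so you can review, offline, which users reach a service only through the implicit permission of an Administrator or Publisher role. All role, user, and service names are constructed sample data, and it assumes that a user who belongs to several roles gets the most privileged role type among them.

```python
"""Offline model of the role-type rules above (added example, constructed data)."""

ROLE_TYPES = ("User", "Publisher", "Administrator")  # least to most privileged

# Constructed sample data: role name -> (role type, member user names)
ROLES = {
    "gis_admins":  ("Administrator", {"alice"}),
    "map_authors": ("Publisher", {"bob", "carol"}),
    "field_crew":  ("User", {"carol", "dave"}),
    "contractors": ("User", {"erin"}),
}
# Constructed sample data: service -> roles explicitly granted permission
SERVICE_PERMISSIONS = {
    "Parcels/MapServer": {"field_crew"},
    "Utilities/Internal/MapServer": set(),
}

def roles_of(user, roles=ROLES):
    """Names of the roles the user is a member of."""
    return {name for name, (_, members) in roles.items() if user in members}

def effective_type(user, roles=ROLES):
    """Highest role type among the user's roles, or None if the user has no role.
    Assumption (not stated on the page): the most privileged type wins."""
    types = [roles[r][0] for r in roles_of(user, roles)]
    return max(types, key=ROLE_TYPES.index) if types else None

def can_access(user, service, roles=ROLES, perms=SERVICE_PERMISSIONS):
    """Return (allowed, reason) for one user and one service."""
    if effective_type(user, roles) in ("Administrator", "Publisher"):
        return True, "implicit"  # cannot be overridden per service or folder
    if roles_of(user, roles) & perms.get(service, set()):
        return True, "explicit"
    return False, "none"

def audit(roles=ROLES, perms=SERVICE_PERMISSIONS):
    """List (user, service, role type) where access is implicit only."""
    users = set().union(*(members for _, members in roles.values()))
    findings = []
    for user in sorted(users):
        for service in sorted(perms):
            allowed, reason = can_access(user, service, roles, perms)
            if allowed and reason == "implicit":
                findings.append((user, service, effective_type(user, roles)))
    return findings

if __name__ == "__main__":
    for user, service, rtype in audit():
        print(f"{user}: implicit access to {service} via {rtype} role type")
```

In the sample data, `carol` is in a User role and a Publisher role, so she reaches `Utilities/Internal/MapServer` even though no role was granted permission on it.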