Out of the box, the GIS web services hosted by ArcGIS Server are publicly available to everyone with knowledge of the web service's URL and network access to ArcGIS Server. This allows an unauthorized user or web application to consume your services, without your approval. To restrict access to a service, you will need to specify which users are allowed to access that service.
ArcGIS Server controls access to the GIS web services hosted on your server using a role-based access control model. In a role-based access control model, the permission to access a secured service is controlled by assigning roles to that service. To consume a secured service, a user must be a member of a role that has been assigned permissions to access it.
Permissions may be assigned to an individual web service or to the parent folder containing a group of services. If you assign permissions to a folder, any service contained within inherits the folder's permissions. For example, if you grant a role access to the site (root) folder, users belonging to that role will be granted access to all the services hosted on that site. Also, to override permissions automatically inherited by a service from its parent folder, you can edit the service and explicitly remove the permissions that were inherited.
To set permissions for a service, you need to have at least one user and one role in your Identity Store. To add users, see Managing users. To add roles, see Managing roles.
To set permissions for a service, see Editing permissions in Manager.