The Security module in ArcGIS Server Manager contains a Roles page. If you have a stand-alone ArcGIS Server site, you can use this page to view and manage your site's roles, which define a set of permissions granted to the users designated with that role.
The features available on this page vary depending on where your roles are managed. If roles are in the ArcGIS Server built-in store, you can add, modify, and delete roles in Manager. If you have configured web-tier authentication and manage roles from an external identity provider, you can only view the list of roles and search for roles. You cannot add new roles, delete roles, or modify a role's properties in Manager.
Note:
If you have configured web-tier authentication, you must manage users from your external identity store, but you can choose to manage roles either from the external identity store or from the built-in store. You can change this in the Configuration Settings on the Security > Settings page in Manager.
Note:
If using a Public Key Infrastructure, you must use built-in roles.
If your server site is federated with an ArcGIS Enterprise portal, the users list in ArcGIS Server Manager will be grayed out. Log in to the portal as an administrator to manage users.
Learn more about the security models available in ArcGIS Server
View roles
To view the roles in your identity store, follow the steps below.
- Log in to Manager as the primary site administrator or a user with administrative access.
- Click Security > Roles.
Manager only displays the first 1,000 roles in your identity store. However, Manager offers a Search tool that you can use to locate and view the properties of a role. This is especially convenient when your identity store contains a large number of roles. To find a role using the Search tool, see the Search for a role section in this topic.
Add roles
You can add a new role to the built-in identity store in ArcGIS Server Manager by following the steps below.
- Log in to Manager as the primary site administrator or a user with administrative access.
- Click Security > Roles.
- Click New Role. This displays a dialog box to add a new role. On this dialog box, provide the following information:
- Role name: This is a required parameter and must be set to a unique value that easily identifies the role.
- Description: A brief description of the role.
- Role Type: Choose one of the available role types:
- Administrator: The Administrator role type is given unrestricted access to ArcGIS Server administrative components and functions. Members of a role with the role type set to Administrator can log in to ArcGIS Server Manager, the Services Directory, and the Administrator Directory with access to all features and functionality. They can add or remove machines from the site, configure security, and so forth. This role type should be restricted to roles that perform ArcGIS Server site administration.
- Publisher: The Publisher role type is given limited access to ArcGIS Server administrative components and functions. Members of a role with the role type set to Publisher can log in to ArcGIS Server Manager and the Administrator Directory with access to only the service and log management features. They can publish new services, manage existing services, and generate map caches. They cannot configure or change ArcGIS Server security options but can manage permissions for services. This role type should be restricted to roles that publish and manage ArcGIS web services.
- User: The User role type is restricted from accessing ArcGIS Server administrative components and functions. Members of a role with the role type set to User cannot access ArcGIS Server Manager or the Administrator Directory. They can only use or access a service, provided that permission has been granted to their user accounts to access it. This role type should be for users who will consume GIS web services through the ArcGIS web APIs. Each role is set to type User by default.
Note:
If a role's type is set to either Administrator or Publisher, that role automatically gets implicit access permission to all services published to the ArcGIS Server site. This implicit permission cannot be overridden by changing the permissions on a service or folder.
- To add users as members to this role, click the Add User button next to a user in the Available users list. You need to have one or more users previously defined to do this. If there are currently no users in the identity store, you can modify the role later to add members. To add users to the identity store, see Manage users in Manager.
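One way to review the role types described above, as an added example that is not part of the Esri documentation: it flags members of Administrator- or Publisher-type roles, which carry implicit access to every service, who are not on an approved list, and it reports elevated roles that have no members. The inventory format, role names, user names, and approved list are constructed for illustration.

```python
# Role types that, per the note above, get implicit access to all services.
ELEVATED = {"Administrator", "Publisher"}
VALID = ELEVATED | {"User"}

# Constructed sample inventory (hypothetical role and user names).
ROLES = [
    {"name": "gis_admins", "type": "Administrator", "members": ["alice"]},
    {"name": "map_publishers", "type": "Publisher", "members": ["bob", "carol"]},
    {"name": "field_crew", "type": "User", "members": ["carol", "dave"]},
    {"name": "legacy_ops", "type": "Publisher", "members": []},
    {"name": "viewers", "members": ["erin"]},  # no type recorded
]

# Accounts approved to hold each elevated role type (assumption for the example).
APPROVED = {"Administrator": {"alice"}, "Publisher": {"bob"}}


def audit_roles(roles, approved):
    """Return (unapproved, empty).

    unapproved: sorted (user, role name, role type) tuples for members of
    elevated roles who are not approved for that role type.
    empty: sorted names of elevated roles that currently have no members.
    """
    unapproved, empty = [], []
    for role in roles:
        # Each role is set to type User by default.
        rtype = role.get("type") or "User"
        if rtype not in VALID:
            raise ValueError(f"unknown role type {rtype!r} on {role['name']}")
        if rtype not in ELEVATED:
            continue  # User-type roles only reach services they are granted
        members = role.get("members", [])
        if not members:
            empty.append(role["name"])
        for user in members:
            if user not in approved.get(rtype, set()):
                unapproved.append((user, role["name"], rtype))
    return sorted(unapproved), sorted(empty)


if __name__ == "__main__":
    findings, unused = audit_roles(ROLES, APPROVED)
    for user, role, rtype in findings:
        print(f"REVIEW {user}: member of {rtype} role {role}")
    for role in unused:
        print(f"UNUSED elevated role: {role}")
```
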
Search for a role
To search for a role in Manager, follow the steps below.
- Log in to Manager as the primary site administrator or a user with administrative access.
- Click Security > Roles.
- Provide the name of the role on the Find Role dialog box.
Note:
If you're using an external identity store, you can also type the first few characters of the role name or use the asterisk (*) character to replace one or more characters in the role name. For example, to locate a role named ArcGIS Administrators, you can use the search string *Administrators or ArcGIS*.
- Click the Search button to view the results of your query.
Modify a role
You can modify a role's properties in ArcGIS Server Manager by following the steps below.
- Locate the role you want to modify and click the Edit button corresponding to that role. This opens a dialog box that allows you to edit the role description, role type, and role members.
Note:
You cannot modify the name of a role.
- Click the Add User button to add users from the Available users list. Click the Delete button next to the user name to remove users from the Role members list.
- Click Save to apply your changes or Cancel to abandon the changes and return to the Roles page.
Delete a role
You can delete a role in Manager by following the steps below.
Note:
If your roles are stored in an organization-specific identity provider, such as LDAP, you will need to use that product's user management tool to delete roles.
- Log in to Manager as the primary site administrator or a user with administrative access.
- Click Security > Roles.
- Click the Delete button corresponding to the role you want to delete.
- Click Yes when prompted to confirm that you want to delete the role.