ArcGIS Server has a built-in identity store to manage user authentication and authorization in your site. This identity store, which is maintained in the ArcGIS Server configuration store, is used by default as the user store and role store for the site.
Stand-alone implementations of ArcGIS Server (those not federated with an ArcGIS Enterprise portal) use the built-in identity store by default. This model is called server-tier authentication.
Learn more about access control in ArcGIS Server
When server-tier authentication is enabled, ArcGIS Server controls access to services using a role-based access control model. In a role-based access control model, the permission to access a secured service is controlled by assigning roles to that service. To consume a secured service, a user must be a member of a role that has been assigned permissions to access it.
Permissions may be assigned to an individual web service or to the parent folder containing a group of services. If you assign permissions to a folder, any service contained within inherits the folder's permissions. For example, if you grant a role access to the site (root) folder, users belonging to that role will be granted access to all the services hosted on that site. Also, to override permissions automatically inherited by a service from its parent folder, you can edit the service and explicitly remove the permissions that were inherited.
The built-in identity store is an effective way to secure your server site's GIS resources. All authentication and authorization is done within the server site itself.
If you want to integrate ArcGIS Server authentication with your organization's external identity store, you can do so, thus elevating your security model to web-tier authentication. See Configure web-tier authentication for more information.
Configure ArcGIS Server security
By default, ArcGIS Server is configured to use users and roles managed in the built-in store. If you have not made any changes to the out-of-the-box security configuration, you can skip this section. If you've been using some other way to store your users and roles and you want to change the configuration to use the built-in store, follow the steps below.
- Open Manager and log in as the primary site administrator. You must use the primary site administrator account. If you need help with this step, see Log in to Manager.
- Click Security > Settings.
- Click the Edit button next to Configuration Settings.
- On the User and Role Managementpage, choose Users and roles from ArcGIS Server's built-in store, then click Next.
- Click Finish to apply and save the security configuration.
Add users and roles
After choosing to use the built-in store for user and role management, you will need to create new users and roles.
Add new users following the steps in Manage users in Manager.
Add new roles following the steps in Manage roles in Manager.
Control permissions for your services
Once you have configured your security settings and defined users and roles, you can set permissions for services to control who is allowed to access them.
To change the permissions for a service, see Control access to your services.
Test access to secured services
To test your setup, follow the steps below.
- Open the ArcGIS Token page: https://gisserver.domain.com:6443/arcgis/tokens.
- Acquire a token for a user that has permissions to the ArcGIS web service you want to access. If you need help with this step, see Acquiring ArcGIS tokens.
- Access the ArcGIS web service by appending the token to the request.
To access the SOAP endpoint, use the URL: https://gisserver.domain.com:6443/arcgis/services/folder/service/MapServer?wsdl&token=6dzPxjidIoBu2yIVpUW3FCW6RXH_xi2ejMoHnlWyenahmd6OYS9jnSso-GhmCA3W
To access the REST endpoint, use the URL: https://gisserver.domain.com:6443/arcgis/rest/services/myfolder/myservice/MapServer?token=6dzPxjidIoBu2yIVpUW3FCW6RXH_xi2ejMoHnlWyenahmd6OYS9jnSso-GhmCA3W