Out of the box, the services you publish to ArcGIS Server are publicly available to everyone with knowledge of the service URL and network access to your ArcGIS Server site. This allows an unauthorized user or web application to consume your services without requiring your approval. To restrict access to a service, you will need to specify which users are allowed to access that service. You can set permissions for a service or folder in ArcGIS Server Manager.
When a role has its role type set to Administrator or Publisher, members of that role can access all services hosted on an ArcGIS Server site. This implicit permission cannot be overridden by changing the permissions on a service or folder.
The ArcGIS Server access control model
ArcGIS Server controls access to services using a role-based access control model. In a role-based access control model, the permission to access a secured service is controlled by assigning roles to that service. To consume a secured service, a user must be a member of a role that has been assigned permissions to access it.
Permissions may be assigned to an individual web service or to the parent folder containing a group of services. If you assign permissions to a folder, any service contained within inherits the folder's permissions. For example, if you grant a role access to the site (root) folder, users belonging to that role will be granted access to all the services hosted on that site. Also, to override permissions automatically inherited by a service from its parent folder, you can edit the service and explicitly remove the permissions that were inherited.
By default, the System folder of services is only accessible to site publishers and administrators. It's recommended that you don't make this folder publicly accessible; doing so could make your site vulnerable to denial-of-service (DoS) attacks and unauthorized publishing.
To set permissions for a service, you need to have at least one user and one role in your identity store. To add users, see Manage users. To add roles, see Manage roles.
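The rules described in this section (folder inheritance, per-service overrides, and the implicit access held by Administrator and Publisher role types) can be sketched as a small resolver. This is an added example, not Esri code or an ArcGIS Server API; the data layout, function names, role names, and sample site are all hypothetical and constructed for illustration.

```python
# Simplified model of the access rules described above (illustrative only).
PUBLIC = "public"            # anonymous access allowed
LOGGED_IN = "all_logged_in"  # any authenticated user in the identity store
ROLES = "roles"              # only members of the Allowed roles list

# Constructed sample site. Keys are folder or "folder/service" paths;
# "" is the site (root) folder. Entries without a key inherit from the parent.
SAMPLE_SITE = {
    "": {"mode": PUBLIC},
    "System": {"mode": ROLES, "allowed": set()},
    "Utilities": {"mode": ROLES, "allowed": {"gis_staff"}},
    "Utilities/Parcels": {"mode": LOGGED_IN},  # explicit override on the service
}
SAMPLE_SERVICES = ["Basemap", "System/PublishingTools",
                   "Utilities/Parcels", "Utilities/Sewer"]

def effective_setting(site, service_path):
    """Service setting if present, else its folder's, else the root folder's."""
    folder = service_path.rpartition("/")[0]
    for key in (service_path, folder, ""):
        if key in site:
            return site[key]
    return {"mode": PUBLIC}  # out-of-the-box state: publicly available

def can_access(site, service_path, user_roles=None, role_types=None):
    """user_roles is a set of role names, or None for an anonymous caller."""
    role_types = role_types or {}
    if user_roles is not None and any(
            role_types.get(r) in ("Administrator", "Publisher") for r in user_roles):
        return True  # implicit permission; folder/service settings cannot revoke it
    setting = effective_setting(site, service_path)
    if setting["mode"] == PUBLIC:
        return True
    if user_roles is None:
        return False  # private resources reject anonymous callers
    if setting["mode"] == LOGGED_IN:
        return True
    return bool(user_roles & setting.get("allowed", set()))

def anonymous_services(site, services):
    """Audit helper: services an unauthenticated caller can reach."""
    return [s for s in services if can_access(site, s)]

if __name__ == "__main__":
    print("Anonymously reachable:", anonymous_services(SAMPLE_SITE, SAMPLE_SERVICES))
```

Running the audit helper over an inventory of your own folders and services shows which ones remain publicly reachable through inheritance from the root folder.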
Edit permissions for a service or folder in Manager
- Open Manager and log in. If you need help with this step, see Log in to Manager.
- Click Services, then locate the service or folder you want to edit.
- To set permissions for a folder, click the folder and then click the lock button next to the folder name. To set permissions for a service, click the lock button corresponding to that service. The lock button will indicate whether the folder or service is currently secured or publicly available to all users.
- To secure a folder or service, click the Private, available only to selected users option. This disables anonymous access to the resource. Now, only users who have been authenticated and authorized will be allowed to access this resource.
- To authorize access for all users in the Identity Store, click the Allow access to all users who are logged in option.
- To allow access to users belonging to a specific set of roles, click the add role button next to the role name to add it to the Allowed roles list. To access this resource, a user must be a member of at least one of the roles in the Allowed roles list.
- Click Save to apply your changes.