Security configuration files

ArcGIS Server stores permission rules for services in XML-based files. These files are stored on the server object manager (SOM) computer, in the same location as the service configurations: <ArcGIS Installation>\server\user\cfg. Each service or folder permission set is stored in a separate file. For a service, the file has the same name as the service but has an .sec extension (the service configuration file has a .cfg extension). For a folder, permissions are stored in the folder in the file Folder.sec. If no permissions have been specifically added for a service or folder, no .sec file will be present. Because permissions are inherited from the root and/or folder, a service or folder without a .sec file can still have permissions applied by inheritance.

Permissions can be modified by editing the .sec files directly, but the recommended approach is to use Manager. Unlike changes to .cfg files, changes to .sec files take effect immediately, without restarting the SOM.

The .sec file stores permissions in XML format. The XML tags for permissions have no attributes. The tags used and their meanings are as follows:

<Permissions>

The root tag for the permissions file. Contains one <Allowed> tag and one <Denied> tag.

<Allowed>

Contains a list of roles that are allowed access to the service or folder. Each role is specified by a <Principal> tag.

<Denied>

Contains a list of roles that are denied access to the service or folder. Normally these roles have been allowed access to a parent folder of the service or folder. Each role is specified by a <Principal> tag.

<Principal>

Specifies one role that is allowed or denied access to the service or folder. The role name is stored as a string value between opening and closing tags, as shown in the following example:

<Principal>Editors</Principal>

Role names must match values for roles in the role store as specified in Manager.

Example .sec file
<Permissions>
 <Allowed>
  <Principal>Editors</Principal>
  <Principal>Managers</Principal>
 </Allowed>
 <Denied>
  <Principal>Users</Principal>
 </Denied>
</Permissions>
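
An added example, not part of the original documentation or of ArcGIS Server itself: a read-only Python audit that walks the cfg directory, parses each .sec file using the tag structure described above, and reports role names missing from the role store, roles listed under both <Allowed> and <Denied>, and services that have no .sec file. The role-store set, the sample file names, and the choice of what to flag for review are assumptions.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

def parse_sec(xml_data):
    """Return (roles, problems) for the content of one .sec file."""
    roles, problems = {"Allowed": [], "Denied": []}, []
    try:
        root = ET.fromstring(xml_data)
    except ET.ParseError as exc:
        return roles, ["not well-formed XML: %s" % exc]
    if root.tag != "Permissions":
        problems.append("root tag is <%s>, not <Permissions>" % root.tag)
    for section in roles:
        nodes = root.findall(section)
        if len(nodes) != 1:
            problems.append("expected one <%s> tag, found %d" % (section, len(nodes)))
        for node in nodes:
            roles[section] += [(p.text or "").strip() for p in node.findall("Principal")]
    return roles, problems

def audit_cfg_dir(cfg_dir, role_store):
    """Walk cfg_dir recursively; return (relative path, finding) tuples."""
    findings = []
    for path in sorted(Path(cfg_dir).rglob("*")):
        rel = path.relative_to(cfg_dir).as_posix()
        if path.suffix == ".cfg" and not path.with_suffix(".sec").exists():
            findings.append((rel, "no .sec file, so only inherited permissions apply"))
        elif path.suffix == ".sec":
            roles, problems = parse_sec(path.read_bytes())
            allowed, denied = set(roles["Allowed"]), set(roles["Denied"])
            problems += ["role %r is not in the role store" % r
                         for r in sorted((allowed | denied) - set(role_store))]
            problems += ["role %r is listed under both <Allowed> and <Denied>" % r
                         for r in sorted(allowed & denied)]
            findings += [(rel, p) for p in problems]
    return findings

def demo():
    """Audit a constructed tree; file and role names here are made up."""
    bad = ("<Permissions><Allowed><Principal>Editors</Principal><Principal>Editers"
           "</Principal></Allowed><Denied><Principal>Editors</Principal></Denied></Permissions>")
    files = {"Parcels.cfg": "<cfg/>", "Parcels.sec": bad, "Roads.cfg": "<cfg/>"}
    with tempfile.TemporaryDirectory() as cfg:
        for name, text in files.items():
            Path(cfg, name).write_text(text, encoding="utf-8")
        return audit_cfg_dir(cfg, role_store={"Editors", "Managers", "Users"})

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Because changes to .sec files take effect without a SOM restart, running a check like this on a schedule and comparing its output against the previous run shows permission changes made outside Manager.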

8/22/2012