Overview of setting up users and roles
ArcGIS Server Manager allows you to assign access privileges to roles for services and for Web applications. A role is a group of one or more users. A user is an individual who accesses a Web application or a Web service. A user can belong to many roles.
For example, suppose John, Carla, and Pat are all users of a GIS server that helps manage natural resources. All three of these users belong to the General Access role, which allows them to access a set of base services. However, John and Carla belong to a Hydrologist role that gives them access to additional services. Perhaps a fourth user, Maria, belongs to a Team Leader role that allows access to all services. The important thing to remember is that you can configure the roles and levels of access to fit your scenario.
Configuring locations for users and roles
Before you can use the tools in ArcGIS Server Manager to assign permissions to services or applications, you need to define where those users and roles will be stored. You have several options. See the links below to learn more about setting up each one.
Windows users and groups—Choose Windows users and groups if you want to leverage either existing local Windows accounts on the Web server or domain accounts. When using domain accounts, the Web server must be on the domain that you are using for authentication.
This option is most frequently used when ArcGIS Server is being used on an intranet. Single sign-on (SSO) is also possible with this option by using Integrated Windows Authentication on your Web server. Automatic pass-through of credentials from the Web application to the Web service is built into this option.
Microsoft SQL Server Express—If you want to set up a new list of users and roles, and want to use tools included with ArcGIS Server, you can use this option. You can use Microsoft SQL Server Express (included with ArcGIS Server) to store users and roles, or you can also use your own non-Express edition of SQL Server. Manager's Security interface provides tools for managing users and roles that are stored within SQL Server.
This option is most frequently used when ArcGIS Server is being used on the Internet, because you may not want to give Windows credentials to Internet users. This option is also useful when you want your Web applications to have different credentials than the Web services consumed by those applications.
Custom provider—You may want to store users and roles somewhere other than in SQL Server or in the Windows operating system. Choices here include other types of databases and XML files.
This option uses an ASP.NET custom membership provider. To use this option, you will need to acquire and configure a .NET provider for the user/role store. For example, third-party providers are available to use an Oracle database for user and role store. It is also possible to write your own custom provider. See documentation on ASP.NET membership for details. You would use this option for the same reasons as Microsoft SQL Server above, but when you want to store your users and groups somewhere other than Microsoft SQL Server.
By default, users and roles are stored in the same location. If you choose Windows users, you can instead store roles in either SQL Server or a custom provider. If you store roles separately in this way, you must ensure that the roles in SQL Server (or the custom provider) contain members whose names are spelled exactly as they are for the Windows user accounts; the role lookup is performed with the authenticated Windows user name, so any difference in spelling causes the user to be treated as not belonging to the role.
Manager uses the same user and role store for all Web services and for all Web applications. If you want to use a different location for services than for applications, you cannot use the same instance of Manager to secure both services and applications. You could use Manager to secure services and use other tools to secure applications, or use Manager to secure applications and use external tools to secure services. For the first option (Manager secures services only), you would not enable security within Manager for any Web applications. Instead, you could configure security for individual Web applications either by configuring the application manually or by using Microsoft's Web Site Administration Tool (WSAT). See Securing Web Applications for information on using WSAT.
Another option is to add a second instance of the ArcGIS Web applications using the Add Instance tool. You would administer your GIS Web services with one ArcGIS instance and administer your Web applications with the second instance. For more information, see ArcGIS Server Instances.
Configuration files
When you configure the storage location for users and roles, this information is written to configuration files in ArcGIS Server. The actual users and roles themselves are stored separately in the storage location you specify. But information that configures how the security store is used is stored in ArcGIS Server configuration files. Normally, you should use Manager to edit the configuration, but information is provided here for users who may need to manually modify security settings.
All settings related to security are stored in standard ASP.NET configuration settings. You may want to consult references on ASP.NET for more information on these settings.
The central location for security settings is in the <ArcGIS Instance>\Security Web application (for example, http://myserver.example.com/ArcGIS/Security, with a physical location by default at C:\Inetpub\wwwroot\ArcGIS\Security). The web.config file in this application folder houses the security configuration for the ArcGIS Server instance. If you need to manually configure a provider, for instance, to add a custom membership provider, you would edit this web.config file (see Setting up users and roles in a custom provider for more information on custom providers).
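As an added illustration, not taken from the ArcGIS documentation or from the product's own configuration, the following web.config fragment shows the standard ASP.NET elements behind the combination described above: users authenticated from Windows accounts, with roles stored in SQL Server through the built-in SqlRoleProvider. The connection string name, database name, provider name, and the Hydrologist role are assumed placeholders; Manager writes its own values.

```xml
<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <!-- Assumed name and server: points the role provider at the SQL Server
         Express instance that holds the role store -->
    <add name="AGSRoleStore"
         connectionString="Data Source=.\SQLEXPRESS;Initial Catalog=ArcGISRoles;Integrated Security=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <!-- Users come from Windows: IIS performs Integrated Windows Authentication,
         so the identity seen by ASP.NET is the account name, e.g. DOMAIN\john -->
    <authentication mode="Windows" />
    <!-- Roles come from SQL Server via the standard ASP.NET SqlRoleProvider.
         It is queried with the Windows account name, which is why member names
         in the SQL role store must be spelled exactly as the Windows accounts. -->
    <roleManager enabled="true" defaultProvider="SqlRoles">
      <providers>
        <clear />
        <add name="SqlRoles"
             type="System.Web.Security.SqlRoleProvider"
             connectionStringName="AGSRoleStore"
             applicationName="/" />
      </providers>
    </roleManager>
    <!-- Illustrative authorization for a secured Web application: only members
         of the assumed Hydrologist role are admitted; everyone else is denied -->
    <authorization>
      <allow roles="Hydrologist" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```

A quick check after editing such a file is to sign in as a Windows user who is listed in the SQL role and confirm access, then as one whose name differs only in spelling or domain prefix and confirm the deny rule applies.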
When you use the wizard to configure security, the settings in the Security Web application are updated, then these same settings are copied to several other applications. These include three applications within the same ArcGIS instance: Rest, Services, and Tokens. Also, if any Web applications have previously been secured with Manager, the settings are updated in those applications. Subsequently, when any other Web application is secured with Manager, these settings are also copied into that application's web.config file.
If you make any changes to the configuration in the Security application's web.config file, you should run the Security > Settings > Change wizard. This will copy changes into the applications that apply security. Also, since Manager coordinates the security settings for multiple applications, it is recommended that you use Manager to make any changes to security settings rather than to attempt manual changes.