Managing roles

Roles, or groups, allow you to assign permissions to multiple users at once. This usually makes it easier to maintain security for your site.

To view and modify roles, click the Security tab in Manager and click the Roles link in the table of contents. This displays a list of roles available on your GIS server.

You can view members of a role by clicking the plus (+) icon to the left of the role name. This expands the role display to show a scrolling list of users in the role.

If you're storing your roles in a SQL Server database, you will see a list with options to add, edit, and delete roles. If you're using Windows groups for your roles, this view is read-only. Your system administrator can help you manage roles that are stored as Windows groups. If using a custom provider, Manager may enable editing roles if the custom role provider implements the required .NET API methods to enable editing of roles. If Manager cannot edit the roles, then use the provider's tools to manage roles.

Roles managed within ArcGIS Server Manager may only contain individual users, not other roles. Roles managed outside Manager may have the ability to nest roles within roles, but you must use tools for the provider of those roles. For example, Windows groups may contain other groups.

NoteNote:

If your role store is Windows groups, any changes to group membership require logging off and back on to take effect. For example, if you add user SallyB to UtilityManagers, then you must log off and log back on before you can use SallyB's credentials to access services permitted for the UtilityManagers group.

Adding roles

If your roles are stored in SQL Server, you can use Manager to add and modify roles. Some custom providers also support adding roles with Manager. To add a new role, make sure you are on the Roles panel of Manager's Security tab, then click Add Role. This displays a dialog box to add the role. In this dialog box, you can set the following:

Do not use a comma (,) or semicolon (;) in the role name. Other special characters may not be allowed by the role provider. If you see an error when adding the role, try again without the special characters.

To add users to the role, use the Find users box to display a list of matching users in the Available users box. Type the first letter or two of the user name and click Find. Or click Show all users to retrieve all users in the user store (this may produce a very long list, especially for Active Directory in a large organization). Once users are in the Available users box, select one or more and click Add to move them to the Role members box. You can also remove members by clicking to select them and clicking Remove. You can choose multiple users in either box with the CTRL or SHIFT keys.

Once you have defined the role name and added users, click Add Role to add the role and return to the Roles panel.

Modifying roles

You can modify the members in a role by clicking the Edit (pencil) icon in the list on the Roles panel. This displays a dialog box almost identical to the one above for adding a role. You cannot change the role name, however. Click the Save button to save changes to the role.

Deleting roles

To delete a role, click the Delete icon (red circle with an X) next to the role's name. You'll be prompted to confirm that you want to delete the role. Note that roles cannot be deleted if the role contains users. Before deleting a role, remove all users from the role.

Deleting a role does not remove that role from the permissions list for services or for Web applications. If desired, you can remove the role through the permissions list for the services (including folders) or Web applications. See Securing Internet connections to services and Securing Web applications.

Anonymous, Everyone, and Authenticated roles

These special roles can be added to your roles when you store them either in Microsoft SQL Server or in a custom provider. The Anonymous role enables you to designate one or more GIS Web services to be open to users who do not supply credentials (via a token). The Authenticated users role allows any user who provides correct credentials (via a token) to access the service. The Everyone role allows any user, whether authenticated or not, to access the service. When these special roles exist, no users are actually added to the roles.

To add these special roles when using Microsoft SQL Server for roles, use the setup wizard for security, as described in Setting up users and roles in SQL Server. Be sure to check the option to add these roles to the database.

To add these roles when using a custom provider, you must use tools compatible with the provider to add a new role. The names of the roles in the provider are not Anonymous, and so on. Instead, use these characters to name the roles:

Manager will display the appropriate name for the role, for example, Anonymous for the role named ?. The approach of using special characters was used to support multiple languages in the server. When adding the role to the custom provider, do not add any users to the role.

These special roles are not supported when using Windows users. This is because, to use Windows authentication to obtain user credentials, the IIS Web server must be set to reject anonymous access to ArcGIS Web services. Hence, every user who requests GIS Web services must provide credentials for a valid Windows user.


8/22/2012