Service security works differently depending on whether you are accessing the server through a local or an Internet connection.
Security for services accessed through ArcGIS Server Local connections is handled by the operating system's agsusers and agsadmin groups. Once a member of the agsadmin or agsusers group has connected to the server, he or she will have access to all of the services running on the server. Restricting access to some services, but not others, on the same server is only available through Internet connections.
If you don't want users to make local connections to your services, you can choose to keep the agsusers group empty, then configure access for your Internet services as outlined below.
When you create a service, Web access is automatically enabled. You can choose to limit the types of operations that can be performed with the service, or restrict access to a select group of users. If you don't need or want Internet clients to access the service, you can disable Web access completely.
If you don't want Internet clients to access a service, you need to explicitly disable Web access.Turning off Web access in Manager
To disable Web access for a service in Manager, follow the steps below. The service must be stopped when you perform these steps. See Starting, stopping, and pausing services for instructions.
To disable Web access for a service in ArcCatalog, follow the steps below. The service must be stopped when you perform these steps. See Starting, stopping, and pausing services for instructions.
Note: For map services, the steps above only disable Web access for the Mapping capability. You can disable Web access for other capabilities in the Service Properties page, in the Capabilities tab.
To set limits on which users can access your services, use the web.config file located in the services folder of your ArcGIS Server instance (for example, C:\Inetpub\wwwroot\arcgis\services). Here you can set differing levels of access for each folder of your GIS server. Use the location path attribute to specify the folder name. The location path should be inserted in the web.config file just above the </configuration> line as shown below. The </configuration> line should be the next line after your edits.
The following example only allows access to the ZoningMaps folder for users in the PlanningDept group on the operating system:
<configuration> . . . <location path="ZoningMaps"> <system.web> <authorization> <allow roles="PlanningDept" /> <deny users="*" /> </authorization> </system.web> </location> </configuration>
You can also choose to allow access to specific users only. In the example below, only mike23 has access to the Redlands folder:
<configuration> . . . <location path="Redlands"> <system.web> <authorization> <allow users="mydomain\mike23" /> <deny users="*" /> </authorization> </system.web> </location> </configuration>
When specifying access for the root folder, just use empty quotes ("") for the location path. The root folder must allow access to all those who have access to the folders beneath it. For example, if you limit access so that the PlanningDept group has access to the ZoningMaps folder, you must also ensure that the PlanningDept group has access to the root folder.
If you want your security restrictions for Internet connections to resemble the settings for your local connections, you can allow only the agsadmin and agsusers groups at the root level, as shown in this example:
<configuration> . . . <location path=""> <system.web> <authorization> <allow roles="agsadmin, agsusers" /> <deny users="*" /> </authorization> </system.web> </location> </configuration>
For the above additions to the web.config file to be effective, you must disable anonymous access for your ArcGIS Server instance's services directory in IIS (This folder is likely located at C:\Inetpub\wwwroot\ArcGIS\services). Otherwise your Internet users will always connect with the same name (IUSR_<machine name>) and your operating system will not recognize them as distinct members of the groups you have set up. To disable anonymous access, follow these steps:
Once you perform the steps above, Internet users wishing to connect to your server will need to type a name and password. This name and password will be checked using the authentication method you have chosen in IIS. If you've limited access to certain folders using the web.config file, only users who belong to the allowed roles, or operating system groups, will be able to see those folders.
Edits that you make to the web.config file are not retained if you re-install ArcGIS Server, so it's a good idea to keep a backup of the security information that you add. For additional information, see this link from Common Problems and Solutions.
You can configure your services to be visible only when a client is connecting through a Secure Socket Layer (SSL). SSL connections are encrypted and are commonly used to send sensitive information, such as credit card transactions, over the Internet. When making an SSL connection, the URL begins with "https".
Setting up an SSL connection requires the use of your Web server administration software; refer to its documentation for information on how to configure SSL.
Requiring encrypted connections is done at the GIS server folder level. In the folder properties, you can check the option "Require Encrypted Web Access". All of the services in that folder will then be accessible only when an SSL connection is being made.
To make it easy to control how your Web services are used, each type of service has a set of allowed operations. Each operation consists of a set of methods that can be enabled or disabled as a group. Clients of the Web service can only call the methods of the operations that have been allowed.
Suppose you wanted to allow consumers of a mapping Web service to draw the map but not to query the data sources of the map's layers. You would then need to disable the Query operation and ensure that the Map operation was allowed.
If you create a service using the Add New Service wizard (as opposed to the Publish GIS Resource wizard) you can choose the allowed operations as you create the service. No matter how you originally created a service, you can change which operations are allowed on an existing service by editing the service's properties. The available operations are listed in the Capabilities panel.
The following tables list which methods are included in each operation:
The default allowed operations for map services are Map, Query, and Data.
The default allowed operations for geocode services are Geocode and Reverse Geocode.
The default allowed operations for geodata services are Query and Extraction, which enable all of the supported methods for querying and extracting data. The Replication choice enables all of the supported methods for synchronization, data changes, message acknowledgement, and schema.
The default allowed operations for globe services are Globe, Animation, and Query. Unlike with map services, the Query operation covers both Identify and Find.