Securing a service

Service security works differently depending on whether you are accessing the server through a local or an Internet connection.

Security for ArcGIS Server Local connections

Security for services accessed through ArcGIS Server Local connections is handled by the operating system's agsusers and agsadmin groups. Once a member of the agsadmin or agsusers group has connected to the server, he or she will have access to all of the services running on the server. Restricting access to some services, but not others, on the same server is only available through Internet connections.

If you don't want users to make local connections to your services, you can choose to keep the agsusers group empty, then configure access for your Internet services as outlined below.

Security for ArcGIS Server Internet connections

When you create a service, Web access is automatically enabled. You can choose to limit the types of operations that can be performed with the service, or restrict access to a select group of users. If you don't need or want Internet clients to access the service, you can disable Web access completely.

Turning off Web access

If you don't want Internet clients to access a service, you need to explicitly disable Web access.

Turning off Web access in Manager

To disable Web access for a service in Manager, follow the steps below. The service must be stopped when you perform these steps. See Starting, stopping, and pausing services for instructions.

  1. In Manager, click the Services tab.
  2. In the list of services, find the service for which you want to disable Web access and click its Edit link.
  3. In the menu on the left, click Capabilities.
  4. Uncheck the box next to Enable Web Access.
  5. Click Finish.
  6. Start the service.

Turning off Web access in ArcCatalog

To disable Web access for a service in ArcCatalog, follow the steps below. The service must be stopped when you perform these steps. See Starting, stopping, and pausing services for instructions.

  1. Make an administrative connection to the server. See Connecting to a GIS server in ArcCatalog for instructions.
  2. Find the service for which you would like to disable Web access.
  3. Right-click the service and click Disable Web Access.

Note: For map services, the steps above only disable Web access for the Mapping capability. You can disable Web access for other capabilities in the Service Properties page, in the Capabilities tab.

Limiting which users can access a service

To set limits on which users can access your services, use the web.config file located in the services folder of your ArcGIS Server instance (for example, C:\Inetpub\wwwroot\arcgis\services). Here you can set differing levels of access for each folder of your GIS server. Use the path attribute of a location element to specify the folder name. Insert the location element in the web.config file just above the </configuration> line, as shown below, so that </configuration> is the next line after your edits.

The following example only allows access to the ZoningMaps folder for users in the PlanningDept group on the operating system:

 
<configuration> 
 . . .
  <location path="ZoningMaps">
    <system.web>
      <authorization>
        <allow roles="PlanningDept" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>

You can also choose to allow access to specific users only. In the example below, only mike23 has access to the Redlands folder:

<configuration>
 . . .
  <location path="Redlands">
    <system.web>
      <authorization>
        <allow users="mydomain\mike23" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>

When specifying access for the root folder, just use empty quotes ("") for the location path. The root folder must allow access to all those who have access to the folders beneath it. For example, if you limit access so that the PlanningDept group has access to the ZoningMaps folder, you must also ensure that the PlanningDept group has access to the root folder.

If you want your security restrictions for Internet connections to resemble the settings for your local connections, you can allow only the agsadmin and agsusers groups at the root level, as shown in this example:

<configuration>
 . . .
  <location path="">
    <system.web>
      <authorization>
        <allow roles="agsadmin, agsusers" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
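
The check below is an added example, not part of the original documentation or of ArcGIS Server: it parses a web.config and reports location blocks whose rules do not actually restrict access, and folders whose allowed users or roles are not also allowed at a restricted root. The sample configuration is constructed, and the names audit and names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: root and ZoningMaps follow the page's pattern,
# while the Redlands block is missing its final deny rule.
BLOCK = ('<location path="%s"><system.web><authorization>%s'
         '</authorization></system.web></location>')
DENY_ALL = '<deny users="*" />'
SAMPLE = "<configuration>" + "".join([
    BLOCK % ("", '<allow roles="agsadmin, agsusers" />' + DENY_ALL),
    BLOCK % ("ZoningMaps", '<allow roles="PlanningDept" />' + DENY_ALL),
    BLOCK % ("Redlands", r'<allow users="mydomain\mike23" />'),
]) + "</configuration>"

def names(rule, attr):
    # Comma-separated list; Windows account names compare case-insensitively.
    return {n.strip().lower() for n in rule.get(attr, "").split(",") if n.strip()}

def audit(xml_text):
    """Return sorted findings for the <location> authorization blocks."""
    allowed, closed, findings = {}, {}, []
    for loc in ET.fromstring(xml_text).iter("location"):
        path = loc.get("path", "")
        rules = loc.findall("system.web/authorization/*")
        allows = [r for r in rules if r.tag == "allow"]
        allowed[path] = {("role", n) for r in allows for n in names(r, "roles")}
        allowed[path] |= {("user", n) for r in allows for n in names(r, "users")}
        # Rules are matched top to bottom and the first match wins, so a block
        # restricts access only if it ends in <deny users="*" /> and no allow
        # rule above it already matches everyone.
        ends_closed = (bool(rules) and rules[-1].tag == "deny"
                       and "*" in names(rules[-1], "users"))
        closed[path] = ends_closed and ("user", "*") not in allowed[path]
        if not closed[path]:
            findings.append("%s: rules do not restrict access" % (path or "(root)"))
    # The page's rule: the root must admit everyone admitted to a folder below.
    # Only literal names are compared; group membership lives in the OS.
    if closed.get(""):
        for path, who in allowed.items():
            for kind, name in sorted(who - allowed[""]):
                findings.append("%s: %s %s is not allowed at the root" % (path, kind, name))
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

A user flagged as missing at the root may still get in through a group that the root allows, so treat those findings as items to confirm against the operating system's group membership.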

For the above additions to the web.config file to be effective, you must disable anonymous access for your ArcGIS Server instance's services directory in IIS (this folder is likely located at C:\Inetpub\wwwroot\ArcGIS\services). Otherwise, your Internet users will always connect with the same name (IUSR_<machine name>), and your operating system will not recognize them as distinct members of the groups you have set up. To disable anonymous access, follow these steps:

  1. In Windows, click Start > Control Panel
  2. Click Administrative Tools and click Internet Information Services
  3. In the tree structure on the left, navigate to (Your computer name) > Web Sites > Default Web Site > ArcGIS (or your instance name if it is different) > services.
  4. Right-click services and click Properties
  5. Click the Directory Security tab and click Edit
  6. Uncheck "Enable anonymous access" ("Anonymous access" in IIS 5.1). Make sure one of the IIS authentication methods is checked. (To learn about IIS authentication methods, see the Microsoft article IIS Authentication.) Then click OK.
  7. Click OK again and exit IIS.

Once you perform the steps above, Internet users wishing to connect to your server will need to type a name and password. This name and password will be checked using the authentication method you have chosen in IIS. If you've limited access to certain folders using the web.config file, only users who belong to the allowed roles, or operating system groups, will be able to see those folders.

Edits that you make to the web.config file are not retained if you re-install ArcGIS Server, so it's a good idea to keep a backup of the security information that you add. For additional information, see this link from Common Problems and Solutions.

Requiring an encrypted connection

You can configure your services to be visible only when a client is connecting through Secure Sockets Layer (SSL). SSL connections are encrypted and are commonly used to send sensitive information, such as credit card transactions, over the Internet. When making an SSL connection, the URL begins with "https".

Setting up an SSL connection requires the use of your Web server administration software; refer to its documentation for information on how to configure SSL.

Requiring encrypted connections is done at the GIS server folder level. In the folder properties, you can check the option "Require Encrypted Web Access". All of the services in that folder will then be accessible only when an SSL connection is being made.

Limiting what users can do with the service

To make it easy to control how your Web services are used, each type of service has a set of allowed operations. Each operation consists of a set of methods that can be enabled or disabled as a group. Clients of the Web service can only call the methods of the operations that have been allowed.

Suppose you wanted to allow consumers of a mapping Web service to draw the map but not to query the data sources of the map's layers. You would then need to disable the Query operation and ensure that the Map operation was allowed.

If you create a service using the Add New Service wizard (as opposed to the Publish GIS Resource wizard) you can choose the allowed operations as you create the service. No matter how you originally created a service, you can change which operations are allowed on an existing service by editing the service's properties. The available operations are listed in the Capabilities panel.

The following tables list which methods are included in each operation:

Map service operations

| Map | Query | Data |
| --- | --- | --- |
| GetDocumentInfo | Identify | Find |
| GetLegendInfo | QueryFeatureCount | QueryFeatureData |
| GetMapCount | QueryFeatureIDs | |
| GetMapName | QueryHyperlinks | |
| GetDefaultMapName | GetSQLSyntaxInfo | |
| GetServerInfo | | |
| GetSupportedImageReturnTypes | | |
| ExportMapImage | | |
| IsFixedScaleMap | | |
| ToMapPoints | | |
| FromMapPoints | | |
| HasSingleFusedMapCache | | |
| GetTileCacheInfo | | |
| GetMapTile | | |
| HasLayerCache | | |
| GetLayerTile | | |
| GetVirtualCacheDirectory | | |
| GetCacheName | | |
| ComputeScale | | |
| ComputeDistance | | |

The default allowed operations for map services are Map, Query, and Data. 

Geocode service operations

| Geocode | ReverseGeocode |
| --- | --- |
| GeocodeAddress | ReverseGeocode |
| GeocodeAddresses | |
| StandardizeAddress | |
| FindAddressCandidates | |
| GetAddressFields | |
| GetCandidateFields | |
| GetIntersectionCandidateFields | |
| GetStandardizedFields | |
| GetStandardizedIntersectionFields | |
| GetResultFields | |
| GetDefaultInputFieldMapping | |
| GetLocatorProperties | |

The default allowed operations for geocode services are Geocode and Reverse Geocode.

Geodata service operations

| Query | Extraction | Replication |
| --- | --- | --- |
| Get_Versions | ExpandReplicaDatasets | CreateReplica |
| Get_DefaultWorkingVersion | ExtractData | ExportAcknowledgement |
| Get_DataElements | | ExportReplicaDataChanges |
| Get_MaxRecordCount | | ImportAcknowledgement |
| TableSearch | | ImportReplicaDataChanges |
| GetNextResultPortion | | ReExportReplicaDataChanges |
| Get_Replicas | | UnregisterReplica |
| Get_WrappedWorkspaceType | | ImportData |

The default allowed operations for geodata services are Query and Extraction, which enable all of the supported methods for querying and extracting data. The Replication choice enables all of the supported methods for synchronization, data changes, message acknowledgement, and schema.

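Globe service operations

| Globe | Animation | Query |
| --- | --- | --- |
| Get_Version | Get_Animation | Identify |
| Get_LayerCount | | Find |
| Get_LayerInfos | | |
| Get_LegendInfos | | |
| Get_Config | | |
| Get_MQT | | |
| Get_Configuration | | |
| Get_Tile | | |
| Get_Symbols | | |
| Get_Textures | | |
| Get_VirtualCacheDirectory | | |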

The default allowed operations for globe services are Globe, Animation, and Query. Unlike with map services, the Query operation covers both Identify and Find.