Overview of setting up users and roles
ArcGIS Server Manager allows you to assign access privileges to roles for services and for Web applications. A role is a group of one or more users. A user is an individual who accesses a Web application or a Web service. A user can belong to many roles.
For example, suppose John, Carla, and Pat are all users of a GIS server that helps manage natural resources. All three of these users belong to the General Access role which allows them to access a set of base services. However, John and Carla belong to a Hydrologist role that gives them access to additional services. Perhaps a fourth user, Maria, belongs to a Team Leader role that allows access to all services. The important thing to remember is that you can configure the roles and levels of access to fit your scenario.
Before you can use the tools in ArcGIS Server Manager to assign permissions to services or applications, you need to define where those users and roles will be stored. You have several options. See the links below to learn more about setting up each one.
By default, users and roles are stored in the same location. If you choose Windows users, you can choose to store roles in either SQL Server or in a custom provider. If you choose this option, you must ensure that the roles in SQL Server (or custom provider) contain members whose names are spelled exactly as they are for the Windows user accounts.
Manager uses the same user and role store for all Web services and for all Web applications. If you want to use a different location for services than for applications, you cannot use the same instance of Manager to secure both services and applications. You could use Manager to secure services, and use other tools to secure applications; or use Manager to secure applications and use external tools to secure services. For the first option (Manager secures services only), you would not enable security within Manager for any Web applications. Instead, you could configure security for individual Web applications either by configuring the application manually or by using Microsoft's Web Site Administration Tool (WSAT). See Securing Web Applications for information on using WSAT.
Another option is to add a second instance of the ArcGIS Web applications using the AddInstance tool. You would administer your GIS Web services with one ArcGIS instance and administer your Web applications with the second instance. For more information, see ArcGIS Server Instances.
When you configure the storage location for users and roles, this information is written to configuration files in ArcGIS Server. The actual users and roles themselves are stored separately, in the storage location you specify. But information that configures how the security store is used is stored in ArcGIS Server configuration files. Normally, you should use Manager to edit the configuration, but information is provided here for users who may need to manually modify security settings.
All settings related to security are stored in standard ASP.NET configuration settings. You may want to consult references on ASP.NET for more information on these settings.
The central location for security settings is in the <ArcGIS Instance>\Security Web application (for example, http://myserver.example.com/ArcGIS/Security, with a physical location by default at C:\Inetpub\wwwroot\ArcGIS\Security). The web.config file in this application folder houses the security configuration for the ArcGIS Server instance. If you need to manually configure a provider, for instance, to add a custom membership provider, you would edit this web.config file (see Setting up users and roles in a custom provider for more information on custom providers).
When you use the wizard to configure security, the settings in the Security Web application are updated, then these same settings are copied to several other applications. These include three applications within the same ArcGIS instance: Rest, Services, and Tokens. Also, if any Web applications have previously been secured with Manager, the settings are updated in those applications. Subsequently, when any other Web application is secured with Manager, these settings are also copied into that application's web.config file.
If you make any changes to the configuration in the Security application's web.config file, you should run the Security-Settings-Change wizard. This will copy changes into the applications that apply security. Also, since Manager coordinates the security settings for multiple applications, it is recommended to use Manager to make any changes to security settings rather than to attempt manual changes.