Difference between adding a user to agsadmin group vs. Publisher role?

1426
8
Jump to solution
02-08-2017 11:43 AM
PlanningCommission
New Contributor II

Running ArcGIS Server 10.3 with IIS.  What's the difference between adding a user to the agsadmin machine group versus adding them to the Publisher role in ArcGIS Server Manager?  Are the permissions the same for both?  Do they need to be added to both?

0 Kudos
1 Solution

Accepted Solutions
JonathanQuinn
Esri Notable Contributor

If you're talking about the agsadmin group within your Local Users and Groups in Windows, I'm betting you had ArcGIS Server 10.0 on that machine, and that group is a legacy group from that setup.  ArcGIS Server 10.0 used the agsadmin group and DCOM to determine who was an Admin on the machine.  At 10.1 and on, all security and privileges are defined within the scope of roles, (Administrator, Publisher, User), set within Manager.

View solution in original post

8 Replies
RebeccaStrauch__GISP
MVP Emeritus

Take a look at the comments and vote up this idea

https://community.esri.com/ideas/12522  

Although this is for ArcGIS Online administration, ArcGIS Server has a similar issue.  The Admin group can change anything, including the installation and security settings.  Publishers can do a lot, but can't modify some of those settings. 

We have most of our users in a publisher group.  The times that they do need additional privileges, they log into the primary admin group.  That is how we deal with it anyway.  All other users are just domain users and are given privileges based on that (when a folder/service is restricted by security).

AdrianWelsh
MVP Honored Contributor

All I can do here is smile.  

It looks like the idea has been "reviewed", so whatever that means!

0 Kudos
RebeccaStrauch__GISP
MVP Emeritus

  yes, I've had many conversations about this (for both AGOL and AGS).  Admins have all powers, Publishers sometimes don't have enough but the gap between the two is too large.  Even though you can make custom roles on the AGOL line, you can'l start with the Admin role and then take things away....and you can't add some of these from the publisher template.  Hopefully this will change on the AGOL side soon.

Sam issue is with the AGS side,.  But to answer the question, I would look at some of the security help docs for AGS

Managing ArcGIS Server users and roles—ArcGIS Server Administration (Windows) | ArcGIS Enterprise  might be a place to start, but you will have to look a bit deeper.  I haven't found the direct link to the "what does admin allow" vs "what does publisher allow" (but still looking, and someone else may have found this by now)

RebeccaStrauch__GISP
MVP Emeritus

This is what I was looking for

Choose one of the available role types. The role type controls access to the ArcGIS Server site and permissions to perform administrative and publishing functions. A role can be one of three types:

  • Administrator: The Administrator role type is given unrestricted access to ArcGIS Server administrative components and functions. Members of a role with the role type set to Administrator can log in to ArcGIS Server Manager, the Services Directory, and the Administrator Directory with access to all features and functionality. They can add or remove machines from the site, configure security, and so forth. This role type should be restricted to roles that perform ArcGIS Server site administration.
  • Publisher: The Publisher role type is given limited access to ArcGIS Server administrative components and functions. Members of a role with the role type set to Publisher can log in to ArcGIS Server Manager and the Administrator Directory with access to only the service and log management features. They can publish new services, manage existing services, and generate map caches. They cannot configure or change ArcGIS Server security options but can manage permissions for services. This role type should be restricted to roles that publish and manage ArcGIS web services.
  • User: The User role type is restricted from accessing ArcGIS Server administrative components and functions. Members of a role with the role type set to User cannot access ArcGIS Server Manager or the Administrator Directory. They can only use or access a service, provided that permission has been granted to their user accounts to access it. This role type should be used for users who will consume GIS web services through the ArcGIS web APIs. Each role is set to type User by default.
Note:

If a role's type is set to either Administrator or Publisher, that role automatically gets implicit access permission to all GIS web services hosted on the ArcGIS Server site. This implicit permission cannot be overridden by changing the permissions on a service or folder.

Restrict access to ArcGIS Server—ArcGIS Server Administration (Windows) | ArcGIS Enterprise 

0 Kudos
PlanningCommission
New Contributor II

Thanks, this helps a lot!  But I'm still confused about the "agsadmin" machine group.

Is adding a user to the "agsadmin" machine group equivalent to adding them to the Administrator role in ArcGIS Server Manager?  Is the "agsadmin" machine group even used anymore?  Can I delete it and just add my users to the appropriate role (Administrator or Publisher) in ArcGIS Server Manager?

0 Kudos
RebeccaStrauch__GISP
MVP Emeritus

Are you sure that isn't a local Active Directory of or  LDAP group that was created??

0 Kudos
JonathanQuinn
Esri Notable Contributor

If you're talking about the agsadmin group within your Local Users and Groups in Windows, I'm betting you had ArcGIS Server 10.0 on that machine, and that group is a legacy group from that setup.  ArcGIS Server 10.0 used the agsadmin group and DCOM to determine who was an Admin on the machine.  At 10.1 and on, all security and privileges are defined within the scope of roles, (Administrator, Publisher, User), set within Manager.

PlanningCommission
New Contributor II

Yes, that is what I'm referring to.  I have both an "agsadmin" and "agsusers" group on my Windows server in the Local Users and Groups.  These were created from a previous ArcGIS Server install.  I just didn't know if they are still being used in my current version (10.3.1).  Sounds like I can remove those groups and use the ArcGIS Server built-in roles (Administer, Publisher, User).

Thanks to all who replied!