Is there an option to give publisher permission to specific arcgis server folder only?

3134
11
06-28-2015 01:09 AM
New Contributor II

Hi,

I want to allow specific user to publish data to my arcgis server. The problem is that I want this specific user to be able to change/modify/delete only services he created/specific services.

I thoght to create arcgis server folder,  and allow this user to access only this folder and prohibit from him to access all other services and folders.

Is there an option to do so, or other solution to tge the problem i have described?

Regards,

Noam

Reply
0 Kudos
11 Replies
Esri Esteemed Contributor

Reading this help topic Restricting access to ArcGIS Server—Documentation (10.3 and 10.3.1) | ArcGIS for Server it looks like this is not possible.

  • Publisher: The Publisher role type is given limited access to ArcGIS Server administrative components and functions. Members of a role with the role type set to Publisher can log in to ArcGIS Server Manager and the Administrator Directory with access to only the service and log management features. They can publish new services, manage existing services, and generate map caches. They cannot configure or change ArcGIS Server security options but can manage permissions for services. This role type should be restricted to roles that publish and manage ArcGIS web services.

and this note:

If a role's type is set to either Administrator or Publisher, that role automatically gets implicit access permission to all GIS web services hosted on the ArcGIS Server site. This implicit permission cannot be overridden by changing the permissions on a service or folder.
Honored Contributor

Hi Noam,

You could try the following.

In ArcGIS Server Manager,

1) Create different customized roles and define them for corresponding users.

2) Manager Services > Edit Folder Security (A lock icon on each folder) > In Security Settings: <FolderName>, click "Private, available to selected users"

3) Add the roles who can access the specific folder.

New Contributor II

Hi Jayanta,

Thank for your answer,

Your suggestion allows to consume services from folder with permission,

but not to publish only to a specific folder.

Noam

MVP Esteemed Contributor

​Naom,

Would setting permissions at the operating system level to revoke writing by thus user work?  Maybe in combination with what Jayanta recommended?

EDIT: Based on Vince Angelo comments below (7/5/15).....please ignore this comment.

Reply
0 Kudos
New Contributor II

Maybe,

as far as I know, ArcGis Server folder is a logic folder -

do you know where it is located on the operation system?

Reply
0 Kudos
MVP Esteemed Contributor

​looking at  my 10.2.2 server, when I create a folder in AGS manager, it creates two physical folders on my D drive (but default is C drive), and at least one other on my c)

d:\arcgisserver\directories\arcgissystem\arcgisinput\myNewFolder

d:\arcgisserver\directories\arcgisoutput\myNewFolder

c:\arcgisserver\config-store\services\myNewFolder

I'm the admin and I don't have another non admin account to be able to see whether it would work or not, or what error they would get.  Of course, best case, I would think you wouldnt even want them to see the folder exists.  My guess, it will still be listed, but it would give them an error when trying to publish.

although this may work, I am no expert on what messing around with the folder permissions will do.  Make sure you have a way to restore (backup, or how to reverse any folder permission changes) before you mess with things.  I'm not sure that any of the above would be suggested by tech support....and it may be good to talk to them first.

Reply
0 Kudos
Esri Esteemed Contributor

I wonder if this will work... Isn't it arcgis server that will create the service directory and not the windows user?

Reply
0 Kudos
MVP Esteemed Contributor

Hi Xander, yes, ArcGIS Server creates the folders.  I was suggesting changing the permissions AFTER the folder(s) are created. I'm not sure if it would work, nor do I necessary recommend it, I was just trying to think of things that they might want to try (With caution).   In our shop, there are only two of us that create services (most are by me) so it's not an issue (that is, only two will publishing privileges).  Talking about it us an easy option for..I'm assuming that isn't a possible fir Noam's shop.

Reply
0 Kudos
Esri Esteemed Contributor

I think that the folders and files for the service will be created using the arcgis server account and probably not the user account. Not sure about that, but that's what I'm afraid of.

Reply
0 Kudos