Managing policies using the Manager UI

This page contains the following sections:

Service Manager

Activate or deactivate security.manager

After the initial installation, security.manager NEXT has no effect on the accessibility of services. It must be activated for every single service where it shall control access. This is why all services of the selected ArcGIS Server initially appear with a security.manager deactivated symbol in the Service Manager. The grey lock indicates that security.manager is not activated for the actual service.

To activate security.manager on a service, click service menuActivate security.manager. You can now select to Enable replica support under Advanced settings.

When you click on Activate, security.manager NEXT does the following:

  1. Set disableCaching: true on the service in order to make sure that service metadata will get filtered according to defined policies.

  2. Set javaHeapSize: "256" on the service.
    If the property was already set, it will not be changed, even if it is set differently. See ArcGIS Server Memory Settings for details about memory handling for dedicated and shared instances.

  3. Enable the SOI on the service.

  4. Restart the service.
    If the service was stopped before activation, it is not started automatically.

On successful activation, the lock symbol turns to security.manager activated, and access control is applied. Administrative users still have full access to the service resources without limitations. But all other users will not get access to any service resource until you define a policy with a permission that explicitly grants access.

Deactivate security.manager by clicking service menuDeactivate security.manager. The service settings (disableCaching, javaHeapSize, enable replica support) are not reset. Policies are not purged but become inactive.

When you activate security.manager again, the settings are again checked and adjusted as described above, in case they have been reset by any other means. On activation, inactive policies become active again.

Edit permissions

When security.manager is activated on a service, regular users initially do not have access to any layers or features. Only if you define a policy that grants permission to a layer of a service, users get access to service resources like layers and features. With the Service Manager you can define policies on a service — although we recommend to use the CLI. The CLI in combination with a policies working directory allows to quickly bring your ArcGIS Server into a defined, reproducible state.

Defining policies inside the Service Manager can still be useful for testing or managing a smaller ArcGIS Server site.

To define a policy giving permission to access resources of a service

  1. Make sure security.manager is activated for this service.

  2. Click service menuEdit permissions.

  3. Enter or modify a JSON policy in the dialog.
    Alternatively you can drag and drop an existing JSON file including a valid policy onto the dialog.

  4. Apply the policies with Save changes and restart.

If the service was started it will be restarted, and the new policies become effective.