Help Understanding ArcGIS Server 10 Security

Discussion created by zconlen on Apr 5, 2012
Latest reply on May 8, 2012 by zconlen
I am interested in setting up some secure services in ArcGIS Server 10.0 sp3. I see that I have a choice of either sql or windows based security and it looks fairly straight forward to set it up, but I have several questions.
1) Is it true that for a given instance of AGS, you must choose either windows or sql security? It seems like different applications would have different security requirements and you should be able to configure security on a service by service basis if desired.

2) I am concerned by the following statement in AGS documentation -

"Near the end of this walk-through, you enable security for GIS Web services. Once you enable services security, only users whom you have authorized, based on their Windows group membership, will be able to access any services on your system. Also from this point on, you will need to manage permissions for all services. You should not enable services security unless you want to restrict all services to authorized users and you are prepared to continue managing permissions."

A similar statement can be found for sql security. So if I'm understanding correctly, if I want security for 1 service I must implement it for all services? Again, this does not seem like a user friendly, flexible way of managing services...

3) Here is my scenario - I have dozens of services that dont require security and a handful that do. I'd like to implement seucrity in such a manner that existing applications which use the un-secured services are not impacted. Of the several services which require security some of the applications would be on intranet and suited to windows authentication, but at least one is public facing and would require sql authentication. What are my options? What is best approach?

4) Does managing security get better at 10.1?