Introduction to VertiGIS Studio Access Control

VertiGIS Studio Access Control is a standalone, web-based product that gives you fine-grained control over who can access your ArcGIS Server services, and the layers, fields, features, geometries, and geoprocessing tasks it contains.

ArcGIS Server service permissions are limited to the service level. However, Access Control lets you control user and user group access at the layer level, the field level, and the task level.

Specifically, you can:

VertiGIS Studio Access Control deals with permissions only. It does not authenticate the user. Authentication still takes place through ArcGIS.

Supported Servers and Services

VertiGIS Studio Access Control is installed on the same server as your ArcGIS Server and supports the security model used to secure ArcGIS Server:

For details, see Key Concepts.

Access Control supports MapServer, FeatureServer, and GPServer services only.

Configuring Permissions in VertiGIS Studio Access Control

Access Control includes a web-based designer for administrative configuration. The Access Control Designer creates permissions using a behind-the-scenes RESTful configuration service. Permission configuration is transparent to end users and to client applications.

Sign in to the Access Control Designer using your ArcGIS Administrator identity. If you do not have an on-premise portal, you can sign in with your ArcGIS Online account and manage your on-premise services.

When you sign in, you will see a list of ArcGIS Servers. Some ArcGIS Servers—such as federated servers—are detected automatically, but you can also register ArcGIS Servers manually. You can register as many ArcGIS Servers as you want.

Select an ArcGIS Server to see a catalog of the folders and services on that server. You can apply permissions at the service level, or drill down to find the layer, field, or geoprocessing task on which to apply more fine-grained permissions.


Note the following:

VertiGIS Studio Access Control is an administrative tool. You should restrict access to the Designer to ArcGIS administrator users only.

How Does Access Control Work?

In a typical deployment, Access Control is installed on the ArcGIS Server and acts as a forwarding proxy for the ArcGIS Web Adaptor that is used to access ArcGIS Server.

When the client application issues a request (shown as dashed arrows in the diagram below), the following sequence of events occurs.

  1. The client request is received by the ArcGIS Web Adaptor.

  2. The Web Adaptor forwards the request to the VertiGIS Studio Access Control proxy.

  3. The Access Control proxy examines the request and evaluates it against the permissions configured in the Access Control Designer.

  4. If the user has permission to access the requested resource, the request is relayed to the back-end ArcGIS Server.

  5. ArcGIS Server sends the response to the Access Control proxy.

  6. The Access Control proxy examines the response and evaluates it against the configured Access Control permissions.

The recommended, and most common, deployment of Access Control requires ArcGIS Server to use the ArcGIS Web Adaptor. However, other deployments are also supported. For details, see Reverse Proxy and/or Load Balancer Deployments.