ArcGIS Server makes your data, such as maps, tools, imagery, locators, and so on, available to many other computers in your organization and potentially the entire Internet. However, your GIS server machines need to be able to freely access your data in order to expose it effectively. There are three main things you need to do to make your data accessible to ArcGIS Server:
- Store your data where all GIS server machines can see it.
- Grant the ArcGIS Server account permissions to your folders that contain data and databases you access with operating system authentication. The ArcGIS Server account is the operating system account you specified when you installed ArcGIS Server, not the primary site administrator specified when the ArcGIS Server site was created.
- Register your data with the server.
This topic covers all of the above requirements. First, it is helpful to understand how ArcGIS Server stores and references the data behind its services.
How ArcGIS Server stores and accesses data
When you publish an item as a service, that item is placed on the server. Thus, if you publish a locator as a geocode service, a copy of the locator ends up on the server where ArcGIS Server has sufficient permissions to access it.
Sometimes, you might publish an item that references additional data. For example, a map might reference various feature classes stored in a database. This data is only moved to the server if you do not register the data with the server when publishing. Alternatively, if you do not want the data to be copied to the server at the time of publishing, you need to explicitly take the steps below to ensure ArcGIS Server can see and access your data.
Store data where all GIS server machines can access it
Each GIS server machine in your deployment needs to be able to read your GIS resources and all the data they reference. For example, when you publish a map as a service, all the data for the map's layers must be visible to all GIS server machines. Following are some approaches for how you can store the data.
Store data locally on each GIS server machine
When you save your data to a local path, for example, C:\data and create a service from it, other GIS server machines are not able to work with the service unless they have their own copies of the data residing at C:\data. Loading an identical copy of your data into an identical path on each GIS server machine can be beneficial for performance, but it may not be a practical solution for large or frequently changing datasets.
Store data in a shared directory
Another way to make your data available to all GIS server machines is to use the operating system tools to share the directory in which the data is stored. Shared directories are commonly referred to with Universal Naming Convention (UNC) paths, which contain the name of the server (for example, \\myServer\data). When you use UNC paths to reference your data, all GIS server machines will look to the correct machine for the data.
If you store your GIS resources in shared directories, remember that all data source paths within the resource must also use UNC paths or relative paths. For example, if your map document contains layers from three feature classes, the paths to those feature classes must be UNC or relative paths.
Although shared network folders are convenient for referencing data, they require network traffic and can introduce performance bottlenecks that would not otherwise exist when accessing the data through local paths.
Store data in a database
Many GIS shops store large data collections in a relational database management system (RDBMS) such as SQL Server, DB2, Informix, Netezza, Oracle, or PostgreSQL. Esri natively supports these databases, which provides a way to conveniently organize and use spatial data from an RDBMS in ArcGIS.
Esri also provides a geodatabase that you can deploy within your RDBMS. Geodatabases and databases are convenient and powerful, but, because they are accessed over the network, they often do not yield as fast performance as you would see when accessing the data locally. In some cases, you may be able to use the geodatabase to replicate to other formats that are easy to store locally, such as file geodatabases. You can then place the data on each GIS server machine for optimum performance.
See Data storage considerations for an ArcGIS Server site to learn about whether this approach is right for you.
Grant the ArcGIS Server account permissions to your data
When you log in to your own computer, the account name you use gives you access to all your files and folders on the computer. No one else can access your data unless you allow them to. The same holds true for your GIS data. The ArcGIS Server account needs at least read permissions to any data in folders that you use in your services and any data in databases that you access using operating system authentication. In some scenarios where edits are occurring, the ArcGIS Server account may also need write permissions.
When do you need to apply permissions?
The items you publish are copied to the server where the ArcGIS Server account has already been granted permissions. However, the data referenced in those items (for example, the layers in a map or globe) may or may not have the correct permissions applied, depending on whether you choose to register the containing folder or database with the server when publishing.
If you chose to have the server automatically copy data to the server, there is no need to set any additional permissions. All the data is copied to the server where the ArcGIS Server account already has permissions. If your source data is file based and you are publishing a feature or transaction-enabled WFS (WFS-T) service, the source data is copied into a geodatabase that you registered with the server, called ArcGIS Server's Managed Database. You do not need to grant permissions to the ArcGIS Server account to access the source data that is copied to the server.
To learn more, see Copying data to the server automatically when publishing.
If you chose to register the containing folder, you need to explicitly give the ArcGIS Server account permissions to read from that folder. For example, when you publish a globe service, you do not need to give the ArcGIS Server account permissions to read your 3DD file (because this is always copied to the server). However, you need to explicitly give the ArcGIS Server account permissions to the data referenced by the layers of that 3DD document.
If you choose to register the containing database, the type of permissions you need to grant depends on what type of database you are using and what type of authentication you are using to connect.
The process of granting permissions to your file-based or database data is described in the remaining sections of this topic.
Permissions for file-based data
If your data is file based, such as shapefiles, image files, and file geodatabases, you need to work with the operating system to set access to the folders that contain your data. The ArcGIS Server account must have at least read access to the data and write access if the data will be edited. Here are some scenarios:
- If your data resides on the GIS server machine (or one of the GIS server machines in the event you have more than one), grant the ArcGIS Server account read (and optionally write) access to the folders containing your data.
- If the data does not reside on the GIS server machine and you specified a local account as the ArcGIS Server account, you will first need to create an identical local account (having the same user name and password) on the machine that hosts your data. Then grant that local account read (and optionally write) access to the folders containing your data. As long as the local accounts on the machine with data and the GIS server machine are identical, the GIS server machine will be able to access the data.
- If the data does not reside on the GIS server machine and you specified a domain account as the ArcGIS Server account, grant the domain account read (and optionally write) access to the folders containing your data.
You should be aware of your operating system's security mechanisms and hierarchies. For example, if you are working from a shared directory in Windows, you need to give the ArcGIS Server account share permissions for the folder, switch to the Security tab of the folder properties, and grant NTFS (file) permissions to the ArcGIS Server account for the folder. If you do not grant both types of permissions (share and file), ArcGIS Server cannot access the resource, since the operating system gives precedence to the more restrictive of the two.
Permissions to data in a database
When you create a service that references data in a database, you need to ensure that the server has the appropriate permissions to access the data. The type of permissions you need to grant depends on what type of database you are using and what type of authentication you are using to connect.
The way you grant ArcGIS Server access to data in a database depends on whether you connect to the database using database authentication or operating system (OS) authentication. View the database connection properties in ArcCatalog or the Catalog window in ArcMap to find out whether the connection uses database authentication or OS authentication. Note that you always access workgroup geodatabase using OS authentication.
When using database authentication, check your database connection properties in the Catalog tree and make sure you check the option to save the user name and password. This is required for your service to access the data successfully.
Write permissions on the data must be granted to the database user making the connection if you plan to allow edits to the data.
If you access data through OS authentication, add the ArcGIS Server account to the database and grant it permissions to the resources that it needs to access. When the service runs, it will log in to the DBMS as the ArcGIS Server account.
The way that you add the ArcGIS Server account and grant it permissions can vary. You may find it helpful to consult your DBMS documentation to learn how to grant access to an operating system account. Once you add the ArcGIS Server account, you need to grant it SELECT permissions to the resources that you are going to publish. Write permissions on the data are required if you plan to allow edits to the data.
If you are working with a workgroup geodatabase, perform the following steps in ArcCatalog or the Catalog window to give the ArcGIS Server account the necessary permissions:
- Double-click Database Servers in the Catalog tree.
- Right-click the database server containing the geodatabase and click Permissions.
- Click Add User and add the ArcGIS Server account. Click OK.
- Double-click the same database server.
- Right-click the geodatabase, click Administration, and click Permissions.
- Click the ArcGIS Server account to select it and choose the level of permissions you want it to have. You need at least read permissions to see the data, and you need write permissions for editing. See Database server permissions in the ArcGIS Desktop help if you need further assistance deciding which permissions would be necessary for your ArcGIS Server account.
Register your data with the server
After you grant the ArcGIS Server account the appropriate permissions to the folders and databases that contain your data, you need to register the folders and databases with the server using ArcGIS Server Manager or ArcGIS for Desktop. Data registration gives you the most control over how your server accesses data and helps you ensure that the data is truly accessible by the server.
Note that to register workgroup geodatabases with ArcGIS Server, you need to create a database connection (.sde file) to the workgroup geodatabase.
For full instructions, see the following topics: