The arc:restrict keyword allows you to restrict access to a service based on users and roles. This restriction is over and above any restrictions that you might enforce using ASP.NET.
If you add arc:restrict to your script, only the users or roles specified will be able to use the service.
The arc:restrict keyword can control access based on the following:
- The specific user trying to execute the feed.
- Whether the user is a member of a specified security role, where a role maps to the roles defined by the ASP.NET authentication and authorization configuration.
You can have multiple arc:restrict statements in a single script. They are evaluated with the logical OR operator.
- user: A comma-separated list of usernames. All users specified on the list will have access to the feed. Note that if you use Windows Integrated Authentication, you must ensure that usernames are domain- or machine-qualified (i.e., “DOMAIN\username”).
- role: A comma-separated list of role names. Any user in at least one of the specified roles will have access to the feed.
- authtoken: A comma-separated list of authtokens for users authorized to access the script. The authtoken can be supplied in HTTP Basic authentication, the x-arcesb-authtoken header, or the @authtoken in the form-post data. If AllowtokeninURL is set in settings.json, located in the app_data folder, @authtoken can also be provided in the query string.
- visibility: Setting the visibility to “local” makes the script inaccessible directly from HTTP. However, you can still invoke the script through another script.
- method: A comma-separated list of HTTP methods that the specified user can execute against the feed.
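The parameters above combined with the multiple-statement rule, as an added example that is not part of the original documentation. The `<arc:restrict ... />` element form, the CORP domain, and the pairing of user with method in one statement are assumptions; the attribute names are the ones listed above.

```xml
<!-- Added example: constructed values, not from the product documentation. -->

<!-- Statement 1: two Windows accounts, domain-qualified as required under
     Windows Integrated Authentication (CORP is a sample domain), limited
     to the GET method. Assumes user and method can share one statement. -->
<arc:restrict user="CORP\tomk,CORP\jdoe" method="GET" />

<!-- Statement 2: any user who is in the FeedConsumers role. -->
<arc:restrict role="FeedConsumers" />

<!-- The two statements are combined with logical OR: a caller who matches
     either one is allowed, so CORP\tomk gets in through statement 1 even
     without being a member of FeedConsumers. -->
```

Because the statements are ORed, each additional arc:restrict widens access rather than narrowing it, so review every statement in a script when auditing who can reach it.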
Below are some examples of arc:restrict:
Grant access only to the tomk and jdoe users:
Grant access only to a user in the “FeedConsumers” role:
- arc:call: Call scripts, operations, or feeds.