A role defines the privileges that a member has within the organization. ArcGIS defines a set of privileges for the user, publisher, and administrator roles. In addition, organizations can define privileges at a more detailed level by creating and assigning custom roles.
- Users—See a customized view of the site, use the organization's maps, apps, layers, and tools, and join groups owned by the organization. Users can also create maps and apps, add items, share content, and create groups.
- Publishers—User privileges plus the ability to publish features and map tiles as hosted web layers. They can also perform analysis on layers in maps.
- Administrators—User and publisher privileges plus privileges to manage the organization and other users. An organization must have at least one administrator. However, there are no limits on how many roles can be assigned within an organization. For example, if an organization has five members, all five members can be administrators.
- Custom—A specific set of privileges defined by the administrator. For example, you might have access to maps and apps but cannot create groups. Or you might have privileges to publish features but not tiles.
Note:
When you federate a server with your portal, the portal's security store controls all access to the server. This provides a convenient sign-in experience, but it also affects how you access and administer the federated server. For example, when you federate, any users, roles, and permissions that you previously configured on ArcGIS Server services are no longer valid. Access to services is instead determined by portal members, roles, and sharing permissions. Review the information in Administer a federated server to learn more about how federating will impact your existing site.
Role privileges
Privilege | User | Publisher | Administrator | Custom |
---|---|---|---|---|
Use maps and apps | | | | |
Create content | | | | Optional |
Share maps and apps | | | | Optional |
Join and create groups | | | | Optional |
Edit features | | | | Optional |
Publish hosted web layers | | | | Optional |
Perform analysis | | | | Optional |
Manage organization resources | | | | Optional |
Configure website | | | | |
Create custom roles | | | | |
Custom roles
Organizations might want to refine the standard roles into a more fine-grained set of privileges. For example, members who work with the organization's private maps and apps but do not have a need to create content can be added to the organization in a custom-defined viewer role. In addition, some administrative tasks such as inviting users or managing content can be designated to members through a custom role. There may be cases where members need to have the default administrator role instead of a custom role. For example, only default administrators can configure the website and create custom roles. Administrators configure custom roles based on any combination of the general and administrative privileges listed below.
General privileges
Members who perform specific tasks within the organization—create maps or edit features, for example—can have custom roles that give them the general privileges they need to work and share with groups, content, and features.
- Create, update, and delete groups.
- Join organizational groups.
- Create, update, and delete content.
- Publish hosted feature layers.
- Publish hosted tile layers.
- Publish hosted scene layers.
- Share with groups.
- Share with organization.
- Share with public.
- Make groups visible to organization.
- Make groups visible to public.
- Perform network analysis tasks such as create drive-time areas.
- Perform spatial analysis tasks such as create buffers.
- Use GeoEnrichment to enrich features.
- Perform elevation analysis tasks on elevation data.
Administrative privileges
The privileges listed below allow custom roles to assist the default administrators with managing members, groups, and content in the organization. These custom administrative roles do not contain the full set of privileges of the default administrator role.
- View all member account info.
- Update member account info.
- Delete members from the organization (only default administrators can delete other default administrators).
- Disable members from the organization.
- Change roles of members (only default administrators can change the role to and from the default administrator role).
- Manage licenses for members.
- View groups owned by members.
- Update groups owned by members.
- Delete groups owned by members.
- Reassign ownership of groups.
- Add members to group.
- Link groups to enterprise groups.
- View content owned by members.
- Update content owned by members.
- Delete content owned by members.
- Reassign ownership of content.
Privileges for common workflows
Some workflows require a combination of privileges. If you cannot perform a function that you think your role should be able to do, verify that your administrator has enabled the full set of required privileges.
In order to... | You need privileges to... |
---|---|
Use the analysis tools | Create content, publish features, and use spatial analysis. Some tools require privileges to use GeoEnrichment or network analysis. |
Publish hosted feature layers | Create content and publish hosted feature layers. |
Publish hosted tile layers | Create content and publish hosted tile layers. |
Publish hosted scene layers | Create content, publish hosted feature layers, and publish hosted scene layers. |
Publish apps from the map viewer or group page | Create and share content (with groups, organization, or public). |
Embed maps or groups | Create and share content with public. |
Manage content owned by members | View all member account information; view, update, delete, and reassign content. |
Manage groups owned by members | View all member account information; view, update, reassign, and delete groups; and add members to groups. |
Manage member profiles | View and update all members' account information. |
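One way to review a custom role against the workflow table above, as an added example that is not Esri's code: the privilege names are this page's plain-language labels rather than ArcGIS API identifiers, and the sample role is constructed. Besides missing privileges, it reports privileges the role holds that none of its intended workflows need, and whether the role can share publicly.

```python
# Added example. Labels come from this page's tables; they are not API identifiers.
# A workflow is a list of requirement groups: every group must be satisfied (AND),
# and a group is satisfied by holding any one privilege in it (OR).
SHARE_ANY = {"share with groups", "share with organization", "share with public"}
WORKFLOWS = {
    "publish hosted feature layers": [{"create content"}, {"publish hosted feature layers"}],
    "publish hosted tile layers": [{"create content"}, {"publish hosted tile layers"}],
    "publish hosted scene layers": [{"create content"}, {"publish hosted feature layers"},
                                    {"publish hosted scene layers"}],
    "publish apps": [{"create content"}, SHARE_ANY],
    "embed maps or groups": [{"create content"}, {"share with public"}],
    "manage member profiles": [{"view all member account info"},
                               {"update member account info"}],
}

def missing_for(workflow, granted):
    """Return the requirement groups of a workflow that the role does not satisfy."""
    return [sorted(group) for group in WORKFLOWS[workflow] if not (group & granted)]

def review_role(granted, intended):
    """Compare a role's privileges with the workflows it is meant to support."""
    granted = {p.lower() for p in granted}
    gaps = {w: m for w in intended if (m := missing_for(w, granted))}
    needed = set().union(*(g for w in intended for g in WORKFLOWS[w]))
    return {
        "gaps": gaps,                          # workflows that will fail, and why
        "excess": sorted(granted - needed),    # held but not needed: least-privilege candidates
        "public_sharing": "share with public" in granted,
    }

# Constructed sample: a role intended only for scene-layer publishing and app publishing.
SAMPLE_ROLE = {"Create content", "Publish hosted scene layers",
               "Share with public", "Update member account info"}
SAMPLE_INTENDED = ["publish hosted scene layers", "publish apps"]

if __name__ == "__main__":
    for key, value in review_role(SAMPLE_ROLE, SAMPLE_INTENDED).items():
        print(f"{key}: {value}")
```
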
Reserved privileges
The privileges listed below are reserved for the default administrator.
- Configure website.
- Configure custom roles.
- Set up enterprise logins.
- Manage credit budgets.
- Enable and disable Esri access on member accounts.
- Disable multifactor authentication on member accounts.
- Change member role to or from administrator.
- Remove other administrators from the organization.
- Move member content to different folders within the member's My Content page.
- Share content with public when organization does not allow members to share outside the organization.
- Create and own groups that allow members to update all items in the group.