Organizations can use, create, and share a wide range of geographic content, including maps, scenes, apps, layers, and analytics. The ability of individual organization members to access and work with content in different ways depends on the privileges they have in the organization. Levels allow organizations to control the scope of privileges that can be assigned to members through roles.
Levels
Organizations use levels to allocate accounts based on the privileges that members need. Members are assigned a level when they are added to the organization. The level determines which privileges are available to the member. ArcGIS offers two levels of membership.
Level 1 membership is for members who only need privileges to view content, such as maps and apps, that has been shared with them through the organization, as well as join groups within the organization. Level 2 membership is for members who need to view, create, and share content and own groups, in addition to other tasks.
For example, a content creator assigned a level 2 account can create and share a site selection app with a group of users in their organization. This app allows users to select a specific site and view attribute information about the site that should only be available to internal employees. A member with a level 1 account can join the group and view and interact with the app.
Roles
A role defines the set of privileges assigned to a member. Privileges are assigned to members through a default role or a custom role. Members are assigned a role when they are added to the organization.
Note:
Once the member joins, their role can be changed by administrators and those with privileges to change member roles. Changing roles to or from administrator can be done only by administrators.
Default roles
Portal for ArcGIS defines a set of privileges for the following four default roles:
- Viewer—View items such as maps, apps, and elevation analysis layers that have been shared with the member. Join groups owned by the organization. Use network analysis and geocoding. Members assigned the Viewer role cannot create, own, or share content, or perform analysis. The Viewer role can be assigned to level 1 or level 2 accounts.
- User—Viewer privileges plus the ability to see a customized view of the site, use the organization's maps, apps, layers, and tools, and join groups owned by the organization. Members assigned the User role can also create maps and apps, add items, share content, and create groups. The User role can be assigned to level 2 accounts.
- Publisher—User privileges plus the ability to publish features and map tiles as hosted web layers. Members assigned the Publisher role can also perform standard feature analysis on layers in maps. The Publisher role can be assigned to level 2 accounts.
- Administrator—Publisher privileges plus privileges to manage the organization and other users. An organization must have at least one administrator. However, there is no limit to the number of roles that can be assigned within an organization. For example, if an organization has five members, all five members can be administrators. The Administrator role can be assigned to level 2 accounts.
By default, all new members added to the portal are assigned the User role, but you can choose a different role to apply to new members. Go to My Organization > Edit Settings > Roles and choose a role from the Default role for new members drop-down menu. Click Save to apply this new setting.
The following table shows the privileges defined for each of the default roles.
| Privilege | Default role | |||
|---|---|---|---|---|
Viewer | User | Publisher | Administrator | |
Use maps and apps |
|
|
|
|
Use geosearch |
|
|
|
|
Join groups |
|
|
|
|
Use elevation analysis |
|
|
|
|
Use geocoding |  | | | |
Use network analysis | | | | |
Create groups |
|
|
| |
Create content |
|
|
| |
Share maps and apps |
|
|
| |
Join and create groups |
|
|
| |
Edit features |
|
|
| |
Perform standard feature analysis |
|
|
| |
Publish hosted web layers |
|
| ||
Manage organization resources |
| |||
Configure website |
| |||
Set up enterprise logins |
| |||
Create custom roles |
| |||
Enable and disable Esri access on member accounts |
| |||
Change member role to or from administrator |
| |||
Remove other members of the default administrator role from the organization |
| |||
Move member content to different folders within the member's My Content page |
| |||
Share content with public when organization does not allow members to share outside the organization |
| |||
Create and own groups that allow members to update all items in the group |
| |||
Make ArcGIS Marketplace content available (subscription and premium content access requires an ArcGIS Online organizational account) |
| |||
Note:
When you federate a server with your portal, the portal's security store controls all access to the server. This provides a convenient sign in experience but also impacts how you access and administer the federated server. For example, when you federate, any users, roles, and permissions that you previously configured on ArcGIS Server services are no longer valid. Access to services is instead determined by portal members, roles, and sharing permissions. Review the information in Administer a federated server to learn more about how federating will impact your existing site.
Custom roles
Organizations may want to refine the default roles into a more fine-grained set of privileges by creating custom roles. For example, your organization may want to assign some members the same privileges as a default User but without allowing them to edit feature data. This could be achieved by creating a custom role based on the default User role, turning off the editing privileges, and calling the custom role User without Editing or something similar.
Only default administrators—that is, those who have been assigned the Administrator role—can create, configure, and assign custom roles. Default administrators configure custom roles based on any combination of available general and administrative privileges.
A custom role that has any publishing privilege (for features, tiles, or scenes) will also be able to create other types of ArcGIS Server services on servers federated with your portal. This functionality may be further restricted in a future release to prevent such workflows. Esri recommends that if users need the ability to publish ArcGIS Server services, add them to the default Publisher role.
The privileges that can be granted to a member through a custom role cannot exceed those associated with their assigned member level. For example, if a level 1 member is assigned a custom role that has more privileges than a level 1 account allows, the additional privileges will be disabled for that member.
Privileges
Privileges allow organization members to perform different tasks and workflows in an organization. For example, some members have privileges to create and publish content, while others have privileges to view content but cannot create their own.
General privileges
Members who perform specific tasks within the organization—create maps or edit features, for example—can be assigned the general privileges they need to work and share with groups, content, and features.
| General privileges | |
|---|---|
Members | View This privilege is new at 10.5.1. |
Groups | Create, update, and delete |
Join organizational groups | |
Content | Create, update, and delete |
Publish hosted feature layers | |
Publish hosted tile layers | |
Publish hosted scene layers | |
View content shared with portal This privilege is new at 10.5.1. | |
Sharing | Share with groups |
Share with portal | |
Share with public | |
Make groups visible to portal | |
Make groups visible to public | |
Content and Analysis | Geocoding: Use Esri World Geocoder from ArcGIS Online to convert addresses to map points (geocoding) such as when publishing a CSV file of addresses as hosted feature layers or adding a CSV file of addresses to a map (does not apply to custom geocoders configured for the organization) |
Network Analysis: Perform network analysis tasks such as create drive-time areas | |
Standard Feature Analysis : Perform spatial analysis tasks such as create buffers Legacy:Prior to 10.5.1, this privilege was called Spatial Analysis. | |
GeoEnrichment: Use the GeoEnrichment service to access demographic information. | |
Elevation Analysis: Perform elevation and hydrology analysis tasks on elevation data | |
GeoAnalytics Feature Analysis: Use GeoAnalytics Tools. This privilege is new at 10.5.1. | |
Raster Analysis: Use raster analysis tools. This privilege is new at 10.5.1. | |
Features | Edit: Edit features based on permissions set on the layer |
Edit with full control: No matter what level of editing is enabled on hosted feature layers, members of roles with this privilege can add, update, and delete features | |
Administrative privileges
The privileges listed below allow custom roles to assist the default administrators with managing members, groups, and content in the organization. These custom administrative roles do not include the full set of privileges reserved for default administrators—that is, those assigned the Administrator role.
| Administrative privileges | |
|---|---|
Members | View all: View all member account information |
Update: Update member account information | |
Delete: Remove member accounts from the portal organization | |
Disable: Make member accounts inactive | |
Change roles: Change the role assigned to portal members Note:Only members of the default administrator role can add members to or remove members from the default Administrator role. | |
Manage licenses: Manage licenses for members | |
Groups | View all: View groups owned by portal members This privilege is new at 10.5.1. |
Update: Update groups owned by portal members | |
Delete: Delete groups owned by portal members | |
Reassign ownership: Reassign ownership of groups | |
Assign members: Add members to groups | |
Link to enterprise group: Link groups to enterprise groups | |
Create with update capabilities: Create a group that allows all members of the group to update all items shared to the group regardless of item ownership or editor settings. This privilege is new at 10.5.1. | |
Content | View all: View content owned by members |
Update: Update content owned by members | |
Delete: Delete content owned by members | |
Reassign ownership: Reassign ownership of content | |
Privileges for common workflows
Some workflows require a combination of privileges. If you cannot perform a function that you think your role should allow you to perform, verify that your administrator has enabled the full set of privileges required for the function.
| Workflow | Required privileges |
|---|---|
Use the analysis tools |
Note:Some tools require additional privileges to use GeoEnrichment, elevation analysis, or network analysis. See Perform analysis for requirements per tool. |
Publish hosted feature and WFS layers |
|
Publish hosted tile layers |
|
Publish hosted scene layers |
|
Publish apps from the map viewer or group page |
|
Embed maps or groups |
|
Manage content owned by members |
|
Manage groups owned by members |
|
Manage member profiles |
|
Add, update, and delete features on editable hosted feature layers even if the hosted feature layer is only configured to Only update feature attributes or Only add new features |
|