You can allow users to add their own accounts using the portal website. You can also add built-in accounts individually or in bulk using the website. A command line utility is also available for you to add built-in or SAML-based enterprise accounts in bulk.
If you're using the portal's built-in store to manage members, the member's account is added to the built-in identity store and appears in the portal website. The account information is stored in the portal.
If you're using your organization's enterprise identity store or SAML provider to manage members, the account information is read from the enterprise identity provider and appears as an entry in the portal website. The account authentication information is not stored in the portal.
To learn more about how members are managed in the portal, see Managing access to your portal. For full instructions on how to add members to your portal, see the steps in the sections below.
Allow users to add their own accounts
Enterprise accounts
If your portal is configured with your organization's enterprise identity store, you can configure the portal to register these accounts with it the first time the enterprise accounts connect to it. By default, new installations of Portal for ArcGIS do not allow accounts from an enterprise identity store to be registered to the portal automatically. For full instructions on how to configure your portal to allow this, see Automatic registration of enterprise accounts.
Built-in portal accounts
If your portal uses built-in portal accounts, you can send the portal URL to the people in your organization who need to use the portal. These people can paste the URL in a web browser and create their own account by doing the following:
- From the portal home page, click Sign In. You'll also see this page if you attempt to save a map without logging in.
- Click Create an account.
- Provide your first name, last name, desired user name, password, and email address.
User names cannot have more than 128 characters or fewer than 6 characters. They can only contain alphanumeric ASCII characters or underscores.
- Choose an identity question and type an answer to the question.
- Click Create My Account.
An account is added to the portal's identity store, and the user is signed in to the portal.
Add accounts using the portal website
Using the website, you can add built-in or enterprise accounts to the portal. Accounts can be added individually or in bulk using a comma-separated values (CSV) file.
Note:
If you are adding more than 1,000 users at once, use the CreateUsers command line utility to do so.
Add built-in members
You can add built-in members one at a time or in bulk from a file.
One at a time
- Verify that you are signed in as an Administrator of your organization.
- Click Organization > Add Members.
- On the Add Members page, select the Add built-in portal members radio button and click Next.
- Click the One at a time tab and provide the following information:
- Email—An email address for the user, for example, jcho@email.com. If an email is not available, use the email address of the Administrator.
- First Name—The user's first name (for example, Jon).
- Last Name—The user's last name (for example, Cho).
- Username—The user name alias for the account. The user name is populated automatically based on the email address. You can modify it as desired (for example, jcho11). The user name must be between 6 and 128 ASCII characters in length. You must inform the user of their user name.
- Password—A password for the account (for example, jcho.1234). The password must be at least eight characters in length and have at least one number and letter. You must inform the user of their password. It's recommended that you encourage the user to change their password after logging in for the first time.
- Level—The membership level to which the member will be assigned. Level 1 members can use existing content but do not have privileges to create or share it. Level 2 members have the ability to create, share, edit items, and so on. For more information, see Levels, roles, and privileges.
- Role—The role to which the member will be assigned. This can be any role (viewer, user, publisher, custom role, or administrator role) within its corresponding membership level.
- Click Add and Review.
- Verify that the member account information is correct and click Add Members.
The member account is added to the portal. The user can now log in using the credentials you specified.
From a file
- Create a plain-text CSV file that contains information for each member account. The first line must contain header information with these field names: First Name, Last Name, Email, Username, Password, Role, and Level. Subsequent lines include the actual member account information as follows:
- First Name—The user's first name (for example, Jon).
- Last Name—The user's last name (for example, Cho).
- Email—An email address for the user, for example, jcho@email.com. If an email is not available, use the email address of the Administrator.
- Username—The user name alias for the account. The user name is populated automatically based on the email address. You can modify it as desired (for example, jcho11). The user name must be between 6 and 128 ASCII characters in length. You must inform the user of their user name.
- Password—A password for the account (for example, jcho.1234). The password must be at least eight characters in length and have at least one number and letter. You must inform the user of their password. It's recommended that you encourage the user to change their password after logging in for the first time.
- Role—The role to which the user will be assigned. This can be any role (viewer, user, publisher, custom role, or administrator role).
Legacy:
In earlier versions of portal, you could only assign the member to a user, publisher, or custom role without administrative privileges. You could not assign a member to the administrator role. You could assign them to the role after creating the account. Beginning at 10.3.1, you can assign a member to a role with administrative privileges.
- Level—The membership level to which the member will be assigned. Level 1 members can use existing content but do not have privileges to create or share it. Level 2 members have the ability to create, share, edit items, and so on. For more information, see Levels, roles, and privileges.
The format for the file is as follows:
First Name,Last Name,Email,Username,Password,Role,Level
Jon,Cho,jcho@email.com,jcho11,jcho.1234,publisher,2
Satish,Rajhandas,srajhandas@email.com,srajhandas,sraj.abcd,viewer,1
- Save the document as a plain-text CSV file and close it.
- Verify that you are signed in as an Administrator of your organization.
- Click Organization > Add Members.
- On the Add Members page, select the Add built-in portal members radio button and click Next.
- Click the From a file tab and click Browse to select the CSV file.
- Click Upload File and Review.
- Verify that the member account information is correct and click Add Members.
The member accounts are added to the portal. The users can now log in using the credentials you specified.
Add SAML-based enterprise accounts
If your portal has been configured with a SAML-compliant identity provider, enterprise accounts can be added one at a time or in bulk using a CSV file. You must first register your SAML identity provider with the portal before adding SAML-based enterprise accounts.
One at a time
- Verify that you are signed in as an administrator of your organization.
- Click Organization > Add Members.
- On the Add Members page, select the Add members for <identity provider name> enterprise logins via SAML radio button and click Next.
- Click the One at a time tab and provide the following information:
- Email—Email address for the user, for example, jcho@email.com. If an email is not available, use the email address of the Administrator.
- First Name—The user's first name (for example, Jon).
- Last Name—The user's last name (for example, Cho).
- Username—The user name alias for the account. The user name must match the existing enterprise user and format defined in the SAML identity provider (for example, jcho11). If the user name does not match, the account will be created in the portal but cannot be used. Verify the user name is correct before proceeding.
- Level—The membership level to which the member will be assigned. Level 1 members can use existing content but do not have privileges to create or share it. Level 2 members have the ability to create, share, edit items, and so on. For more information, see Levels, roles, and privileges.
- Role—The role to which the user will be assigned. This can be any role (viewer, user, publisher, custom role, or administrator role).
Legacy:
In earlier versions of portal, you could only assign the member to a user, publisher, or custom role without administrative privileges. You could not assign a member to the administrator role. You could assign them to the role after creating the account. Beginning at 10.3.1, you can assign a member to a role with administrative privileges.
- Click Add and Review.
- Verify that the member account information is correct and click Add Members.
The member account is added to the portal. The user can now log in to the website.
From a file
- Create a plain-text CSV file that contains information for each member account. The first line must contain header information with these field names: First Name, Last Name, Email, Username, Role, and Level. Subsequent lines include the actual member account information as follows:
- First Name—The user's first name (for example, Jon).
- Last Name—The user's last name (for example, Cho).
- Email—An email address for the user, for example, jcho@email.com. If an email is not available, use the email address of the Administrator.
- Username—The user name alias for the account. The user name must match the existing enterprise user and format defined in the SAML identity provider (for example, jcho11). If the user name does not match, the account will be created in the portal but cannot be used. Verify the user name is correct before proceeding.
- Role—The role to which the user will be assigned. This can be any role (viewer, user, publisher, custom role, or administrator role).
Legacy:
In earlier versions of portal, you could only assign the member to a user, publisher, or custom role without administrative privileges. You could not assign a member to the administrator role. You could assign them to the role after creating the account. Beginning at 10.3.1, you can assign a member to a role with administrative privileges.
- Level—The membership level to which the member will be assigned. Level 1 members can use existing content but do not have privileges to create or share it. Level 2 members have the ability to create, share, edit items, and so on. For more information, see Levels, roles, and privileges.
The format for the file is as follows:
First Name,Last Name,Email,Username,Role,Level
Jon,Cho,jcho@email.com,jcho11,publisher,2
Satish,Rajhandas,srajhandas@email.com,srajhandas,viewer,1
- Save the document as a plain-text CSV file and close it.
- Verify that you are signed in as an Administrator of your organization.
- Click Organization > Add Members.
- On the Add Members page, select the Add members for <identity provider name> enterprise logins via SAML radio button and click Next.
- Click the From a file tab and click Browse to select the CSV file.
- Click Upload File and Review.
- Verify that the member account information is correct and click Add Members.
The member accounts are added to the portal. The users can now log in to the website.
Add members from AD or LDAP identity providers
If your portal has been configured with an enterprise identity provider based on Active Directory (AD) or Lightweight Directory Access Protocol (LDAP), enterprise accounts can be added individually, in bulk, or from enterprise groups managed by the identity provider.
Note:
Accounts must include an email address in order to be added to the portal. Any special characters in account names will be changed to an underscore (_), except the at sign (@), point (.), or dash (-).
One at a time
- Verify that you are signed in as an administrator of your organization.
- Click Organization > Add Members.
- On the Add Members page, select the Add members based on existing enterprise users radio button and click Next.
- Click the One at a time tab and provide the following information:
- Username—The user name alias for the account. The user name must match the existing enterprise user and format defined in the identity provider (for example, jcho11). Click the magnifying glass to search for and select the desired user name.
- Role—The role to which the user will be assigned. This can be any role (viewer, user, publisher, custom role, or administrator role).
- Level—The membership level to which the member will be assigned. Level 1 members can use existing content but do not have privileges to create or share it. Level 2 members have the ability to create, share, edit items, and so on. For more information, see Levels, roles, and privileges.
- Click Add and Review.
- Verify that the member account information is correct and click Add Members.
The member account is added to the portal. The user can now log in to the website.
From a file
- Create a plain-text CSV file that contains information for each member account. The first line must contain header information with these field names: Username, Role, and Level. Subsequent lines include the actual member account information as follows:
- Username—The user name alias for the account. The user name must match the existing enterprise user and format defined in the enterprise identity provider (for example, jcho11).
- Role—The role to which the user will be assigned. This can be any role (viewer, user, publisher, custom role, or administrator role).
Legacy:
In earlier versions of portal, you could only assign the member to a user, publisher, or custom role without administrative privileges. You could not assign a member to the administrator role. You could assign them to the role after creating the account. Beginning at 10.3.1, you can assign a member to a role with administrative privileges.
- Level—The membership level to which the member will be assigned. Level 1 members can use existing content but do not have privileges to create or share it. Level 2 members have the ability to create, share, edit items, and so on. For more information, see Levels, roles, and privileges.
The format for the file is as follows:
Username,Role,Level
jcho11,publisher,2
srajhandas,viewer,1
- Save the document as a plain-text CSV file and close it.
- Verify that you are signed in as an Administrator of your organization.
- Click Organization > Add Members.
- On the Add Members page, select the Add members based on existing enterprise users radio button and click Next.
- Click the From a file tab and click Browse to select the CSV file.
- Click Upload File and Review.
- Verify that the member account information is correct and click Add Members.
The member accounts are added to the portal. The users can now log in to the website.
From a group
If your portal has been configured with AD or LDAP-based enterprise groups, you can add accounts from the enterprise groups you've connected to your portal. See Create groups for more information.
- Verify that you are signed in as an Administrator of your organization.
- Click Organization > Add Members.
- On the Add Members page, select the Add members based on existing enterprise users radio button and click Next.
- Click the From a group tab and provide the following information:
- Enterprise Group—The enterprise group name. Click the magnifying glass to search for and select the desired enterprise group.
- Role—The role to which the selected accounts will be assigned. This can be any role (viewer, user, publisher, custom role, or administrator role).
Legacy:
In earlier versions of portal, you could only assign members to a user, publisher, or custom role without administrative privileges. You could not assign members to the administrator role. You could assign them to the role after creating the accounts. Beginning at 10.3.1, you can assign members to a role with administrative privileges.
- Level—The membership level to which the member will be assigned. Level 1 members can use existing content but do not have privileges to create or share it. Level 2 members have the ability to create, share, edit items, and so on. For more information, see Levels, roles, and privileges.
- Click Review Additions. This generates a list of all of the selected accounts within the enterprise group. If duplicate accounts or accounts that you don't want to add are listed, remove them by clicking Remove.
If your enterprise group is from an LDAP server, members of nested groups are not added to the portal.
- Click Add Members. A page displays reporting the total number of accounts added. Duplicate accounts or accounts without an email address are not added to the portal.
The member accounts are added to the portal. The users can now log in to the website.
Add members in bulk using a command line utility
Adding members in bulk is useful if you want to add multiple built-in or enterprise accounts to the portal at once. The CreateUsers tool is located in the <Portal for ArcGIS installation location>/tools/accountmanagement directory. The tool takes a text file as input and must be run on the machine where the portal is installed. If either the name or description (described below) includes non-English characters, save the input file as UTF-8; otherwise, non-English characters will not save properly.
Note:
The utility can only be executed by a built-in administrator account; you cannot use an enterprise administrator account. The built-in account you use can be the initial administrator account you set up when you configured the portal or another built-in account that has been granted administrator privileges. If you deleted the initial administrator account and do not have any other built-in administrator accounts available, you will need to create one to execute the utility. For instructions, see the Built-in portal accounts section above.
Register enterprise accounts
By default, new installations of Portal for ArcGIS do not allow users to register their enterprise accounts automatically the first time they log in. Therefore, you'll need to pre-register your enterprise users with the CreateUsers command line utility tool or, alternatively, a Python script. If you want enterprise users to be able to register their own accounts, you can enable automatic registration of enterprise accounts.
- Create a text file that contains information for registering enterprise accounts. Use a separate line for each account, and separate values using pipes (|). The format for each entry is as follows:
<login>|<email address>|<name>|<role>|<description>|<Idp UserName>|<first name>|<last name>|<level>
login—The login is the enterprise login to be registered. Logins must contain alphanumeric ASCII characters or underscores and can be up to 128 characters in length.
- If you're using Active Directory, this login should be in the form sAMAccountName@DOMAIN. The domain name must be in all capital letters.
- If you're using LDAP, the login should match the value of the userNameAttribute you specified when configuring the identity store.
- If you're using SAML-based enterprise logins, the login value specified should match the NameID attribute in the SAML identity provider.
email address—The email address should be the email associated with the login and match the value in the identity store. If the user account does not have an email address, provide a false or generic value.
name—The name is the alias for the login that will be used in your ArcGIS organization. Most identity stores use the user's full name as the default alias. When the user is connected to the portal website, this name appears at the top of the website.
role—This is the role the enterprise login will have in the organization. Valid role values are viewer, user, publisher, admin, or <custom_role_name>, where <custom_role_name> is the name of the custom role (for example, hostedservicepublisher).
Note:
Ensure that the roles you specify correspond with their respective membership levels. For example, a user, publisher, or admin role corresponds with a minimum membership level of 2. For more information, see Levels, roles, and privileges.
description—Optionally, you can include text to describe the account. This value does not correspond to any attribute in the identity store. Descriptions cannot exceed 250 characters.
Idp UserName—Optionally, specify the user name of the enterprise account in the identity provider. If this value is not provided, the value specified for the login parameter is used instead.
first name—Optionally, you can specify the user's first name. If this value is left blank or set to no firstName, the Name parameter will be used. If the Name parameter consists of more than one word, the first word before a space will be used for the first name. If the first name is left blank or set to no firstName and the Name parameter is empty, the user will not be created.
last name—Optionally, you can specify the user's last name. If this value is left blank or set to no lastName, the Name parameter will be used. If the Name parameter consists of more than one word, the first word after a space will be used for the last name. If the last name is left blank or set to no lastName and the Name parameter is empty, the user will not be created. If both the first and last name for a user are left blank or set to no firstName and no lastName and the Name parameter contains one word, that word will be used for both the first and last names.
level—The membership level to which the member will be assigned. Level 1 members can use existing content but do not have privileges to create or share it. Level 2 members have the ability to create, share, edit items, and so on.
Note:
You're required to provide a value for the login, email address, name, role, and level. The description, Idp UserName, first name, and last name are optional. For each account listed in the file, verify that the values you entered for the login, email address, and name exactly match the values in your identity store. The portal will not connect to your identity store to validate these values.
The following is an example of an entry to register an Active Directory enterprise account for login jcho111, with an email address of jcho@domain.com and a full name of Jon Cho. The login is placed in the user role (user) in membership level 2 and is described as a user in department b.
jcho111@DOMAIN|jcho@domain.com|Jon Cho|user|department b|2
The following is an example of an entry to register an enterprise account from a SAML identity provider. The user's login is rsmith@domain.com, with an email address of rsmith@domain.com and a full name of Robert Smith. The login is placed in the publisher role (publisher) with an Idp UserName of rsmith@domain.com in membership level 2.
rsmith@domain.com|rsmith@domain.com|Robert Smith|publisher|rsmith@domain.com|2
The following is an example of an entry to register an LDAP enterprise account for login sjames4513, with an email address of sjames@domain.com and a full name of Sara James. The login is placed in the viewer role (viewer) in membership level 1 and a description is provided.
sjames4513@DOMAIN|sjames@domain.com|Sara James|viewer|Department Lead and GIS Manager|1
The following is an example of an entry to register an enterprise account for login srajhandas, with an email address of srajhandas@domain.com and a full name of Satish Rajhandas. The login is placed in the user role (user) in membership level 2.
srajhandas@DOMAIN|srajhandas@domain.com|Satish Rajhandas|user|2
The following is an example of an entry to register an enterprise account from a SAML identity provider. The user's login is djohnson308, with an email address of djohnson@domain.com and a full name of Daisha Johnson. The login is placed in the user role (user), with a description, an Idp UserName of djohnson@domain.com, and membership level 2.
djohnson308@DOMAIN|djohnson@domain.com|Daisha Johnson|user|Account Specialist|djohnson@domain.com|2
- Save the text file.
- Run the CreateUsers command line tool with the idp option set to enterprise (for example, ./CreateUsers.sh --file usr/adminfiles/users.txt --idp enterprise).
Note:
If you do not specify -idp, enterprise accounts are registered by default. Also be sure to use the correct case for command line options and file names.
Once users log in to the portal, they can add or change the security question and answer by editing their account profiles.
Add built-in portal accounts
- Create a text file that contains information for creating built-in portal members. Use a separate line for each account, and separate values using pipes (|). The format for each entry is as follows:
<account>|<password>|<email address>|<name>|<role>|<description>|<first name>|<last name>|<level>
- account—The account is the user name to be used for the built-in account. Accounts must contain alphanumeric ASCII characters or underscores and can be up to 128 characters in length.
- password—This is a password to be assigned to the account. Users can use this password the first time they sign in to the portal, and then they can change their password by editing their profile.
- email address—Provide an email address for this account. This parameter is required; therefore, you must provide a value for the email address even if it's not a valid address.
- name—The name is the alias for the account that will be used in your ArcGIS organization. When the user is connected to the portal website, this name appears at the top of the portal website.
- role—This is the role the account will have in the ArcGIS organization. Valid role values are viewer, user, publisher, admin, or <custom_role_name>, where <custom_role_name> is the name of the custom role (for example, hostedservicepublisher).
Note:
Ensure that the roles you specify correspond with their respective membership levels. For example, a user, publisher, or admin role must correspond with membership level 2. For more information, see Levels, roles, and privileges.
- description—Optionally, you can include text to describe the account. Descriptions cannot exceed 250 characters.
- first name—Optionally, you can specify the user's first name. If this value is left blank or set to no firstName, the Name parameter will be used. If the Name parameter consists of more than one word, the first word before a space will be used for the first name. If the first name is left blank or set to no firstName and the Name parameter is empty, the user will not be created.
- last name—Optionally, you can specify the user's last name. If this value is left blank or set to no lastName, the Name parameter will be used. If the Name parameter consists of more than one word, the first word after a space will be used for the last name. If the last name is left blank or set to no lastName and the Name parameter is empty, the user will not be created. If both the first and last name for a user are left blank or set to no firstName and no lastName and the Name parameter contains one word, that word will be used for both the first and last names.
- level—The membership level to which the member will be assigned. Level 1 members can use existing content but do not have privileges to create or share it. Level 2 members have the ability to create, share, edit items, and so on.
The following is an example of an entry that adds a built-in portal account with the user name pub1 for Barbara Williams and an email account of bwilliams@domain.com. It also adds pub1 to the publisher role in membership level 2:
pub1|changepasswordlater|bwilliams@domain.com|Barbara Williams|publisher|2
The following is an example of an entry that adds a built-in portal account with the user name jcho for Jon Cho and an email account of jcho@domain.com. It also adds jcho to the administrator role in membership level 2, describes it as the GIS manager, and lists the first and last names for the user:
jcho|changepasswordlater|jcho@domain.com|Jon Cho|admin|GIS Manager|Jon|Cho|2
- Save the text file.
- Run the CreateUsers command line tool with the idp option set to builtin (for example, ./CreateUsers.sh --file portalmembers.txt --idp builtin).
Note:
If you do not specify -idp, enterprise accounts are registered by default. Be sure to use the correct case for command line options and file names.
Once users log in to the portal, they can add or change the security question and answer by editing their account profiles. Users can also change their passwords by editing their account profiles.
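A pre-flight check for the CreateUsers input files described under Register enterprise accounts and Add built-in portal accounts, shown as an added example that is not part of the product documentation or the CreateUsers tool. It assumes the level is always the last field and does not interpret the optional fields in between; the function name, the review rules for admin grants and shared initial passwords, and the sample rows beyond the page's own entries are constructed for illustration.

```python
import re
from collections import defaultdict

# Leading columns per --idp mode, taken from the entry formats on this page.
# Assumption: the level is always the LAST field; the optional fields between
# role and level (description, Idp UserName, first/last name) are not interpreted.
LEADING = {
    "enterprise": ["login", "email", "name", "role"],
    "builtin": ["account", "password", "email", "name", "role"],
}
MAX_FIELDS = 9
LEVEL2_ROLES = {"user", "publisher", "admin"}    # need level 2 per the page's note
ACCOUNT_RE = re.compile(r"[A-Za-z0-9_]{1,128}")  # built-in account name rule


def lint_createusers(text, idp):
    """Return (errors, review): lists of (line_number, message) tuples."""
    cols = LEADING[idp]
    errors, review = [], []
    by_password = defaultdict(list)
    for n, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        fields = [f.strip() for f in raw.split("|")]
        if not len(cols) + 1 <= len(fields) <= MAX_FIELDS:
            errors.append((n, f"expected {len(cols) + 1}-{MAX_FIELDS} fields, got {len(fields)}"))
            continue
        rec = dict(zip(cols, fields))
        rec["level"] = fields[-1]
        for key, value in rec.items():
            # The built-in name may be blank when first/last name are supplied.
            if not value and not (idp == "builtin" and key == "name"):
                errors.append((n, f"{key} is empty"))
        role = rec["role"].lower()
        if rec["level"] not in ("1", "2"):
            errors.append((n, f"level must be 1 or 2, got {rec['level']!r}"))
        elif role in LEVEL2_ROLES and rec["level"] != "2":
            errors.append((n, f"role {role} requires membership level 2"))
        if idp == "builtin":
            if rec["account"] and not ACCOUNT_RE.fullmatch(rec["account"]):
                errors.append((n, "account must be 1-128 ASCII letters, digits or underscores"))
            by_password[rec["password"]].append(n)
        if role == "admin":
            # The portal does not validate entries against the identity store,
            # so every administrator grant in the file deserves a second look.
            review.append((n, f"{fields[0]} is granted the admin role"))
    for lines in by_password.values():
        if len(lines) > 1:
            review.append((lines[0], f"initial password shared by lines {lines}"))
    return errors, review


# First two rows are the page's own built-in examples; the third is constructed.
SAMPLE_BUILTIN = """\
pub1|changepasswordlater|bwilliams@domain.com|Barbara Williams|publisher|2
jcho|changepasswordlater|jcho@domain.com|Jon Cho|admin|GIS Manager|Jon|Cho|2
bad-name|S3parate.pw|x@domain.com|Bad Name|user|1
"""

# First two rows are the page's own enterprise examples; the last two are constructed.
SAMPLE_ENTERPRISE = """\
jcho111@DOMAIN|jcho@domain.com|Jon Cho|user|department b|2
sjames4513@DOMAIN|sjames@domain.com|Sara James|viewer|Department Lead and GIS Manager|1
ops1@DOMAIN|ops1@domain.com|Ops One|admin|1
short|x@domain.com|2
"""

if __name__ == "__main__":
    for idp, sample in (("builtin", SAMPLE_BUILTIN), ("enterprise", SAMPLE_ENTERPRISE)):
        errs, rev = lint_createusers(sample, idp)
        for n, msg in errs:
            print(f"{idp} line {n}: ERROR {msg}")
        for n, msg in rev:
            print(f"{idp} line {n}: REVIEW {msg}")
```

Because the built-in input file holds initial passwords in plain text, restrict who can read it and delete it once the accounts have been created.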