You can allow users to add their own accounts using the portal website. You can also add built-in accounts individually or in bulk using the website. A command line utility is also available for you to add built-in or SAML-based enterprise accounts in bulk.
If you're using the portal's built-in store to manage members, the member's account is added to the built-in identity store and appears in the portal website. The account information is stored in the portal.
If you're using your organization's enterprise identity store or SAML provider to manage members, the account information is read from the enterprise identity provider and appears as an entry in the portal website. The account authentication information is not stored in the portal.
To learn more about how members are managed in the portal, see Managing access to your portal. For full instructions on how to add members to your portal, see the steps in the sections below.
Allow users to add their own accounts
Enterprise accounts
If your portal is configured with your organization's enterprise identity store, you can configure the portal to register these accounts with it the first time the enterprise accounts connect to it. By default, new installations of Portal for ArcGIS do not allow accounts from an enterprise identity store to be registered to the portal automatically. For full instructions on how to configure your portal to allow this, see Automatic registration of enterprise accounts.
Built-in portal accounts
By default, the portal does not allow users to create built-in accounts using the Sign In page. If your portal uses built-in accounts, you can enable users to add their own accounts by doing the following:
- Verify that you are signed in as an administrator of your organization.
- Click Organization > Settings > Member Roles.
- Choose a default user type and role to be assigned to new members from the Default user type and Default role for new members drop-down menus. Click Save defaults to apply this new setting.
- Click Organization > Settings > Security.
- Check the box next to Allow users to create new built-in accounts.
Note:
A warning will indicate that your portal will be restarted automatically upon clicking Save.
- Click Save.
Note:
Your portal will restart, which may take a couple of minutes. Once the restart is complete, the page will reload.
Once the steps above are complete, you can send the portal URL to the people in your organization who need to use the portal. These people can paste the URL in a web browser and create their own account by doing the following:
- From the portal home page, click Sign In. You'll also see this page if you attempt to save a map without logging in.
- Click Create an account.
- Provide your first name, last name, desired user name, password, and email address.
User names cannot have more than 128 characters or fewer than 6 characters. They can only contain alphanumeric ASCII characters or underscores.
- Choose an identity question and type an answer to the question.
- Click Create My Account.
An account is added to the portal's identity store, and the user is signed in to the portal.
Add accounts using the portal website
Using the website, you can add built-in or enterprise accounts to the portal. Accounts can be added individually or in bulk using a comma-separated values (CSV) file.
Note:
If you are adding more than 1,000 users at once, use the CreateUsers command line utility to do so.
Add built-in members
You can add built-in members one at a time or in bulk from a file.
One at a time
- Verify that you are signed in as an Administrator of your organization.
- Click Organization > Members > Add Members.
- On the Add Members page, under Method, select the Add built-in portal members option and click Next.
- Click the New member tab and provide the following information:
- First Name—The user's first name (for example, Jon).
- Last Name—The user's last name (for example, Cho).
- Email—An email address for the user, for example, jcho@email.com. If an email address is not available, use the email address of the Administrator.
- Username—The user name alias for the account. The user name is populated automatically based on the email address. You can modify it as desired (for example, jcho11). The user name must be between 6 and 128 ASCII characters. You must inform the user of their user name.
- User Type—The name of the user type to which the user will be assigned. Select any available user type from the drop-down list. You can click the compatible roles and compatible add-on licenses count to find out more about what is compatible with the selected user type. For more information, see User types, roles, and privileges.
- Role—The role to which the member will be assigned. This can be any role (viewer, user, publisher, custom role, or administrator role) that is compatible with the selected user type.
- Password—A password for the account (for example, jcho.1234). The password must be at least eight characters and have at least one number and letter. You must inform the user of their password. It's recommended that you encourage the user to change their password after logging in for the first time.
- Click Next to complete adding this user, or Next, add another to add more users.
- On the Compile member list page, select the members you would like to add and click Next.
- On the Set member properties page, you can assign licenses, apps, groups, and settings to the selected members. Click Next.
- Review the summary page to ensure the details are correct, then select Add Members to add the new members to your organization.
The member accounts are added to the portal. The users can now log in using the credentials you specified.
From a file
- Create a plain-text CSV file that contains information for each member account. The first line must contain header information with these field names: First Name, Last Name, Email, Username, Password, Role, and User type. Subsequent lines include the actual member account information as follows:
- First Name—The user's first name (for example, Jon).
- Last Name—The user's last name (for example, Cho).
- Email—An email address for the user, for example, jcho@email.com. If an email address is not available, use the email address of the Administrator.
- Username—The user name alias for the account. The user name is populated automatically based on the email address. You can modify it as desired (for example, jcho11). The user name must be between 6 and 128 ASCII characters. You must inform the user of their user name.
- Password—A password for the account (for example, jcho.1234). The password must be at least eight characters and have at least one number and letter. You must inform the user of their password. It's recommended that you encourage the user to change their password after logging in for the first time.
- Role—The role to which the user will be assigned. This can be any role (viewer, user, publisher, custom role, or administrator role).
Legacy:
In earlier versions of portal, you could only assign the member to a user, publisher, or custom role without administrative privileges. You could not assign a member to the administrator role. You could assign them to the role after creating the account. Beginning at 10.3.1, you can assign a member to a role with administrative privileges.
- User Type—The name of the user type to which the user will be assigned. This can include any user type available to your organization. For more information, see User types, roles, and privileges.
The format for the file is as follows:
First Name,Last Name,Email,Username,Password,Role,User Type
Jon,Cho,jcho@email.com,jcho11,jcho.1234,publisher,Creator
Satish,Rajhandas,srajhandas@email.com,srajhandas,sraj.abcd,viewer,Viewer
- Save the document as a plain-text CSV file and close it.
- Verify that you are signed in as an Administrator of your organization.
- Click Organization > Members > Add Members.
- On the Add Members page, under Method, select the Add built-in portal members option and click Next.
- Click the New members from a file tab and click Browse to select the CSV file. Click Open.
- Verify that each of the required fields has a check mark next to it, and click Next.
- On the Compile member list page, select the members you would like to add and click Next.
- On the Set member properties page, you can assign licenses, apps, groups, and settings to the selected members. Click Next.
- Review the summary page to ensure the details are correct, then select Add Members to add the new members to your organization.
The member accounts are added to the portal. The users can now log in using the credentials you specified.
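A pre-upload check for the built-in member CSV described above, as an added example that is not part of the original documentation or of Portal for ArcGIS. It applies the user name and password rules stated on this page and adds hygiene warnings that are not portal rules; the first two data rows are the page's sample, while the remaining rows, the `admin`/`administrator` role literals and the function name are assumptions.

```python
import csv
import io
from collections import defaultdict

REQUIRED = ["first name", "last name", "email", "username",
            "password", "role", "user type"]
# Assumption: literal values an administrator might type for the admin role.
ADMIN_ROLES = {"admin", "administrator"}

# Rows 2-3 are the page's sample; rows 4-5 are constructed for this example.
SAMPLE = """\
First Name,Last Name,Email,Username,Password,Role,User Type
Jon,Cho,jcho@email.com,jcho11,jcho.1234,publisher,Creator
Satish,Rajhandas,srajhandas@email.com,srajhandas,sraj.abcd,viewer,Viewer
Ana,Diaz,adiaz@email.com,adiaz,Welcome2024,admin,Creator
Lee,Park,lpark@email.com,lpark_gis,Welcome2024,viewer,Viewer
"""


def check_members_csv(text):
    """Return (errors, warnings); each item is a 'line N: message' string."""
    errors, warnings = [], []
    reader = csv.reader(io.StringIO(text))
    # Header names are compared case-insensitively ("User type" / "User Type").
    header = [h.strip().lower() for h in next(reader, [])]
    missing = [f for f in REQUIRED if f not in header]
    if missing:
        return ["line 1: missing header field(s): " + ", ".join(missing)], warnings

    users = defaultdict(list)      # lower-cased user name -> line numbers
    passwords = defaultdict(list)  # initial password -> line numbers
    for cells in reader:
        line = reader.line_num
        if not any(c.strip() for c in cells):
            continue  # ignore blank lines
        if len(cells) != len(header):
            errors.append(f"line {line}: expected {len(header)} fields, got {len(cells)}")
            continue
        row = {k: v.strip() for k, v in zip(header, cells)}
        user, pw = row["username"], row["password"]

        # Rules stated on the page.
        if not (6 <= len(user) <= 128 and user.isascii()):
            errors.append(f"line {line}: user name must be 6 to 128 ASCII characters")
        if (len(pw) < 8 or not any(c.isdigit() for c in pw)
                or not any(c.isalpha() for c in pw)):
            errors.append(f"line {line}: password needs 8+ characters, a number and a letter")
        if "@" not in row["email"]:
            errors.append(f"line {line}: an email address is required")

        # Added hygiene checks (not portal rules).
        hints = {user, row["email"].split("@")[0], row["first name"], row["last name"]}
        if any(len(h) >= 4 and h.lower() in pw.lower() for h in hints):
            warnings.append(f"line {line}: password is derived from the account's name or email")
        if row["role"].lower() in ADMIN_ROLES:
            warnings.append(f"line {line}: grants the administrator role; confirm this is intended")
        users[user.lower()].append(line)
        passwords[pw].append(line)

    # Values shared by several rows: duplicate user names, reused initial passwords.
    for table, what in ((users, "user name"), (passwords, "initial password")):
        for lines in table.values():
            if len(lines) > 1:
                warnings.append("lines " + ", ".join(map(str, lines)) + f": same {what}")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_members_csv(SAMPLE)
    for message in errs:
        print("ERROR  ", message)
    for message in warns:
        print("WARNING", message)
```

On the page's own sample, the second member's password `sraj.abcd` is reported because it contains no number. The CSV holds initial passwords in plain text, so delete it once the members have been added.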
Add SAML-based enterprise accounts
If your portal has been configured with a SAML-compliant identity provider, enterprise accounts can be added one at a time or in bulk using a CSV file. You must first register your SAML identity provider with the portal before adding SAML-based enterprise accounts.
One at a time
- Verify that you are signed in as an administrator of your organization.
- Click Organization > Members > Add Members.
- Select the Add members for <identity provider name> enterprise logins via SAML option and click Next.
- Click the New member tab and provide the following information:
- Email—Email address for the user, for example, jcho@email.com. If an email address is not available, use the email address of the Administrator.
- First Name—The user's first name (for example, Jon).
- Last Name—The user's last name (for example, Cho).
- Username—The user name alias for the account. The user name must match the existing enterprise user and format defined in the SAML identity provider (for example, jcho11). If the user name does not match, the account will be created in the portal but cannot be used. Verify the user name is correct before proceeding.
- User Type—The name of the user type to which the user will be assigned. Select any available user type from the drop-down list. You can click the compatible roles and compatible add-on licenses count to find out more about what is compatible with the selected user type. For more information, see User types, roles, and privileges.
- Role—The role to which the user will be assigned. This can be any role (viewer, user, publisher, custom role, or administrator role).
Legacy:
In earlier versions of portal, you could only assign the member to a user, publisher, or custom role without administrative privileges. You could not assign a member to the administrator role. You could assign them to the role after creating the account. Beginning at 10.3.1, you can assign a member to a role with administrative privileges.
- Click Next to complete adding this user, or Next, add another to add more users.
- On the Compile member list page, select the members you would like to add and click Next.
- On the Set member properties page, you can assign licenses, apps, groups, and settings to the selected members. Click Next.
- Review the summary page to ensure the details are correct, then select Add Members to add the new members to your organization.
The member accounts are added to the portal. The user can now log in to the website.
From a file
- Create a plain-text CSV file that contains information for each member account. The first line must contain header information with these field names: First Name, Last Name, Email, Username, Role, and User type. Subsequent lines include the actual member account information as follows:
- First Name—The user's first name (for example, Jon).
- Last Name—The user's last name (for example, Cho).
- Email—An email address for the user, for example, jcho@email.com. If an email address is not available, use the email address of the Administrator.
- Username—The user name alias for the account. The user name must match the existing enterprise user and format defined in the SAML identity provider (for example, jcho11). If the user name does not match, the account will be created in the portal but cannot be used. Verify the user name is correct before proceeding.
- Role—The role to which the user will be assigned. This can be any role (viewer, user, publisher, custom role, or administrator role).
Legacy:
In earlier versions of portal, you could only assign the member to a user, publisher, or custom role without administrative privileges. You could not assign a member to the administrator role. You could assign them to the role after creating the account. Beginning at 10.3.1, you can assign a member to a role with administrative privileges.
- User Type—The name of the user type to which the user will be assigned. This can include any user type available to your organization. For more information, see User types, roles, and privileges.
The format for the file is as follows:
First Name,Last Name,Email,Username,Role,User Type
Jon,Cho,jcho@email.com,jcho11,publisher,GIS Professional Advanced
Satish,Rajhandas,srajhandas@email.com,srajhandas,viewer,Viewer
- Save the document as a plain-text CSV file and close it.
- Verify that you are signed in as an Administrator of your organization.
- Click Organization > Members > Add Members.
- Select the Add members for <identity provider name> enterprise logins via SAML option and click Next.
- Click the New members from a file tab and click Browse to select the CSV file. Click Open.
- Verify that each of the required fields has a check mark next to it, and click Next.
- On the Compile member list page, select the members you would like to add and click Next.
- On the Set member properties page, you can assign licenses, apps, groups, and settings to the selected members. Click Next.
- Review the summary page to ensure the details are correct, then select Add Members to add the new members to your organization.
The member accounts are added to the portal. The users can now log in to the website.
Add members from AD or LDAP identity providers
If your portal has been configured with an enterprise identity provider based on Active Directory (AD) or Lightweight Directory Access Protocol (LDAP), enterprise accounts can be added individually, in bulk, or from enterprise groups managed by the identity provider.
Note:
Accounts must include an email address to be added to the portal. Any special characters in account names will be changed to an underscore (_), except the at sign (@), point (.), or dash (-).
One at a time
- Verify that you are signed in as an administrator of your organization.
- Click Organization > Members > Add Members.
- On the Add members page, select the Add members based on existing enterprise users option and click Next.
- Click the New member tab and provide the following information:
- Username—The user name alias for the account. The user name must match the existing enterprise user and format defined in the identity provider (for example, jcho11). Click the magnifying glass to search for and select the desired user name.
- Role—The role to which the user will be assigned. This can be any role (viewer, user, publisher, custom role, or administrator role).
- User Type—The name of the user type to which the user will be assigned. Select any available user type from the drop-down list. You can click the compatible roles and compatible add-on licenses count to find out more about what is compatible with the selected user type. For more information, see User types, roles, and privileges.
- Click Next to complete adding this user, or Next, add another to add more users.
- On the Compile member list page, select the members you would like to add and click Next.
- On the Set member properties page, you can assign licenses, apps, groups, and settings to the selected members. Click Next.
- Verify that the member account information is correct and click Add Members.
The member account is added to the portal. The user can now log in to the website.
From a file
- Create a plain-text CSV file that contains information for each member account. The first line must contain header information with these field names: Username, Role, and User Type. Subsequent lines include the actual member account information as follows:
- Username—The user name alias for the account. The user name must match the existing enterprise user and format defined in the enterprise identity provider (for example, jcho11).
- Role—The role to which the user will be assigned. This can be any role (viewer, user, publisher, custom role, or administrator role).
Legacy:
In earlier versions of portal, you could only assign the member to a user, publisher, or custom role without administrative privileges. You could not assign a member to the administrator role. You could assign them to the role after creating the account. Beginning at 10.3.1, you can assign a member to a role with administrative privileges.
- User Type—The name of the user type to which the user will be assigned. This can include any user type available to your organization. For more information, see User types, roles, and privileges.
The format for the file is as follows:
Username,Role,User Type
jcho11,publisher,Editor
srajhandas,viewer,Viewer
- Save the document as a plain-text CSV file and close it.
- Verify that you are signed in as an Administrator of your organization.
- Click Organization > Members > Add Members.
- Select the Add members based on existing enterprise users option and click Next.
- Click the New members from a file tab and click Browse to select the CSV file. Click Open.
- Verify that each of the required fields has a check mark next to it, and click Next.
- On the Compile member list page, select the members you would like to add and click Next.
- On the Set member properties page, you can assign licenses, apps, groups, and settings to the selected members. Click Next.
- Review the summary page to ensure the details are correct, then select Add Members to add the new members to your organization.
The member accounts are added to the portal. The users can now log in to the website.
From a group
If your portal has been configured with AD or LDAP-based enterprise groups, you can add accounts from the enterprise groups you've connected to your portal. See Create groups for more information.
- Verify that you are signed in as an Administrator of your organization.
- Click Organization > Members > Add Members.
- Select the Add members based on existing enterprise users option and click Next.
- Click the From a group tab and provide the following information:
- Enterprise Group—The enterprise group name. Click the magnifying glass to search for and select the desired enterprise group.
- Role—The role to which the selected accounts will be assigned. This can be any role (viewer, user, publisher, custom role, or administrator role).
Legacy:
In earlier versions of portal, you could only assign members to a user, publisher, or custom role without administrative privileges. You could not assign members to the administrator role. You could assign them to the role after creating the accounts. Beginning at 10.3.1, you can assign members to a role with administrative privileges.
- User Type—The user type to which the member will be assigned. For more information, see User types, roles, and privileges.
- On the Compile member list page, select the members you would like to add and click Next.
- On the Set member properties page, you can assign licenses, apps, groups, and settings to the selected members. Click Next.
- Review the summary page to ensure the details are correct, then select Add Members to add the new members to your organization.
If your enterprise group is from an LDAP server, members of nested groups are not added to the portal.
The member accounts are added to the portal. The users can now log in to the website.
Add members in bulk using a command line utility
Adding members in bulk is useful if you want to add multiple built-in or enterprise accounts to the portal at once. The CreateUsers tool is located in the <Portal for ArcGIS installation location>/tools/accountmanagement directory. The tool takes a text file as input and must be run on the machine where the portal is installed. If either the name or description (described below) includes non-English characters, save the input file as UTF-8; otherwise, non-English characters will not save properly.
Note:
The utility can only be executed by a built-in administrator account; you cannot use an enterprise administrator account. The built-in account you use can be the initial administrator account you set up when you configured the portal or another built-in account that has been granted administrator privileges. If you deleted the initial administrator account and do not have any other built-in administrator accounts available, you will need to create one to execute the utility. For instructions, see the Built-in portal accounts section above.
Register enterprise accounts
By default, new installations of Portal for ArcGIS do not allow users to register their enterprise accounts automatically the first time they log in. Therefore, you'll need to preregister your enterprise users with the CreateUsers command line utility tool or, alternatively, a Python script. If you want enterprise users to be able to register their own accounts, you can enable automatic registration of enterprise accounts.
- Create a text file that contains information for registering enterprise accounts. Use a separate line for each account, and separate values using pipes (|). The format for each entry is as follows:
<login>|<email address>|<name>|<role>|<user type id>|<description>|<Idp UserName>|<first name>|<last name>
login—The login is the enterprise login to be registered. Logins must contain alphanumeric ASCII characters or underscores and may contain up to 128 characters.
- If you're using Active Directory, this login should be in the form sAMAccountName@DOMAIN. The domain name must be in all capital letters.
- If you're using LDAP, the login should match the value of the userNameAttribute you specified when configuring the identity store.
- If you're using SAML-based enterprise logins, the login value specified should match the NameID attribute in the SAML identity provider.
email address—The email address should be the email associated with the login and match the value in the identity store. If the user account does not have an email address, provide a false or generic value.
name—The name is the alias for the login that will be used in your ArcGIS organization. Most identity stores use the user's full name as the default alias. When the user is connected to the portal website, this name appears at the top of the website.
role—This is the role the enterprise login will have in the organization. Valid role values are viewer, user, publisher, admin, or <custom_role_name>, where <custom_role_name> is the name of the custom role (for example, hostedservicepublisher).
Note:
Ensure roles specified correspond with a compatible user type. For more information, see User types, roles, and privileges.
description—Optionally, you can include text to describe the account. This value does not correspond to any attribute in the identity store. Descriptions cannot exceed 250 characters.
Idp UserName—Optionally, specify the user name of the enterprise account in the identity provider. If this value is not provided, the value specified for the login parameter is used instead.
first name—Optionally, you can specify the user's first name. If this value is left blank or set to no firstName, the Name parameter will be used. If the Name parameter consists of more than one word, the first word before a space will be used for the first name. If the first name is left blank or set to no firstName and the Name parameter is empty the user will not be created.
last name—Optionally, you can specify the user's last name. If this value is left blank or set to no lastName, the Name parameter will be used. If the Name parameter consists of more than one word, the first word after a space will be used for the last name. If the last name is left blank or set to no lastName and the Name parameter is empty the user will not be created. If both the first and last name for a user are left blank or set to no firstName and no lastName and the Name parameter contains one word, that word will be used for both the first and last names.
user type id—The id of the user type to which the member will be assigned.
Note:
You're required to provide a value for the login, email address, name, role, and user type. The description, Idp UserName, first name, and last name are optional. For each account listed in the file, verify that the values you entered for the login, email address, and name exactly match the values in your identity store. The portal will not connect to your identity store to validate these values.
The following is an example of an entry to register an Active Directory enterprise account for login jcho111, with an email address of jcho@domain.com and a full name of Jon Cho. The login is placed in the user role (user) and a Creator user type and is described as a user in department b.
jcho111@DOMAIN|jcho@domain.com|Jon Cho|user|department b|creatorUT
The following is an example of an entry to register an enterprise account from a SAML identity provider. The user's login is rsmith@domain.com, with an email address of rsmith@domain.com and a full name of Robert Smith. The login is placed in the publisher role (publisher) with an Idp UserName of rsmith@domain.com and a GIS Professional Basic user type.
rsmith@domain.com|rsmith@domain.com|Robert Smith|publisher|rsmith@domain.com|GISProfessionalBasicUT
The following is an example of an entry to register an LDAP enterprise account for login sjames4513, with an email address of sjames@domain.com and a full name of Sara James. The login is placed in the viewer role (viewer) and a Viewer user type, and a description is provided.
sjames4513@DOMAIN|sjames@domain.com|Sara James|viewer|Department Lead and GIS Manager|viewerUT
The following is an example of an entry to register an enterprise account for login srajhandas, with an email address of srajhandas@domain.com and a full name of Satish Rajhandas. The login is placed in the user role (user) and an Editor user type.
srajhandas@DOMAIN|srajhandas@domain.com|Satish Rajhandas|user|editorUT
The following is an example of an entry to register an enterprise account from a SAML identity provider. The user's login is djohnson308, with an email address of djohnson@domain.com and a full name of Daisha Johnson. The login is placed in the user role (user), with a description, the Idp UserName which is defined as djohnson@domain.com and a GIS Professional Standard user type.
djohnson308@DOMAIN|djohnson@domain.com|Daisha Johnson|user|Account Specialist|djohnson@domain.com|GISProfessionalStdUT
- Save the text file.
- Run the CreateUsers command line tool with the idp option set to enterprise (for example, ./CreateUsers.sh --file usr/adminfiles/users.txt --idp enterprise).
Note:
If you do not specify -idp, enterprise accounts are registered by default. Also be sure to use the correct case for command line options and file names.
Once users log in to the portal, they can add or change the security question and answer by editing their account profiles.
Add built-in portal accounts
- Create a text file that contains information for creating built-in portal members. Use a separate line for each account, and separate values using pipes (|). The format for each entry is as follows:
<account>|<password>|<email address>|<name>|<role>|<user type id>|<description>|<first name>|<last name>
- account—The account is the user name to be used for the built-in account. Accounts must contain alphanumeric ASCII characters or underscores and may contain up to 128 characters.
- password—This is a password to be assigned to the account. Users can use this password the first time they sign in to the portal, and then they can change their password by editing their profile.
- email address—Provide an email address for this account. This parameter is required; therefore, you must provide a value for the email address even if it's not a valid address.
- name—The name is the alias for the account that will be used in your ArcGIS organization. When the user is connected to the portal website, this name appears at the top of the portal website.
- role—This is the role the account will have in the ArcGIS organization. Valid role values are viewer, user, publisher, admin, or <custom_role_name>, where <custom_role_name> is the name of the custom role (for example, hostedservicepublisher).
Note:
Ensure roles specified correspond with a compatible user type. For more information, see User types, roles, and privileges.
- description—Optionally, you can include text to describe the account. Descriptions cannot exceed 250 characters.
- first name—Optionally, you can specify the user's first name. If this value is left blank or set to no firstName, the Name parameter will be used. If the Name parameter consists of more than one word, the first word before a space will be used for the first name. If the first name is left blank or set to no firstName and the Name parameter is empty the user will not be created.
- last name—Optionally, you can specify the user's last name. If this value is left blank or set to no lastName, the Name parameter will be used. If the Name parameter consists of more than one word, the first word after a space will be used for the last name. If the last name is left blank or set to no lastName and the Name parameter is empty the user will not be created. If both the first and last name for a user are left blank or set to no firstName and no lastName and the Name parameter contains one word, that word will be used for both the first and last names.
- user type id—The id of the user type to which the member will be assigned.
The following is an example of an entry that adds a built-in portal account with the user name pub1 for Barbara Williams and an email account of bwilliams@domain.com. It also adds pub1 to the publisher role and the GIS Professional Advanced user type:
pub1|changepasswordlater|bwilliams@domain.com|Barbara Williams|publisher|GISProfessionalAdvUT
The following is an example of an entry that adds a built-in portal account with the user name jcho for Jon Cho and an email account of jcho@domain.com. It also adds jcho to the administrator role and the Creator user type, describes it as the GIS manager, and lists the first and last names for the user:
jcho|changepasswordlater|jcho@domain.com|Jon Cho|admin|GIS Manager|Jon|Cho|creatorUT
- Save the text file.
- Run the CreateUsers command line tool with the idp option set to builtin (for example, ./CreateUsers.sh --file portalmembers.txt --idp builtin).
Note:
If you do not specify -idp, enterprise accounts are registered by default. Be sure to use the correct case for command line options and file names.
Once users log in to the portal, they can add or change the security question and answer by editing their account profiles. Users can also change their passwords by editing their account profiles.