Skip To Content

Configure security settings

As a default administrator or member with the correct privileges, you determine whether HTTPS is required for all transactions and whether anonymous access is allowed to your portal. You can also configure security settings for sharing and searching, password policies, sign in options, access notices, information banners, and trusted servers, and configure a list of portals with which you want to share secure content.


Visit ArcGIS Trust Center for more in-depth security, privacy, and compliance information.

  1. Verify that you are signed in as a default administrator or as a member of a custom role with the administrative privilege to manage security and infrastructure enabled.
  2. At the top of the site, click Organization and click the Settings tab.
  3. Click Security on the left side of the page.
  4. Configure any of the following security settings:

Access and permissions

Change any of the following policy settings as needed:

  • Allow access to the organization through HTTPS only—By default, Portal for ArcGIS enforces HTTPS-only communication to ensure that your organization's data as well as any temporary identification tokens that allow access to your data are encrypted during communications over the internet. Turning off this toggle button allows both HTTP and HTTPS communication. Changes to this setting may affect the performance of the site.
  • Allow anonymous access to your organization—Enable this option to allow anonymous users access to your organization's website. If this option is not enabled, anonymous access is disabled, and anonymous users cannot access the website. They also cannot view your maps with Bing Maps (if your organization is configured for Bing Maps). If you enable anonymous access, make sure that the groups selected for the site configuration groups are shared with the public; otherwise, anonymous users may not be able to properly view or access the public content of those groups.

  • Allow members to edit biographical information and who can see their profile—Enable this option to allow members to modify the biographical information in their profile and specify who can see their profile.
  • Allow users to create new built-in accounts—Enable this option to allow users to create a built-in portal account from the portal sign-in page. Disable this option if you are using enterprise accounts or want to create all accounts manually.

Sharing and searching

Change any of the following sharing and search settings as needed:

  • Members can share content publicly—Enable this option to allow members to make their profile visible to everyone (public), share their web apps and other items with the public, or embed their maps or groups in websites.

  • Show social media links on item and group pages—Enable this option to include links to Facebookand Twitter on item and group pages.

Password policy

When members change their passwords, they must conform to the organization's policy. If they don't, a message appears with the policy details. The password policy of the organization does not apply to enterprise logins or app credentials that use app IDs and app secrets.

Click Manage password policy to configure the password length, complexity, and history requirements for members with built-in accounts. You can specify the character length and whether the password must contain at least one of any of the following: uppercase letter, lowercase letter, number, or special character. You can also configure the number of days before the password expires and the number of past passwords that the member cannot reuse. Passwords are case sensitive and cannot be the same as the user name. Click Use portal defaults to reset the organization to use the standard Portal for ArcGIS password policy (at least eight characters with at least one letter and one number; spaces are not allowed).


Weak passwords may not be accepted. A password is considered weak if it's a commonly used password such as password1 or includes repetitive or sequential characters—for example, aaaabbbb or 1234abcd.


At 10.8.1, if email settings are configured in your organization, an automatic email notification will be sent to your administrative contacts when the password policy is changed. If no administrative contacts are set, the oldest administrator account in the organization or the Initial Administrator Account will receive the email notification.


Use the Set enterprise login button to configure a SAML-compliant identity provider with your portal if you want members to sign in to the portal using the same logins they use to access your enterprise information systems.

If you configured a SAML-compliant identity provider with your portal, you see a Sign in options section where you can configure the options that appear on the portal sign in page. Turn on the toggle buttons for the options you want to display. For example, if you want all members to sign in only with their login for the SAML-compliant identity provider, disable the second option. If enterprise logins are not enabled for the organization, the Sign in options section is not visible.

Access notice

You can configure and display a notice of terms for users who access your site.

You can configure an access notice for organization members or all users who access your organization, or both. If you set an access notice for organization members, the notice is displayed after members sign in. If you set an access notice for all users, the notice is displayed when any user accesses your site. If you set both access notices, organization members see both notices.

To configure an access notice for organization members or all users, click Set access notice in the appropriate section, turn on the toggle button to display the access notice, and provide a notice title and text. Choose the ACCEPT and DECLINE option if you want users to accept the access notice before proceeding to the site, or select OK only if you want users to only click OK to proceed. Click Save when finished.

To edit the access notice for organization members or all users, click Edit access notice in the appropriate section and make changes to the title, text, or action button options. If you no longer want the access notice displayed, use the toggle button to disable the access notice. After disabling the access notice, the previously entered text and configuration will be retained if the access notice is re-enabled in future. Click Save when finished.

Information banner

You can use information banners to alert all users who access your organization about your site's status and content. For example, inform users about maintenance schedules, classified information alerts, and read-only modes by creating custom messages to appear at the top and bottom of your site. The banner appears on the Home, Gallery, Map Viewer, Scene Viewer, Groups, Content, and Organization pages, and on sites created in ArcGIS Enterprise Sites if enabled in the app.


At 10.8, this information banner replaces the workflow to set the classificationBanner property in the configuration file.

To enable the information banner for your organization, click Set information banner and turn on Display information banner. Add text in the Banner text field and choose a background color and font color. A contrast ratio appears for your selected text and background color. Contrast ratio is a measure of legibility based on WCAG 2.1 accessibility standards; a contrast ratio of 4.5 is recommended to adhere to these standards.

You can preview the information banner in the Preview pane. Click Save to add the banner to your organization.

To edit the information banner, click Edit information banner and make changes to the banner text or styling. If you no longer want the information banner displayed, use the toggle button to disable the information banner. After disabling the information banner, the previously entered text and configuration will be retained if the information banner is re-enabled in future. Click Save when finished.

Trusted servers

For Trusted servers, configure the list of trusted servers you want your clients to send credentials to when making Cross-Origin Resource Sharing (CORS) requests to access services secured with web-tier authentication. This applies primarily to editing secure feature services from a stand-alone (unfederated) ArcGIS Server or viewing secure OGC services. ArcGIS Server hosting services secured with token-based security do not need to be added to this list. Servers added to the trusted servers list must support CORS. Layers hosted on servers without CORS support may not function as expected. ArcGIS Server supports CORS by default at versions 10.1 and later. To configure CORS on non-ArcGIS servers, refer to the vendor documentation for the web server.

The host names must be entered individually. Wildcards cannot be used and are not accepted. The host name can be entered with or without the protocol in front of it. For example, the host name can be entered as or


Editing feature services secured with web-tier authentication requires a web browser enabled with CORS. The latest versions of Firefox, Chrome, Safari, and Internet Explorer are CORS enabled. To test if your browser has CORS enabled, open

Allow origins

By default, ArcGIS REST API is open to Cross-Origin Resource Sharing (CORS) requests from web applications on any domain. If your organization wants to limit the web application domains that are allowed to access ArcGIS REST API through CORS, you must specify these domains explicitly. For example, to restrict CORS access to web applications on only, click Add and enter in the text box and click Add domain. You can specify up to 100 trusted domains for your organization. It's not necessary to specify as a trusted domain, as applications running on the domain are always allowed to connect to ArcGIS REST API.

Allow portal access

Configure a list of portals (for example with which you want to share secure content. This allows members of your organization to use their enterprise logins (including SAML logins) to access the secure content when viewing it from these portals. Portals that your organization collaborates with are included automatically and do not need to be added to this list. This is only applicable for portals at Portal for ArcGIS version 10.5 and later. This setting is not needed for sharing secured content with an ArcGIS Online organization.

The portal URLs must be entered individually and must include the protocol. Wildcards cannot be used and are not accepted. If the portal being added allows both HTTP and HTTPS access, two URLs must be added for that portal (for example and Any portal added to the list is validated first and, therefore, must be accessible from the browser.