Adding a data store item makes it easier to share GIS data across your organization. As with all data in your organization, though, you also need to keep the data secure. One way to do that is to make the data available to only those who need it. Consider each person's role in the organization, what data each person needs to access, and how the data will be used. Once you've determined that, configure the following:
- Access to and privileges on the source data
- The ability to create data store items
- Access to data store items
- Access to the web layers published from the data store
Access to source data
How you control access to the source data location depends on the type of data store.
Group files in separate folders based on who needs access to the files.
For each shared folder, grant read privileges to the network login used to run the ArcGIS Image Server sites with which you will register the file share. If anyone else needs to add imagery data to the folder, grant that person's login write access to the file share.
Grant read privileges on each file share to the logins of those who will use ArcGIS Pro to publish from files in the file share.
Create a database user who has only read access to the subset of feature classes and tables that you will publish in bulk from the data store item. Specific privileges vary by database, but the user needs the ability to connect to the database and select only the tables and feature classes to be published.
If you intend to enable editing on specific feature services after completing the bulk publishing operation, ensure that the account used to connect to the database has the correct editing privileges on only those feature classes or tables that populate the editable feature services.
Users who will access the source data in the database from ArcGIS Pro or ArcMap to publish editable feature layers require privileges on the data that allow them to edit.
Create separate buckets or BLOB storage containers and place different images in each cloud storage location based on who needs access to each set of images.
Register each cloud storage location as a separate data store item that you can then share with only those organization members who need access to that set of images.
Privileges to create data store items and publish layers
The organization administrator controls role membership for portal users. The default Publisher and Administrator roles automatically have the privileges required to create data store items, publish ArcGIS Server web layers, and bulk publish feature layers from database data store items in the portal. To have more control over who can create data store items, who can share the data stores with others, and what can be published from the data stores from other ArcGIS clients, organization administrators should use custom roles.
The following privileges under General Privileges > Content are required for a custom role whose members can create database data store items that will be used only for bulk publishing:
- Create, update, and delete
- Publish server-based layers
- Register data stores
- Create feature layers in bulk from a data store
The following privileges are required for a custom role whose members can create database data store items that will be used only for publishing from ArcGIS Pro or ArcMap:
- Create, update, and delete—Allows members to create and manage the data store item in the portal.
- Register data stores—Allows members to register the database with federated servers.
- Publish server-based layers—Allows members to publish ArcGIS Server web services that reference the source data.
Optionally, grant Share with groups to the custom role. This general Sharing privilege allows the data store creator to share the data store item with others so that they can publish to federated servers. Note that the users will need to have the exact database connection file (connecting to the same database as the same user) in ArcGIS Pro or ArcMap for this to be useful.
For folder and cloud data store items, you can have separate custom groups for those who create the data store items and those who publish from them. For roles whose members need to create data store items but do not need to publish, grant the following general Content and Sharing privileges:
- Create, update, and delete—Allows members to create and manage data store items.
- Register data stores—Allows members to register the folder or cloud location with federated servers.
- One or more of the following: Share with groups, Share with portal, Share with public—Which privileges you grant depends on who you want to allow access to the data store item: specific portal groups, all members of the organization, or anyone with access to the portal.
For roles whose members will create imagery layers from the data stores or publish from ArcGIS Pro, grant the following general Content privileges:
- Create, update, and delete—Allows members to create layer items in the portal.
- Publish server-based layers—Allows members to create or publish ArcGIS Server web services.
Access to data store items
Once you add the data store to the portal, share the data store item to make it available to the organization members who need to publish data from it. For database data store items, share the item with groups whose members will be publishing from data in ArcGIS Pro or publishing from service definition files in ArcGIS Server Manager. When members of the group publish to one of the federated servers with which you registered the data store, ArcGIS Pro and the federated server recognize that the group members have access to the data store and will allow them to publish without having to register a data store separately.
You could share the data store item with the organization but, in most cases, you should restrict access to specific groups.
Only group members can access the data store. Therefore, only those members can publish the data it contains.
When publishing from ArcGIS Pro, do not add data from the data store item and publish. Rather, you must access the underlying database connection file or file share location, add the data from there, and publish.
Access to web layers
Organization administrators and those who publish web layers determine who has access to the layers they publish from the data store by sharing the layers with groups, the organization, or everyone who has access to the portal.
If you use custom roles, publishers who will share the layers they create must belong to a role that has at least the general Sharing privilege to Share with groups. To allow group members to share the layers with all organization members, assign Share with portal. To allow group members to share the layers with anyone who has access to the portal, grant Share with public privileges.