Controlling access to data published from data store items

Adding a data store item makes it easier to share GIS data across your organization. As with all data in your organization, though, you also need to keep the data secure. One way to do that is to make the data available to only those who need it. Consider each person's role in the organization, what data each person needs to access, and how the data will be used. Once you determine that, configure the following:

  • Access to and privileges on the source data
  • The ability to create data store items
  • Access to data store items
  • Access to the web layers published from the data store

Access to source data

How you control access to the source data location depends on the type of data store.

File shares

Group files in separate folders based on who needs access to the files.

Grant read privileges on each file share to the logins of those who will use ArcGIS Pro to publish from files in the file share.

Databases and cloud data warehouses

When connecting to a database, create a database user who has only read access to the subset of feature classes and tables that you will publish in bulk from the data store item. Specific privileges vary by database, but the user needs the ability to connect to the database and select only the tables and feature classes to be published.

If you intend to enable editing on specific feature services after completing the bulk publishing operation, ensure that the account used to connect to the database has the correct editing privileges on only those feature classes or tables that populate the editable feature services.

Users who will access the source data in the database from ArcGIS Pro to publish editable feature layers require privileges on the data that allow them to edit.

The credentials used to access the source data in a cloud data warehouse from ArcGIS Pro to publish require privileges on the data that allow read-only access to specific spatial and nonspatial tables.
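One way to set up the least-privilege database logins described above, as an added example that is not from this documentation: it assumes a PostgreSQL geodatabase named gisdata with a gis schema, and the role and table names are constructed for illustration.

```sql
-- Added example, not from the Esri documentation. Assumes PostgreSQL; the
-- database (gisdata), schema (gis), role names and table names are assumptions.

-- 1. Read-only login used for the data store item and bulk publishing.
--    It can connect and read only the tables that will be published.
CREATE ROLE ds_publish_ro LOGIN PASSWORD '<replace-with-strong-password>';
GRANT CONNECT ON DATABASE gisdata TO ds_publish_ro;
GRANT USAGE ON SCHEMA gis TO ds_publish_ro;
-- SELECT on named tables only, not on ALL TABLES IN SCHEMA.
GRANT SELECT ON gis.parcels, gis.roads, gis.zoning_codes TO ds_publish_ro;

-- 2. Separate login for editable feature services: write privileges only on
--    the feature class that backs the editable layer (here, gis.parcels).
CREATE ROLE ds_publish_edit LOGIN PASSWORD '<replace-with-strong-password>';
GRANT CONNECT ON DATABASE gisdata TO ds_publish_edit;
GRANT USAGE ON SCHEMA gis TO ds_publish_edit;
GRANT SELECT ON gis.parcels, gis.roads, gis.zoning_codes TO ds_publish_edit;
GRANT INSERT, UPDATE, DELETE ON gis.parcels TO ds_publish_edit;

-- 3. Check: list exactly what each login can see or change, so that an
--    over-broad grant (for example, on the whole schema) is caught early.
SELECT grantee, table_schema, table_name, privilege_type
FROM information_schema.role_table_grants
WHERE grantee IN ('ds_publish_ro', 'ds_publish_edit')
ORDER BY grantee, table_name, privilege_type;
```

In an enterprise geodatabase, editing versioned data also requires privileges on the dataset's supporting tables; granting through the geodatabase tools in ArcGIS Pro covers those, whereas the plain GRANT statements above cover only the base tables.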

Cloud storage

Create separate buckets or Blob storage containers and place caches for different map and scene services in each cloud storage location based on who needs access to each tile or scene layer.

Privileges to create data store items and publish layers

The organization administrator controls role membership for portal users. The default Publisher and Administrator roles automatically have the privileges required to create data store items, publish ArcGIS Server web layers, and bulk publish feature layers from database data store items in the portal. To have more control over who can create data store items, who can share the data stores with others, and what can be published from the data stores from other ArcGIS clients, organization administrators should use custom roles.

The following general content privileges are required for a custom role whose members can create database data store items that will be used only for bulk publishing:

  • Create, update, and delete
  • Publish server-based layers
  • Register data stores
  • Create feature layers in bulk from a data store

The following privileges are required for a custom role whose members can create database data store items that will be used only for publishing from ArcGIS Pro:

  • Create, update, and delete—Allows members to create and manage the data store item in the portal.
  • Register data stores—Allows members to register the database with federated servers or the organization.
  • Publish server-based layers—Allows members to publish web services that reference the source data.

Optionally, grant Share with groups to the custom role. This general Sharing privilege allows the data store creator to share the data store item with others so that they can publish to federated servers. Be aware that the users will need to have the exact database connection file (connecting to the same database as the same user) in ArcGIS Pro for this to be useful.

For folder and cloud data store items, you can have separate custom groups for those who create the data store items and those who publish from them. For roles whose members need to create data store items but do not need to publish, grant the following general Content and Sharing privileges:

  • Create, update, and delete—Allows members to create and manage data store items.
  • Register data stores—Allows members to register the folder or cloud location with federated servers. If the administrator has registered a folder with the organization, this privilege allows members to register subfolders within that registered folder with the organization.
  • One or more of the following: Share with groups, Share with portal, Share with public—Which privileges you grant depends on who you want to allow access to the data store item: specific portal groups, all members of the organization, or anyone with access to the portal.

For roles whose members will publish from ArcGIS Pro, grant the following general Content privileges:

  • Create, update, and delete—Allows members to create layer items in the portal.
  • Publish server-based layers—Allows members to create or publish web services that reference the source data.

Access to data store items

Once you add the data store to the portal, share the data store item to make it available to the organization members who need to publish data from it. For database data store items, share the item with groups whose members will be publishing from data in ArcGIS Pro. When members of the group publish to one of the servers with which you registered the data store, ArcGIS Pro and the server recognize that the group members have access to the data store and will allow them to publish without having to register a data store separately.

You can share the data store item with the organization but, in most cases, it is recommended that you restrict access to specific groups.

  1. Create a group in the organization.
  2. Add or invite organization members to the group who have privileges to publish ArcGIS Server web layers.
  3. Share the data store item with the group.

Only group members can access the data store. Therefore, only those members can publish the data it contains.

Note:

When publishing from ArcGIS Pro, do not add data from the data store item and publish. Rather, you must access the underlying database connection file or file share location, add the data from there, and publish.

Access to web layers

Organization administrators and those who publish web layers determine who has access to the layers they publish from the data store by sharing the layers with groups, the organization, or everyone who has access to the portal.

If you use custom roles, publishers who will share the layers they create must belong to a role that has at least the general Sharing privilege to Share with groups. To allow group members to share the layers with all organization members, assign Share with portal. To allow group members to share the layers with anyone who has access to the portal, grant Share with public privileges.