Member roles

A role defines the set of privileges assigned to a member. Privileges are assigned to members through a default role or a custom role. Members are assigned a role when they are added to the organization.

If you're not sure what role you were assigned or if you need more information about your role, click the Role Information button Role Information in the Role section of your profile.

Note:

Once a member joins, their role can be changed by administrators and those with privileges to change member roles. Changing roles to or from administrator can be done only by administrators.

Default roles

ArcGIS Enterprise defines a set of privileges for the following default roles:

Note:

A member's user type determines the default roles that can be assigned to them. User types compatible with each role are noted below.

  • Viewer—View items such as maps, apps, demographics, and elevation analysis layers that have been shared by other ArcGIS users. Those assigned the Viewer role can join groups owned by the organization, as well as use geocoding, geosearch, and network analysis (routing and directions). Members assigned the Viewer role cannot create or share content or perform analysis or data enrichment. The Viewer role is compatible with all user types.
  • Data Editor—Viewer privileges plus the ability to edit features shared by other ArcGIS users. The Data Editor role is compatible with all user types except Viewer.
  • User—Data Editor privileges plus the ability to create groups and content. Users can use the organization's maps, apps, layers, and tools, and join groups that allow members to update all items in the group. Members assigned the User role can also create maps and apps, edit features, add items, share content, and create groups. The User role is compatible with the Creator and GIS Professional user types.
  • Publisher—User privileges plus the ability to publish hosted web layers, ArcGIS Server layers, register data stores, publish from data store items, and perform feature and raster analysis. The Publisher role is compatible with the Creator and GIS Professional user types.
  • Administrator—Publisher privileges plus privileges to manage the organization and other users.

    An organization must have at least one administrator, though two is recommended. There is no limit to the number of members who can be assigned to the Administrator role within an organization; however, for security reasons, you should only assign this role to those who require the additional privileges associated with it. The Administrator role is compatible with the Creator and GIS Professional user types.

To choose a default role assigned to new members, go to Organization > Settings > New member defaults and choose a role from the Role drop-down menu.

Keep the following in mind:

  • You can only select a default role once a default user type is selected. Only roles that are compatible with the selected default user type will be listed in the drop-down menu.
  • When you federate a server with the portal, the portal's security store controls all access to the server. This provides a convenient sign-in experience but also impacts how you access and administer the federated server. For example, when you federate, any users, roles, and permissions that you previously configured on ArcGIS Server services are no longer valid. Access to services is instead determined by portal members' roles and sharing permissions.
  • At this release, privileges that correspond to unsupported apps and capabilities in ArcGIS Enterprise on Kubernetes are not supported.

Custom roles

You may want to refine the default roles in your organization into a more fine-grained set of privileges by creating custom roles. For example, your organization may want to assign some members the same privileges as a default Publisher but without allowing them to use GeoEnrichment. This could be achieved by creating a custom role based on the default Publisher role, turning off the GeoEnrichment privilege, and naming the custom role to reflect what privileges it confers; for example, you could name this role Publisher without GeoEnrichment or something similar.

Only members of the default administrator role, or those assigned a custom administrator role with the Member roles privilege, can create and modify custom roles. These administrators can configure custom roles based on any combination of available general and administrative privileges. To help create a custom role, administrators can use one of the available predefined templates containing privileges for common workflows, such as curating data or authoring content. The templates can be used as configured or can be customized as needed by adding or removing privileges. Once a custom role has been created, any organization member who has the Change roles privilege can assign the role to members.

When you create a custom role, privileges that are dependent on one another are enabled by default. For example, to publish a hosted feature layer, role members must also have the privilege to create, update, and delete content. If you disable either of those privileges, members of the role cannot publish a hosted feature layer. See Privileges for common workflows for a list of dependent privileges required for members to complete specific tasks.

You can create custom roles that include administrative privileges to manage the portal settings. This allows administrators to delegate a specific set of administrative tasks to users without giving them the full set of privileges in the default administrator role. For example, a user with a custom role that includes the Organization website privilege will have the ability to manage the portal's website settings without the ability to perform other administrative tasks, such as managing security or server settings.

The privileges that can be granted to a member through a custom role cannot exceed those associated with the member's assigned user type. For example, a member with a Viewer user type cannot be assigned a role with editing privileges.

Tip:

If you are a member of a custom role, you can get information about the privileges it includes by clicking the Role Information button in your profile.