One of the key aspects of planning a deployment of ArcGIS Enterprise is deciding how to manage accounts that will access your portal and what privileges are granted to the accounts. Determining how accounts will be managed is a matter of choosing an identity store.
Note:
Each member in ArcGIS Enterprise and ArcGIS Online requires their own license. That said, both products support organization-specific logins with SAML and OpenID Connect, so you can streamline authentication between systems. This means you can use the same username and password for both organizations; however, you can't log in to ArcGIS Enterprise and expect to see the same content you would see logging in to your ArcGIS Online account. They are separate organizations, each with its own identity store and set of associated content.
Understand identity stores
The identity store for your organization defines where the credentials of your portal accounts are stored, how authentication occurs, and how group membership is managed. The ArcGIS Enterprise organization supports two types of identity stores: built-in and organization-specific identity stores.
Built-in identity store
When you create built-in accounts and groups in the organization, you are using the built-in identity store, which performs authentication and stores account usernames, passwords, roles, and group membership. You must use the built-in identity store to create the initial administrator account for your organization, but you can later switch to an organization-specific identity store. The built-in identity store is useful to get your portal up and running, and also for development and testing. However, production environments typically use an organization-specific identity store.
Organization-specific identity store
ArcGIS Enterprise is designed so you can use organization-specific accounts and groups to control access to your ArcGIS organization. This process is described throughout the documentation as setting up organization-specific logins.
The advantage of this approach is that you do not need to create additional accounts in the portal. Members use the login that is already set up in the organization-specific identity store. The management of account credentials, including policies for password complexity and expiration, is completely external to the portal. Authentication can be handled at the portal tier, using portal tier authentication, or through an external identity provider, using SAML.
Similarly, you can also create groups in the portal that link to existing Windows Active Directory, LDAP, or SAML groups in your identity store. This allows the management of group membership to be completely external to the portal. When members sign in to the portal, access to content, items, and data is controlled by the membership rules defined in the Active Directory, LDAP, or SAML group. Also, organization-specific accounts can be added in bulk from the Active Directory, LDAP, or SAML groups in your organization.
For example, a recommended practice is to disable anonymous access to your organization, connect your portal to the desired Active Directory, LDAP, or SAML groups in your organization, and add the organization-specific accounts based on those groups. In this way, you restrict access to the portal based on specific Active Directory, LDAP, or SAML groups in your organization.
Support multiple identity stores
Using SAML 2.0, you can allow access to your portal using multiple identity stores. Users can sign in with built-in accounts and accounts managed in multiple SAML-compliant identity providers configured to trust one another. This is a good way to manage users who may reside within or outside your organization. For details, see Configure a SAML-compliant identity provider with a portal.
Understand access privileges
Once you've decided how accounts will be managed in ArcGIS Enterprise, you need to decide what privileges you want users who access your ArcGIS organization to have. Privileges are defined by whether the user accessing your portal is part of the ArcGIS organization.
Users who access the portal without an ArcGIS organizational account can only search for and use public items. For example, if a public web map is embedded in a website, users viewing the map are accessing an item in your portal even though they do not have an account. It is up to you to enable this type of access. You can disable access for anyone who does not belong to the ArcGIS organization at any time. To learn how to do this, see Disable anonymous access.
Users can access your portal with elevated privileges if they are members of your ArcGIS organization. Members of your ArcGIS organization are listed on the Organization page of the portal website. Members of an organization are organized by user types, which correspond to various roles with different privileges. To learn more, see User types, roles, and privileges.
When a new ArcGIS organizational account is added to your portal, it is granted the user role by default. However, the portal administrator can change the role at any time.
Manage ArcGIS organizational accounts
An ArcGIS organizational account is a user account that has been added to the organization panel of your portal website. Throughout the documentation and user experience in the portal website, these users are typically referred to as members of the organization.
As an administrator, it is important that you fully control not only the privileges granted to each member of your ArcGIS organization but also who is allowed to be a member of it.
The maximum number of ArcGIS organizational accounts in your portal is defined by the license file you used to license the portal. At any time, you can compare the total number of members assigned a user type and remaining available user type licenses from the Overview or Licenses tabs on the Organization page in the portal website. On the Overview tab, you can view the total licenses assigned and available in the Members overview. On the Licenses tab, you can view assigned and available licenses per user type on the User types tab.
Manage accounts when using the built-in store
When using the built-in store, those with administrative privileges to manage members can manage built-in accounts using the Members tab in the organization settings. To learn more about creating ArcGIS organizational accounts in bulk, see Add members to your portal. You can also remove members from your portal website or change their privileges at any time.
Manage accounts when using an organization-specific identity store
The ArcGIS Enterprise portal will not allow you to delete, edit, or create accounts in your identity store, but you can register existing organization-specific accounts in your organization.
As an administrator, you will typically select organization-specific logins that you want to add to the organization and add them in bulk. To learn more about creating ArcGIS organizational accounts in bulk, see Add members to your portal. You can also remove members from your portal website or change their privileges at any time.
Alternatively, you can add any organization-specific account that connects to your portal or any of its items automatically. To learn more, see Automatic registration of organization-specific accounts.
It's important to understand that when the portal is configured with an organization-specific identity store, anonymous access to the ArcGIS organization is disabled; that is, any user accessing your portal must authenticate against your identity store first. Once authenticated, the privileges of the user will be determined by whether or not they have an ArcGIS organizational account.
Account lockout policy
Software systems often enforce an account lockout policy to protect against mass automated attempts to guess a user's password. If a user makes a certain number of failed login attempts within a particular time interval, they may be denied further attempts for a designated time period. These policies are balanced against the reality that sometimes users will forget their usernames and passwords and fail to sign in successfully.
The enforced portal lockout policy depends on which type of identity store you're using:
Built-in identity store
The built-in identity store locks out a user after five consecutive invalid attempts. The lockout lasts for 15 minutes. This policy applies to all accounts in the identity store, including the initial administrator account. This policy cannot be modified or replaced.
Organization-specific identity store
When you use an organization-specific identity store, the account lockout policy is inherited from the store. You may be able to modify the account lockout policy for the store. Consult the documentation specific to the store type to learn how to change the account lockout policy.
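The following is an added illustration of the lockout behaviour described above for the built-in identity store (five consecutive invalid attempts, then a 15-minute lockout); it is example code written for this page, not Portal for ArcGIS source, and the class and function names are assumptions. It shows the two details an administrator usually wants confirmed: a correct password is still rejected while the lockout is in force, and a successful sign-in resets the consecutive-failure counter so an occasional forgotten password does not accumulate toward a lockout.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Parameters of the built-in identity store's policy as stated on the page.
MAX_CONSECUTIVE_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60


@dataclass
class AccountState:
    consecutive_failures: int = 0
    locked_until: Optional[float] = None  # epoch seconds; None when not locked


class LockoutPolicy:
    """Illustrative lockout tracker (hypothetical; not the portal's implementation)."""

    def __init__(self, max_failures: int = MAX_CONSECUTIVE_FAILURES,
                 lockout_seconds: int = LOCKOUT_SECONDS) -> None:
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.accounts: Dict[str, AccountState] = {}

    def is_locked(self, username: str, now: float) -> bool:
        """True while a lockout is in force; an expired lockout is cleared here."""
        state = self.accounts.get(username)
        if state is None or state.locked_until is None:
            return False
        if now >= state.locked_until:
            state.locked_until = None
            state.consecutive_failures = 0
            return False
        return True

    def record_attempt(self, username: str, password_ok: bool, now: float) -> str:
        """Evaluate one sign-in attempt and return 'locked', 'success' or 'failure'.

        The caller has already checked the password; this method only decides
        whether the policy allows the attempt to count and what its outcome is.
        """
        if self.is_locked(username, now):
            return "locked"  # denied regardless of whether the password was right
        state = self.accounts.setdefault(username, AccountState())
        if password_ok:
            state.consecutive_failures = 0  # a good sign-in resets the counter
            return "success"
        state.consecutive_failures += 1
        if state.consecutive_failures >= self.max_failures:
            state.locked_until = now + self.lockout_seconds
            return "locked"
        return "failure"


def demo() -> list:
    """Constructed attempt sequence for one account (timestamps are seconds)."""
    policy = LockoutPolicy()
    attempts = [
        ("alice", False, 0),       # 1st bad password
        ("alice", False, 10),      # 2nd
        ("alice", False, 20),      # 3rd
        ("alice", True, 30),       # correct password: counter resets to 0
        ("alice", False, 40),      # 1st bad password again
        ("alice", False, 50),      # 2nd
        ("alice", False, 60),      # 3rd
        ("alice", False, 70),      # 4th
        ("alice", False, 80),      # 5th consecutive failure: account locked
        ("alice", True, 90),       # correct password, but still inside the lockout
        ("alice", True, 80 + LOCKOUT_SECONDS),  # lockout expired: success
    ]
    return [policy.record_attempt(u, ok, t) for u, ok, t in attempts]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Because the page states that the built-in policy cannot be modified, the constructor defaults are the only values that matter for that store; the parameters are exposed only so the same tracker can model an organization-specific store whose lockout settings you have changed.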