Privileges granted to roles

Privileges are granted to members through roles. Privileges allow role members to perform various tasks and workflows in an organization. For example, some members have privileges to create and publish content, while others have privileges to view content but cannot create their own.

Default roles include a specific set of privileges that cannot be altered. When the organization administrator creates custom roles, the administrator specifies which privileges the custom role includes.

There are two levels of privileges: General privileges and Administrative privileges.

To view the privilege values, see ArcGIS Enterprise supported privileges.

General privileges

Members who perform specific tasks in the organization—create maps or edit features, for example—can be assigned the general privileges they need to work and share with groups, content, and features.

The following table lists privileges, grouped by privilege type, and provides a description of each privilege. The table also lists which default roles include the privilege.

General privileges | Default roles that include the privilege

Members

View

This privilege grants the ability to view members of the organization. When checked, the View privilege allows members to view the Members tab on the Organization page. If not checked, members cannot see the Organization page.

User, Publisher, Administrator

Groups

Create, update, and delete

This privilege allows members to create groups in the portal and control the groups they own.

User, Publisher, Administrator

Join organizational groups

Members of roles that are granted this privilege can be added to organizational groups or request to join groups in the organization. Members can only request to join organizational groups if you also grant the role the View groups shared with portal privilege. If the role does not have the privilege, members do not see the groups and, therefore, cannot request to join them.

All default roles

Note:

Only members of the User, Publisher, and Administrator default roles can join shared update groups.

View groups shared with portal

This privilege allows members to discover groups that are configured to allow portal members to view them.

User, Publisher, Administrator

Content

Create, update, and delete

This privilege allows members to create items in the portal and control the items they own. This privilege is required if you grant any of the privileges that allow members to publish, register data stores, or create notebooks.

User, Publisher, Administrator

Publish hosted feature layers

This privilege allows members to publish hosted feature layers to the portal from within the portal and from other apps, such as ArcGIS Pro. This privilege is also required when using apps that create hosted feature layers, such as ArcGIS Survey123 and ArcGIS Workforce.

Publisher, Administrator

Publish hosted tile layers

This privilege allows members to publish hosted tile layers from tile packages, features, and other clients such as ArcGIS Pro; to publish hosted 3D tiles layers from 3D tiles packages and ArcGIS Pro; and to manage layers published from packages.

Publisher, Administrator

Publish hosted scene layers

This privilege allows members to publish hosted scene layers to the portal from within the portal and from other apps, such as ArcGIS Pro.

Publisher, Administrator

Publish hosted dynamic imagery layers

Note:

This privilege requires that your deployment be configured for raster analysis.

Publisher, Administrator

Publish server-based layers

This privilege allows members to publish ArcGIS Server web layers to ArcGIS Server sites that are federated with the portal. This privilege is also required for members who will bulk publish layers from a data store item.

Publisher, Administrator

Publish hosted knowledge graphs

This privilege allows members to publish hosted knowledge graphs in ArcGIS Pro. This privilege is only visible if an ArcGIS Knowledge Server site is configured for your organization.

Publisher, Administrator

View content shared with organization

This privilege allows members to access items that are shared with the portal organization.

All default roles

Register data stores

This privilege allows members of the role to add data store items to the portal.

Publisher, Administrator

Create feature layers in bulk from a data store

This privilege allows the owner of a database data store item to publish feature and map image layers from all feature classes and tables that can be accessed in the database.

Publisher, Administrator

View location tracks

This privilege grants the ability to view members' location tracks using shared track views when location sharing is enabled.

Administrator

Create and edit notebooks

This privilege allows members to open and run notebooks, including shared notebooks and notebooks created from a notebook file (*.ipynb) imported into the portal, and create and edit notebooks using the ArcGIS Notebooks Standard runtime. This privilege is also required for users who will be running web tools published from a notebook.

Note:

This privilege is only visible if Notebook Server is configured for your organization. Additional privileges (such as managing content or running specialized analysis tools) may be required depending on the workflows performed by the notebook author.

Administrator

Schedule notebooks

This privilege allows role members to schedule ArcGIS Notebooks to be run in the future. To schedule a particular notebook, the user must own the notebook or have administrative privileges.

Note:

This privilege is only visible if Notebook Server is configured for your organization. The Create and edit notebooks privilege must be enabled for this privilege to be set.

Administrator

Reassign content

Allows members to transfer ownership of content they own to another member in the same organization. The member to whom ownership is transferred must have the privilege to receive content.

Administrator

Receive content

Allows members to receive content transferred to them from members who have the privilege to reassign content.

This privilege is not required to receive content transferred by organization administrators.

Administrator

Generate API keys

Allows members to create and embed API keys as a longer-term authentication option in app items.

Administrator

Assign privileges to OAuth 2.0 applications

Allows members to define privileges for OAuth 2.0 credentials in app items. The privileges a member can assign are based on their privileges to perform location service analyses.

This privilege also allows members to specify which of their own items can be accessed by the OAuth app.

Administrator

Sharing

Share with groups

This privilege allows members to share items they own with any groups to which the member belongs.

User, Publisher, Administrator

Share with portal

This privilege allows members to share any items they own with the portal organization.

User, Publisher, Administrator

Share with public

This privilege allows members to share items they own with everyone, even users who do not sign in to the portal.

User, Publisher, Administrator

Make groups visible to portal

When you create a group, you specify who can see the group or search for the group. This privilege is required to allow group creators to configure the group to allow portal members to view the group. This privilege is only useful if the role also includes the privilege to create, update, and delete groups.

User, Publisher, Administrator

Make groups visible to public

When you create a group, you specify who can see the group or search for the group. This privilege is required to allow group creators to configure the group to allow anonymous portal users to view the group. This privilege is only useful if the role also includes the privilege to create, update, and delete groups.

User, Publisher, Administrator

Content and Analysis

Geocoding

Use ArcGIS World Geocoding Service to convert addresses or places to map points and store the results—for example, when publishing spreadsheets (.csv or Microsoft Excel files) as hosted feature layers. This does not apply to your locators configured for the organization.

All default roles

Network Analysis

This privilege grants the ability to perform network analysis tasks such as creating drive-time areas.

All default roles

Standard Feature Analysis

This privilege grants the ability to perform spatial analysis tasks such as creating buffers.

User, Publisher, Administrator

GeoEnrichment

This privilege grants the ability to use the GeoEnrichment service to access demographic information.

User, Publisher, Administrator

Imagery Analysis

This privilege grants the ability to use raster analysis tools. This privilege requires that your deployment be configured for raster analysis.

Publisher, Administrator

Advanced notebooks

This privilege grants the ability to author notebooks using advanced runtimes.

Note:

This privilege is only visible if a Notebook Server is configured for your organization. Additional privileges (such as managing content or running specialized analysis tools) may be required depending on the workflows performed by the notebook author.

Administrator

Run web tools

This privilege allows a member to run web tools published from notebooks.

Note:

This privilege is only visible if a Notebook Server is configured for your organization. Additional privileges (such as managing content or running specialized analysis tools) may be required depending on the workflows performed by the notebook author.

Administrator

Features

Edit

This privilege grants the ability to edit features based on permissions set on the layer and update schema on a knowledge graph layer.

Data Editor, User, Publisher, Administrator

Edit with full control

Add, delete, and update features and attributes in editable hosted feature layers, even if the layers are configured to allow fewer editing operations. This privilege also allows members to update schema on a knowledge graph layer.

Administrator

Version Management

Manage all

This privilege allows role members to view, alter, and delete all branch versions accessed through an ArcGIS Server web feature layer. This privilege also allows role members to manage version locks on these layers.

When you enable this privilege, the following privileges are also enabled by default:

  • The Edit privilege, under Features, is granted to allow role members to edit data in all versions and perform reconcile and post operations between the default and named branch versions.
  • The Edit with full control privilege, under Features, is also granted to allow role members to perform all editing operations when the web feature layer has fewer editing capabilities enabled. This is helpful to facilitate quality assurance work during the review of versioned edits. For example, if the web feature layer only has the update operation enabled, Edit with full control additionally allows the reviewer to perform insert and delete operations.

Members of a custom role that has these three privileges are referred to as version administrators.

User, Publisher, Administrator

Webhooks

Feature layer

This privilege allows role members to create, edit, and delete their own feature layer webhooks.

Administrator

Note:

At this release, privileges that correspond to unsupported apps and capabilities in ArcGIS Enterprise on Kubernetes are not supported.

Administrative privileges

The privileges in the table below are included in the default administrator role and can also be assigned to custom roles. Including administrative privileges in custom roles allows members to assist default administrators with managing members, groups, and content in the organization.

Note:

Some administrative privileges are reserved for members of the default administrator role and are not available for custom roles.

Administrative privileges

Members

View all

View all member account information.

Update

Update member account information, reset passwords, and assign (and unassign) member categories.

Note:

Only members of the default administrator role can reset the passwords of other members of the default administrator role.

Delete

Remove member accounts from the portal organization.

Add

Add member accounts to the portal organization.

Disable

This privilege grants the ability to disable and enable member accounts.

Change roles

Change the role assigned to portal members.

Note:

Only members of the default administrator role can add members to or remove members from the default administrator role.

Manage licenses

Manage licenses for organization members.

Manage categories

Configure member categories for the organization.

Groups

View all

View groups owned by organization members.

Update

Update groups owned by organization members.

Delete

Delete groups owned by organization members.

Reassign ownership

Reassign ownership of groups.

Assign members

Assign members to, update your members' group role in, and remove members from groups in the organization.

Link to organization-specific group

Link group membership to organization-specific groups.

Create with leaving disallowed

Create and own groups that do not allow group members to leave (administrative groups).

Create with update capabilities

Create and own groups that allow group members to update all items in the group (shared update groups).

Content

View all

View content owned by all organization members.

Update

Update and categorize content owned by all organization members, and edit data in all hosted feature layers and hosted feature layer views, even when editing is not enabled on those layers.

Delete

Delete content owned by any organization member.

Reassign ownership

Reassign ownership of content.

Manage categories

Configure content categories for the organization.

Publish web tools

Allows role members to publish web tools.

Share member content with organization

Allows role members to share content owned by other members of your organization with the organization.

Share member content with public

Allows role members to share content owned by other members of the organization with the public.

Create and manage administrative reports

Allows role members to create and manage administrative reports for the organization.

Webhooks

Geoprocessing

Create, edit, and delete geoprocessing webhooks.

Portal settings

Security and infrastructure

Manage the portal's security settings.

Members of roles with this privilege can configure the following in the portal's organization settings:

  • General—Administrative contacts
  • Items—Comments
  • New member defaults—User type, Role, Add-on licenses, Groups, Member categories
  • Security—Policies (HTTPS, Access and permissions, Sharing and searching), Password policy, Logins, Multifactor authentication, Access notice, Information banner, Trusted servers, Allow origins, Allow portal access, Apps, Email settings

Members of roles with this privilege can also import a new license file, view the portal logs, update the portal log settings, and clean the portal logs.

Organization website

Manage the portal's website settings.

Members of roles with this privilege can configure the following in the portal's organization settings:

  • General—Organization profile (Name, Summary), Contact link, Organization defaults (Language, Number and date format), Shared theme, Help source
  • Home page—Header, Content blocks, Footer, Colors, Typography
  • Gallery—Show in gallery
  • Map—Primary map viewer, Basemap gallery, Map defaults (Default basemap, Default extent, Units), Bing maps, Configurable apps, Web styles, Analysis layers
  • Items—Metadata, Organization categories, Item classification, Search using related terms
  • Groups—Featured groups, Configurable apps

Members of roles with this privilege can also view the portal logs.

Collaborations

Manage the portal's collaborations.

Members of roles with this privilege can configure and manage Collaborations in the portal's organization settings. These members can also view the portal logs.

Member roles

Manage the portal's member roles.

Members of roles with this privilege can configure Member roles in the portal's organization settings and change a member's role. These members can also view the portal logs.

Servers

Manage the portal's server settings.

Members of roles with this privilege can configure the following in the portal's organization settings:

Members of roles with this privilege can also view the portal logs, update the portal log settings, and clean the portal logs.

Utility services

Manage the portal's utility service settings.

Members of roles with this privilege can configure the following in the portal's organization settings:

Members of roles with this privilege can also view the portal logs.

Organization webhooks

Create, edit, and delete organizational webhooks and manage all webhooks in the portal.

Note:

At this release, privileges that correspond to unsupported apps and capabilities in ArcGIS Enterprise on Kubernetes are not supported.

Privileges reserved for members of the default administrator role

Some administrative privileges are reserved for members of the default administrator role and are not available for custom roles. For example, only members of the default administrator role can remove other administrators from the organization. The following is a list of privileges reserved for members of the default administrator role:

  • Change member role to or from administrator.
  • Delete other administrators from the organization.
  • Reset the passwords of other members of the default administrator role.
  • Serve as the administrative contact for the organization.
  • Create backups of the ArcGIS Enterprise deployment.
  • Assign custom roles with administrative privileges to new members when adding them to the organization.
  • Export and import items shared with a group.
  • Manage scheduled administrative reports owned by members.

Privileges for common workflows

Some workflows require a combination of privileges. If you are unable to perform a function that you think your role should allow you to perform, verify that the organization administrator has enabled the full set of privileges required for the function.

The required privileges in the following table indicate the type of privilege (for example, Content) followed by the privilege name. Privileges are general privileges unless noted to be administrative privileges.

Workflow | Required privileges

Use the standard feature analysis tools

  • Content—Create, update, and delete
  • Content—Publish hosted feature layers
  • Content and Analysis—Standard Feature Analysis

Note:

Some tools require additional privileges to use GeoEnrichment or network analysis. See Perform analysis for requirements per tool.

Use raster analysis tools

  • Content—Create, update, and delete
  • Content—Publish hosted feature layers
  • Content and Analysis—Imagery Analysis

Publish hosted feature and WFS layers

  • Content—Create, update, and delete
  • Content—Publish hosted feature layers

Publish hosted tile layers

  • Content—Create, update, and delete
  • Content—Publish hosted tile layers

Publish hosted scene layers

  • Content—Create, update, and delete
  • Content—Publish hosted feature layers
  • Content—Publish hosted scene layers

Publish hosted imagery layers

  • Content—Create, update, and delete
  • Content—Publish dynamic imagery layers

Publish feature layers from custom data providers

  • Content—Create, update, and delete
  • Content—Publish hosted feature layers
  • Content—Publish server-based layers

Create knowledge graphs from ArcGIS Pro

  • Content—Create, update, and delete
  • Content—Publish hosted knowledge graphs

Publish apps from a map viewer or a group page

  • Content—Create, update, and delete
  • Content—Share with groups
  • Content—Share with portal
  • Content—Share with public

Author notebooks

  • Content—Create, update, and delete
  • Content—Publish hosted feature layers
  • Content—Create and edit notebooks
  • Content and Analysis—Advanced notebooks (required to use ArcPy in notebooks)

Add, update, and delete features on editable hosted feature layers even if the hosted feature layer is configured to only update feature attributes or only add new features

  • Features—Edit features
  • Features—Edit with full control

Perform quality assurance reviews, reconcile, and post edits between ArcGIS Server feature services that contain branch versioned data

  • Version Management—Manage all
  • Features—Edit features
  • Features—Edit with full control

Reassign ownership of your items to another member

  • Members—View
  • Content—Create, update, and delete
  • Content—Reassign content

Note:

Only members who have the privilege to receive content can become owners of the reassigned content.

Manage content owned by members

  • Members—View all (Administrative privilege)
  • Groups—View all (Administrative privilege)
  • Content—View all (Administrative privilege)
  • Content—Update (Administrative privilege)
  • Content—Delete (Administrative privilege)
  • Content—Reassign ownership (Administrative privilege)
  • Content—Share member content with organization (Administrative privilege)
  • Content—Share member content with public (Administrative privilege)
  • Sharing—Share with portal
  • Sharing—Share with public

Manage groups owned by members

  • Members—View all (Administrative privilege)
  • Groups—View all (Administrative privilege)
  • Groups—Update (Administrative privilege)
  • Groups—Delete (Administrative privilege)
  • Groups—Reassign ownership (Administrative privilege)
  • Groups—Assign members (Administrative privilege)

Manage member profiles

  • Members—View all (Administrative privilege)
  • Members—Update (Administrative privilege)

Delete members, which also involves managing (reassigning or deleting) their content and groups

  • Members—View
  • Members—Delete (Administrative privilege)
  • Members—View all (Administrative privilege)
  • Content—View all (Administrative privilege)
  • Content—Reassign ownership (Administrative privilege)
  • Content—Delete (Administrative privilege)
  • Groups—View all (Administrative privilege)
  • Groups—Reassign ownership (Administrative privilege)
  • Groups—Delete (Administrative privilege)

Note:

If you want members of the custom administrator role to always reassign groups and content owned by the members they're deleting from the organization rather than deleting those groups and content, do not assign the Content—Delete and Groups—Delete privileges to the custom role.

Manage the portal's security and infrastructure

  • Members—View
  • Groups—View groups shared with organization
  • Members—View all (Administrative privilege)
  • Groups—View all (Administrative privilege)
  • Portal settings—Security and infrastructure (Administrative privilege)

Manage the portal's website settings

  • Members—View
  • Groups—View groups shared with organization
  • Content—Create, update, and delete
  • Content—View content shared with organization
  • Sharing—Share with groups
  • Sharing—Share with portal
  • Sharing—Share with public
  • Sharing—Make groups visible to the portal
  • Sharing—Make groups visible to the public
  • Members—View all (Administrative privilege)
  • Groups—View all (Administrative privilege)
  • Groups—Update (Administrative privilege)
  • Content—View all (Administrative privilege)
  • Content—Update (Administrative privilege)
  • Content—Manage categories (Administrative privilege)
  • Portal settings—Organization website (Administrative privilege)

Manage the portal's collaborations

  • Members—View
  • Groups—Create, update, and delete
  • Groups—View groups shared with organization
  • Content—Create, update, and delete
  • Content—Publish hosted feature layers
  • Content—View content shared with organization
  • Sharing—Share with groups
  • Members—View all (Administrative privilege)
  • Groups—View all (Administrative privilege)
  • Groups—Update (Administrative privilege)
  • Content—View all (Administrative privilege)
  • Content—Update (Administrative privilege)
  • Content—Delete (Administrative privilege)
  • Portal settings—Collaborations (Administrative privilege)

Manage the portal's member roles

  • Members—View
  • Members—View all (Administrative privilege)
  • Members—Change role (Administrative privilege)
  • Portal settings—Member roles (Administrative privilege)

Change a member's user type

  • Members—View
  • Members—View all (Administrative privilege)
  • Members—Update (Administrative privilege)
  • Members—Change role (Administrative privilege)
  • Members—Manage licenses (Administrative privilege)

Manage the portal's server settings

  • Members—View
  • Content—Create, update, and delete
  • Portal settings—Servers (Administrative privilege)
  • Portal settings—Utility services (Administrative privilege)

Manage the portal's utility service settings

  • Members—View
  • Content—Create, update, and delete
  • Content—Publish hosted feature layers
  • Portal settings—Utility services (Administrative privilege)

Create and manage administrative groups

  • Members—View all
  • Groups (general)—Create, update, and delete
  • Groups (administrative)—Update
  • Groups (administrative)—Create with leaving disallowed

Import new license file

  • Members—View
  • Groups—View groups shared with organization
  • Members—View all (Administrative privilege)
  • Members—Manage licenses (Administrative privilege)
  • Groups—View all (Administrative privilege)
  • Portal settings—Security and infrastructure (Administrative privilege)

Note:

At this release, privileges that correspond to unsupported apps and capabilities in ArcGIS Enterprise on Kubernetes are not supported.
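
The dependencies stated in the general privileges table and the combinations in the common-workflows table can be checked mechanically when reviewing a custom role. The following is an added example, not Esri code: the "Type: Privilege name" labels are this page's display names rather than API privilege values, and `audit_role`, `missing_for`, and the sample role are hypothetical.

```python
"""Audit a custom role's privilege set against dependencies stated on this page."""

# Labels are "Type: Privilege name" as written on this page. They are NOT the
# API privilege values, which the page defers to the supported-privileges list.
CONTENT_CUD = "Content: Create, update, and delete"
GROUPS_CUD = "Groups: Create, update, and delete"
PUB_FEATURE = "Content: Publish hosted feature layers"
PUB_SCENE = "Content: Publish hosted scene layers"
NB_EDIT = "Content: Create and edit notebooks"
EDIT = "Features: Edit"
EDIT_FULL = "Features: Edit with full control"
MANAGE_ALL = "Version Management: Manage all"

# (privilege, companion privilege, severity, relationship stated on the page)
RULES = [
    ("Content: Register data stores", CONTENT_CUD, "error", "requires"),
    (NB_EDIT, CONTENT_CUD, "error", "requires"),
    ("Content: Schedule notebooks", NB_EDIT, "error", "requires"),
    ("Groups: Join organizational groups", "Groups: View groups shared with portal",
     "warn", "cannot request to join without"),
    ("Sharing: Make groups visible to portal", GROUPS_CUD, "warn", "only useful with"),
    ("Sharing: Make groups visible to public", GROUPS_CUD, "warn", "only useful with"),
    (MANAGE_ALL, EDIT, "warn", "is normally enabled together with"),
    (MANAGE_ALL, EDIT_FULL, "warn", "is normally enabled together with"),
]

# Privileges whose descriptions extend reach to users who are not signed in.
PUBLIC_REACH = {
    "Sharing: Share with public",
    "Sharing: Make groups visible to public",
    "Content (administrative): Share member content with public",
}

# Two rows copied from the common-workflows table.
WORKFLOWS = {
    "Publish hosted scene layers": {CONTENT_CUD, PUB_FEATURE, PUB_SCENE},
    "Review branch versioned edits": {MANAGE_ALL, EDIT, EDIT_FULL},
}


def audit_role(granted):
    """Return sorted (severity, privilege, message) findings for one role."""
    granted = set(granted)
    findings = []
    for priv, companion, severity, relation in RULES:
        if priv in granted and companion not in granted:
            findings.append((severity, priv, f"{relation} {companion}"))
    for priv in granted:
        # The page requires content creation for every publishing privilege.
        if priv.startswith("Content: Publish") and CONTENT_CUD not in granted:
            findings.append(("error", priv, f"requires {CONTENT_CUD}"))
        if priv in PUBLIC_REACH:
            findings.append(("review", priv, "reaches users who are not signed in"))
    return sorted(findings)


def missing_for(workflow, granted):
    """Privileges a role still lacks for a workflow from the table."""
    return sorted(WORKFLOWS[workflow] - set(granted))


if __name__ == "__main__":
    # Constructed role definition, for illustration only.
    field_crew = {PUB_SCENE, "Content: Schedule notebooks", MANAGE_ALL, EDIT,
                  "Sharing: Share with public"}
    for finding in audit_role(field_crew):
        print(*finding, sep=" | ")
    print(missing_for("Publish hosted scene layers", field_crew))
```

Extend `RULES` and `WORKFLOWS` with further rows from the tables as needed; "review" findings mark privileges to justify explicitly before granting them to a custom role.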