Privileges are granted to members through roles. Privileges allow role members to perform various tasks and workflows in an organization. For example, some members have privileges to create and publish content, while others have privileges to view content but cannot create their own.
Default roles include a specific set of privileges that cannot be altered. When the organization administrator creates custom roles, the administrator specifies which privileges the custom role includes.
There are two levels of privileges: General privileges and Administrative privileges.
To view the privilege values, see ArcGIS Enterprise supported privileges.
General privileges
Members who perform specific tasks in the organization—create maps or edit features, for example—can be assigned the general privileges they need to work and share with groups, content, and features.
The following table lists privileges, grouped by privilege type, and provides a description of each privilege. The table also lists which default roles include the privilege.
General privileges | Default roles that include the privilege | |
---|---|---|
Members | View This privilege grants the ability to view members of the organization. When checked, the View privilege allows members to view the Members tab on the Organization page. If not checked, members cannot see the Organization page. | User, Publisher, Administrator |
Groups | Create, update, and delete This privilege allows members to create groups in the portal and control the groups they own. | User, Publisher, Administrator |
Join organizational groups Members of roles that are granted this privilege can be added to organizational groups or request to join groups in the organization. Members can only request to join organizational groups if you also grant the role the View groups shared with portal privilege. If the role does not have the privilege, members do not see the groups and, therefore, cannot request to join them. | All default roles Note:Only members of the User, Publisher, and Administrator default roles can join shared update groups. | |
View groups shared with portal This privilege allows members to discover groups that are configured to allow portal members to view them. | User, Publisher, Administrator | |
Content | Create, update, and delete This privilege allows members to create items in the portal and control the items they own. This privilege is required if you grant any of the privileges that allow members to publish, register data stores, or create notebooks. | User, Publisher, Administrator |
Publish hosted feature layers This privilege allows members to publish hosted feature layers to the portal from within the portal and from other apps, such as ArcGIS Pro. This privilege is also required when using apps that create hosted feature layers, such as ArcGIS Survey123 and ArcGIS Workforce. | Publisher, Administrator | |
Publish hosted tile layers This privilege allows members to publish hosted tile layers from tile packages, features, and other clients such as ArcGIS Pro, and allows members to publish hosted 3D tiles layers from 3D tiles packages and ArcGIS Pro, and allows members to manage layers published from packages. | Publisher, Administrator | |
Publish hosted scene layers This privilege allows members to publish hosted scene layers to the portal from within the portal and from other apps, such as ArcGIS Pro. | Publisher, Administrator | |
Publish hosted dynamic imagery layers Note:This privilege requires that your deployment be configured for raster analysis. | Publisher, Administrator | |
Publish server-based layers This privilege allows members to publish ArcGIS Server web layers to ArcGIS Server sites that are federated with the portal. This privilege is also required for members who will bulk publish layers from a data store item. | Publisher, Administrator | |
Publish hosted knowledge graphs This privilege allows members to publish hosted knowledge graphs in ArcGIS Pro. This privilege is only visible if an ArcGIS Knowledge Server site is configured for your organization. | Publisher, Administrator | |
View content shared with organization This privilege allows members to access items that are shared with the portal organization. | All default roles | |
Register data stores This privilege allows members of the role to add data store items to the portal. | Publisher, Administrator | |
Create feature layers in bulk from a data store This privilege allows the owner of a database data store item to publish feature and map image layers from all feature classes and tables that can be accessed in the database. | Publisher, Administrator | |
View location tracks This privilege grants the ability to view members' location tracks using shared track views when location sharing is enabled. | Administrator | |
Create and edit notebooks This privilege allows members to open and run notebooks, including shared notebooks and notebooks created from a notebook file (*.ipynb) imported into the portal, and create and edit notebooks using the ArcGIS Notebooks Standard runtime. This privilege is also required for users who will be running web tools published from a notebook. Note:This privilege is only visible if Notebook Server is configured for your organization. Additional privileges (such as managing content or running specialized analysis tools) may be required depending on the workflows performed by the notebook author. | Administrator | |
Schedule notebooks This privilege allows role members to schedule ArcGIS Notebooks to be run in the future. To schedule a particular notebook, the user must own the notebook or have administrative privileges. Note:This privilege is only visible if Notebook Server is configured for your organization. The Create and edit notebooks privilege must be enabled for this privilege to be set. | Administrator | |
Reassign content Allows members to transfer ownership of content they own to another member in the same organization. The member to whom ownership is transferred must have the privilege to receive content. | Administrator | |
Receive content Allows members to receive content transferred to them from members who have the privilege to reassign content. This privilege is not required to receive content transferred by organization administrators. | Administrator | |
Generate API keys Allows members to create and embed API keys as a longer-term authentication option in app items. | Administrator | |
Assign privileges to OAuth 2.0 applications Allows members to define privileges for OAuth 2.0 credentials in app items. The privileges a member can assign are based on their privileges to perform location service analyses. This privilege also allows members to specify which of their own items can be accessed by the OAuth app. | Administrator | |
Sharing | Share with groups This privilege allows members to share items they own with any groups to which the member belongs. | User, Publisher, Administrator |
Share with portal This privilege allows members to share any items they own with the portal organization. | User, Publisher, Administrator | |
Share with public This privilege allows members to share items they own with everyone, even users who do not sign in to the portal. | User, Publisher, Administrator | |
Make groups visible to portal When you create a group, you specify who can see the group or search for the group. This privilege is required to allow group creators to configure the group to allow portal members to view the group. This privilege is only useful if the role also includes the privilege to create, update, and delete groups. | User, Publisher, Administrator | |
Make groups visible to public When you create a group, you specify who can see the group or search for the group. This privilege is required to allow group creators to configure the group to allow anonymous portal users to view the group. This privilege is only useful if the role also includes the privilege to create, update, and delete groups. | User, Publisher, Administrator | |
Content and Analysis | Geocoding Use ArcGIS World Geocoding Service to convert addresses or places to map points and store the results—for example, when publishing spreadsheets (.csv or Microsoft Excel files) as hosted feature layers. This does not apply to your locators configured for the organization. | All default roles |
Network Analysis This privilege grants the ability to perform network analysis tasks such as creating drive-time areas. | All default roles | |
Standard Feature Analysis This privilege grants the ability to perform spatial analysis tasks such as creating buffers. | User, Publisher, Administrator | |
GeoEnrichment This privilege grants the ability to use the GeoEnrichment service to access demographic information. | User, Publisher, Administrator | |
Imagery Analysis This privilege grants the ability to use raster analysis tools. This privilege requires that your deployment be configured for raster analysis. | Publisher, Administrator | |
Advanced notebooks This privilege grants the ability to author notebooks using advanced runtimes. Note:This privilege is only visible if a Notebook Server is configured for your organization. Additional privileges (such as managing content or running specialized analysis tools) may be required depending on the workflows performed by the notebook author. | Administrator | |
Run web tools This privilege allows a member to run web tools published from notebooks. Note:This privilege is only visible if a Notebook Server is configured for your organization. Additional privileges (such as managing content or running specialized analysis tools) may be required depending on the workflows performed by the notebook author. | Administrator | |
Features | Edit This privilege grants the ability to edit features based on permissions set on the layer and update schema on a knowledge graph layer. | Data Editor, User, Publisher, Administrator |
Edit with full control Add, delete, and update features and attributes in editable hosted feature layers, even if the layers are configured to allow fewer editing operations. This privilege also allows members to update schema on a knowledge graph layer. | Administrator | |
Version Management | Manage all This privilege allows role members to view, alter, and delete all branch versions accessed through an ArcGIS Server web feature layer. This privilege also allows role members to manage version locks on these layers. When you enable this privilege, the following privileges are also enabled by default:
Members of a custom role that has these three privileges are referred to as version administrators. | User, Publisher, Administrator |
Webhooks | Feature layer This privilege allows role members to create, edit, and delete their own feature layer webhooks. | Administrator |
Note:
At this release, privileges that correspond to unsupported apps and capabilities in ArcGIS Enterprise on Kubernetes are not supported.
Administrative privileges
The privileges in the table below are included in the default administrator role and can also be assigned to custom roles. Including administrative privileges in custom roles allows members to assist default administrators with managing members, groups, and content in the organization.
Note:
Some administrative privileges are reserved for members of the default administrator role and are not available for custom roles.
Administrative privileges | |
---|---|
Members | View all View all member account information. |
Update Update member account information, reset passwords, and assign (and unassign) member categories. Note:Only members of the default administrator role can reset the passwords of other members of the default administrator role. | |
Delete Remove member accounts from the portal organization. | |
Add Add member accounts to the portal organization. | |
Disable This privilege grants the ability to disable and enable member accounts. | |
Change roles Change the role assigned to portal members. Note:Only members of the default administrator role can add members to or remove members from the default administrator role. | |
Manage licenses Manage licenses for organization members. | |
Manage categories Configure member categories for the organization | |
Groups | View all View groups owned by organization members. |
Update Update groups owned by organization members. | |
Delete Delete groups owned by organization members. | |
Reassign ownership Reassign ownership of groups. | |
Assign members Assign members to, update your members' group role in, and remove members from groups in the organization. | |
Link to organization-specific group Link group membership to organization-specific groups. | |
Create with leaving disallowed Create and own groups that do not allow group members to leave (administrative groups). | |
Create with update capabilities Create and own groups that allow group members to update all items in the group (shared update groups). | |
Content | View all View content owned by all organization members. |
Update Update and categorize content owned by all organization members, and edit data in all hosted feature layers and hosted feature layer views, even when editing is not enabled on those layers. | |
Delete Delete content owned by any organization member. | |
Reassign ownership Reassign ownership of content. | |
Manage categories Configure content categories for the organization. | |
Publish web tools Allows role members to publish web tools. | |
Share member content with organization Allows role members to share content owned by other members of your organization with the organization. | |
Share member content with public Allows role members to share content owned by other members of the organization with the public. | |
Create and manage administrative reports Allows role members to create and manage administrative reports for the organization. | |
Webhooks | Geoprocessing Create, edit, and delete geoprocessing webhooks. |
Portal settings | Security and infrastructure Manage the portal's security settings. Members of roles with this privilege can configure the following in the portal's organization settings:
Members of roles with this privilege can also import a new license file, view the portal logs, update the portal log settings, and clean the portal logs. |
Organization website Manage the portal's website settings. Members of roles with this privilege can configure the following in the portal's organization settings:
Members of roles with this privilege can also view the portal logs. | |
Collaborations Manage the portal's collaborations. Members of roles with this privilege can configure and manage Collaborations in the portal's organization settings. These members can also view the portal logs. | |
Member roles Manage the portal's member roles. Members of roles with this privilege can configure Member roles in the portal's organization settings and change a member's role. These members can also view the portal logs. | |
Servers Manage the portal's server settings. Members of roles with this privilege can configure the following in the portal's organization settings:
Members of roles with this privilege can also view the portal logs, update the portal log settings, and clean the portal logs. | |
Utility services Manage the portal's utility service settings. Members of roles with this privilege can configure the following in the portal's organization settings:
Members of roles with this privilege can also view the portal logs. | |
Organization webhooks Create, edit, and delete organizational webhooks and manage all webhooks in the portal. |
Note:
At this release, privileges that correspond to unsupported apps and capabilities in ArcGIS Enterprise on Kubernetes are not supported.
Privileges reserved for members of the default administrator role
Some administrative privileges are reserved for members of the default administrator role and are not available for custom roles. For example, only members of the default administrator role can remove other administrators from the organization. The following is a list of privileges reserved for members of the default administrator role:
- Change member role to or from administrator.
- Delete other administrators from the organization.
- Reset the passwords of other members of the default administrator role.
- Serve as the administrative contact for the organization.
- Create backups of the ArcGIS Enterprise deployment.
- Assign custom roles with administrative privileges to new members when adding them to the organization.
- Export and import items shared with a group.
- Manage scheduled administrative reports owned by members.
Privileges for common workflows
Some workflows require a combination of privileges. If you are unable to perform a function that you think your role should allow you to perform, verify that the organization administrator has enabled the full set of privileges required for the function.
The required privileges in the following table indicate the type of privilege (for example, Content) followed by the privilege name. Privileges are general privileges unless noted to be administrative privileges.
Workflow | Required privileges |
---|---|
Use the standard feature analysis tools |
Note:Some tools require additional privileges to use GeoEnrichment or network analysis. See Perform analysis for requirements per tool. |
Use raster analysis tools |
|
Publish hosted feature and WFS layers |
|
Publish hosted tile layers |
|
Publish hosted scene layers |
|
Publish hosted imagery layers |
|
Publish feature layers from custom data providers |
|
Create knowledge graphs from ArcGIS Pro |
|
Publish apps from a map viewer or a group page |
|
Author notebooks |
|
Add, update, and delete features on editable hosted feature layers even if the hosted feature layer is configured to only update feature attributes or only add new features |
|
Perform quality assurance reviews, reconcile, and post edits between ArcGIS Server feature services that contain branch versioned data |
|
Reassign ownership of your items to another member |
Note:Only members who have the privilege to receive content can become owners of the reassigned content. |
Manage content owned by members |
|
Manage groups owned by members |
|
Manage member profiles |
|
Delete members, which also involves managing (reassigning or deleting) their content and groups |
Note:If you want members of the custom administrator role to always reassign groups and content owned by the members they're deleting from the organization rather than deleting those groups and content, do not assign the Content—Delete and Groups—Delete privileges to the custom role. |
Manage the portal's security and infrastructure |
|
Manage the portal's website settings |
|
Manage the portal's collaborations |
|
Manage the portal's member roles |
|
Change a member's user type |
|
Manage the portal's server settings |
|
Manage the portal's utility service settings |
|
Create and manage administrative groups |
|
Import new license file |
|
Note:
At this release, privileges that correspond to unsupported apps and capabilities in ArcGIS Enterprise on Kubernetes are not supported.