As a default administrator or member with the appropriate privileges, you determine whether HTTPS is required for all transactions and whether anonymous access is allowed to your portal. You can also configure security settings for sharing and searching, password policies, sign in options, access notices, information banners, trusted servers, and more.
Tip:
Visit ArcGIS Trust Center for more in-depth security, privacy, and compliance information.
- Confirm that you are signed in as a default administrator or as a member of a custom role with the administrative privilege to manage security and infrastructure enabled.
- At the top of the site, click Organization and click the Settings tab.
- Click Security on the side of the page.
- Configure any of the following security settings:
Access and permissions
Change any of the following policy settings as needed:
- Allow access to the portal through HTTPS only—By default, the portal enforces HTTPS-only communication to ensure that your organization's data as well as any temporary identification tokens that allow access to your data are encrypted during communications over the internet. Turning off this toggle button allows both HTTP and HTTPS communication. Changes to this setting may affect the performance of the site.
- Allow anonymous access to your portal—Enable this option to allow anonymous users access to your organization's website. If this option is not enabled, anonymous access is disabled, and anonymous users cannot access the website. They also cannot view your maps with Bing Maps (if your organization is configured for Bing Maps).
Note:
Bing Maps will be retired on June 30, 2028, and replaced by Azure Maps. See Microsoft Azure documentation for instructions on migrating from Bing Maps to Azure Maps.
If you enable anonymous access, ensure that the groups selected for the site configuration groups are shared with the public; otherwise, anonymous users may not be able to properly view or access the public content of those groups.
- Allow members to edit biographical information and who can see their profile—Enable this option to allow members to modify the biographical information in their profile and specify who can see their profile.
Sharing and searching
Change any of the following sharing and search settings as needed:
- Members who are not administrators can make their content, groups, and profile public—Enable this option to allow members to make their profile or groups visible to everyone (public), share their web apps and other items with the public, and embed their content or groups in websites. If you disable this option, default administrators and members assigned the administrative privilege to share member content with the public can still make other members' content, groups, and profiles public.
- Show social media links on item and group pages—Enable this option to include links to Facebook and X on item and group pages.
Sign-in policy
Configure a password policy and lockout settings as required for your organization.
Password policy
When members change their passwords, they must conform to the organization's policy. If they don't, a message appears with the policy details. The password policy of the organization does not apply to organization-specific logins, such as SAML logins, or app credentials that use app IDs and app secrets.
Click Manage password policy to configure the password length, complexity, and history requirements for members with built-in accounts. You can specify the character length and whether the password must contain at least one of any of the following: uppercase letter, lowercase letter, number, or special character. You can also configure the number of days before the password expires and the number of past passwords that the member cannot reuse. Passwords are case sensitive and cannot be the same as the username. Click Use portal defaults to reset the organization to use the standard ArcGIS Enterprise password policy (at least eight characters with at least one letter and one number; spaces are not allowed).
Note:
Weak passwords may not be accepted. A password is considered weak if it's a commonly used password such as password1 or includes repetitive or sequential characters—for example, aaaabbbb or 1234abcd.
Note:
If email settings are configured in your organization, an automatic email notification will be sent to your administrative contacts when the password policy is changed.
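The portal default policy and the weak-password description above can be pre-screened offline, for example in an account provisioning script. The following is an added example, not Esri's implementation; the function names, the small common-password list, and the run length of four used to detect repetitive or sequential characters are assumptions.

```python
# Constructed, deliberately tiny list; a real check would load a much larger one.
COMMON_PASSWORDS = {"password1", "password123", "qwerty123", "letmein1"}
RUN_LENGTH = 4  # assumption: 4 or more repeated/consecutive characters is "weak"


def has_run(password, step, length=RUN_LENGTH):
    """True if `length` adjacent characters each differ by `step` code points.

    step=0 finds repeats (aaaa); step=1 or -1 finds sequences (1234, dcba).
    """
    run = 1
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if ord(cur) - ord(prev) == step else 1
        if run >= length:
            return True
    return False


def check_password(password, username):
    """Return the reasons a password fails; an empty list means it passes."""
    problems = []
    # Portal defaults quoted on this page: 8+ characters, a letter, a number, no spaces.
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if " " in password:
        problems.append("contains a space")
    if password == username:  # passwords are case sensitive, so compare exactly
        problems.append("same as username")
    # Weak-password heuristics (assumed thresholds, see RUN_LENGTH).
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("commonly used password")
    if has_run(lowered, 0):
        problems.append("repetitive characters")
    if has_run(lowered, 1) or has_run(lowered, -1):
        problems.append("sequential characters")
    return problems


if __name__ == "__main__":
    # Constructed sample accounts, including the weak examples named on this page.
    for user, pw in [("jsmith", "password1"), ("jsmith", "aaaabbbb"),
                     ("jsmith", "1234abcd"), ("jsmith", "Tr4il-Map-Ridge")]:
        print(pw, "->", check_password(pw, user) or "ok")
```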
Lockout settings
By default, when a member attempts to sign in to their ArcGIS Enterprise organization using a built-in account, they are locked out of the website for 15 minutes after five failed attempts in a 15-minute period. Click Manage lockout settings to change the number of failed sign-in attempts permitted, or the lockout duration if that number is exceeded, or both. Click Restore defaults to return to the default lockout settings.
Logins
You can customize the organization's sign-in page to allow members to sign in using any of the following methods: ArcGIS logins, Security Assertion Markup Language (SAML) logins (previously known as enterprise logins), and OpenID Connect logins.
You can also customize the order in which the login methods appear on the organization's sign-in page. To reorder a login method, click its handle and drag it to a new position. Click Preview to see what the sign-in page will look like.
Turn on the ArcGIS login button to allow users to sign in to ArcGIS using their ArcGIS logins. When enterprise logins have been configured, you can turn off the ArcGIS login toggle button to direct users to the external identity provider's sign-in page instead of the organization's sign-in page.
Note:
Turning off the ArcGIS login toggle button only hides the ArcGIS login option on the organization's sign-in page; it does not disable ArcGIS logins. You can still access resources hosted by ArcGIS in your ArcGIS applications by manually generating a token or by using ArcGIS APIs and SDKs. To disable an ArcGIS account, see Disable member accounts.
Use the New SAML login button to configure a SAML-compliant identity provider with your portal if you want members to sign in to the portal using your organization's existing SAML identity provider.
Use the New OpenID Connect login button to configure OpenID Connect logins if you want members to sign in using your organization's existing OpenID Connect identity provider.
Multifactor authentication
Note:
This option controls multifactor authentication for built-in accounts. To configure multifactor authentication for accounts based on SAML or OpenID Connect logins, go to your identity provider to configure the corresponding options.
Multifactor authentication for built-in accounts can only be enabled if your organization has email settings configured.
Organizations that want to allow members to set up multifactor authentication for signing in to ArcGIS can turn on the Enable multifactor authentication for organization toggle button. Multifactor authentication provides an extra level of security by requiring a verification code in addition to a username and password when members sign in.
If you enable this setting, organization members can set up multifactor authentication through their settings page and receive verification codes on their mobile phones or tablets from a supported authenticator app (currently, Google Authenticator for Android and iOS and Authenticator for Windows Phone).
Tip:
Members who enable multifactor authentication have a check mark in the Multifactor Authentication column of the member table on the Members tab on the Organization page.
If you enable multifactor authentication for your organization, you must designate at least two administrators who will receive email requests to disable multifactor authentication as needed on member accounts. ArcGIS Enterprise sends emails on behalf of members who request help with multifactor authentication through the Having trouble signing in with your code? link (on the page where the member is asked to provide the authentication code). At least two administrators are required to ensure that at least one will be available to help members with any multifactor authentication issues.
Multifactor authentication works with Esri apps that support OAuth 2.0. This includes the portal website, ArcGIS Pro, ArcGIS apps, and My Esri.
Multifactor authentication must be disabled to access apps without OAuth 2.0 support. This includes geocoding and geoprocessing services that perform routing and elevation analysis. Multifactor authentication must also be disabled when storing credentials with Esri premium content.
Access notice
You can configure and display a notice of terms for users who access your site.
You can configure an access notice for organization members or all users who access your organization, or both. If you set an access notice for organization members, the notice is displayed after members sign in. If you set an access notice for all users, the notice is displayed when any user accesses your site. If you set both access notices, organization members see both notices.
To configure an access notice for organization members or all users, click Set access notice in the appropriate section, turn on the toggle button to display the access notice, and provide a notice title and text. Choose the Accept and Decline option if you want users to accept the access notice before proceeding to the site, or choose the OK only option if you want users to simply click OK to proceed. Click Save when finished.
Note:
HTML tags are not permitted in the access notice.
To edit the access notice for organization members or all users, click Edit access notice in the appropriate section and make changes to the title, text, or action button options. If you no longer want the access notice displayed, use the toggle button to disable the access notice. After disabling the access notice, the previously typed text and configuration will be retained if the access notice is re-enabled in the future. Click Save when finished.
Information banner
You can use information banners to alert all users who access your organization about your site's status and content. For example, inform users about maintenance schedules, classified information alerts, and read-only modes by creating custom messages to appear at the top and bottom of your site. The banner appears on the Home, Gallery, Map Viewer, Scene Viewer, Notebook, Groups, Content, and Organization pages, and on sites created in ArcGIS Enterprise Sites if enabled in the app.
To enable the information banner for your organization, click Set information banner and turn on Display information banner. Add text in the Banner text field and choose a background color and font color. A contrast ratio appears for your selected text and background color. Contrast ratio is a measure of legibility based on WCAG 2.1 accessibility standards; a contrast ratio of 4.5 is recommended to adhere to these standards.
Note:
HTML tags are not permitted in the information banner.
You can preview the information banner in the Preview pane. Click Save to add the banner to your organization.
To edit the information banner, click Edit information banner and make changes to the banner text or styling. If you no longer want the information banner displayed, use the toggle button to disable the information banner. After disabling the information banner, the previously typed text and configuration will be retained if the information banner is re-enabled in the future. Click Save when finished.
Trusted servers
For Trusted servers, configure the list of trusted servers you want your clients to send credentials to when making Cross-Origin Resource Sharing (CORS) requests to access services secured with web-tier authentication. This applies primarily to editing secure feature services from a stand-alone (unfederated) server running ArcGIS Server or viewing secure Open Geospatial Consortium (OGC) services. ArcGIS Server hosting services secured with token-based security do not need to be added to this list. Servers added to the trusted servers list must support CORS. Layers hosted on servers without CORS support may not function as expected. ArcGIS Server supports CORS by default at versions 10.1 and later. To configure CORS on non-ArcGIS servers, refer to the vendor documentation for the web server.
The host names must be provided individually. Wildcards cannot be used and are not accepted. The host name can be provided with or without the protocol in front of it. For example, the host name secure.esri.com can be provided as secure.esri.com or https://secure.esri.com.
Note:
Editing feature services secured with web-tier authentication requires a web browser enabled with CORS. The latest versions of Mozilla Firefox, Google Chrome, and Safari are CORS enabled. To test if your browser has CORS enabled, open https://caniuse.com/cors.
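Because clients send credentials to trusted servers in CORS requests, the server's response must meet the browser's rules for credentialed requests: Access-Control-Allow-Origin has to echo the requesting origin (not `*`) and Access-Control-Allow-Credentials has to be `true`. The following added example (not Esri code) evaluates response headers captured from a candidate server before it is added to the list; the function name, origin, and sample headers are constructed for illustration.

```python
SAFELISTED_METHODS = {"GET", "HEAD", "POST"}  # never need Access-Control-Allow-Methods


def credentialed_cors_problems(origin, response_headers, method="GET"):
    """List the reasons a browser would block a CORS request sent with credentials.

    origin: the web app's origin, for example "https://maps.example.org".
    response_headers: headers returned by the server; for a method outside
    GET/HEAD/POST, pass the headers of the preflight (OPTIONS) response.
    """
    headers = {name.lower(): value.strip() for name, value in response_headers.items()}
    problems = []

    allow_origin = headers.get("access-control-allow-origin")
    if allow_origin is None:
        problems.append("no Access-Control-Allow-Origin header: server is not CORS enabled")
    elif allow_origin == "*":
        problems.append("Access-Control-Allow-Origin is '*', rejected when credentials are sent")
    elif allow_origin != origin:  # browsers compare the value exactly with the Origin sent
        problems.append(f"Access-Control-Allow-Origin is {allow_origin!r}, expected {origin!r}")

    # The value is case-sensitive: only the literal string "true" is honoured.
    if headers.get("access-control-allow-credentials") != "true":
        problems.append("Access-Control-Allow-Credentials is not 'true'")

    method = method.upper()
    if method not in SAFELISTED_METHODS:
        listed = headers.get("access-control-allow-methods", "")
        allowed = {m.strip() for m in listed.split(",")}
        # With credentials, '*' in this header is a literal, not a wildcard.
        if method not in allowed:
            problems.append(f"{method} is not listed in Access-Control-Allow-Methods")
    return problems


# Constructed sample responses (not captured from any real server).
SAMPLE_ORIGIN = "https://maps.example.org"
SAMPLE_RESPONSES = {
    "configured for credentials": {
        "Access-Control-Allow-Origin": "https://maps.example.org",
        "Access-Control-Allow-Credentials": "true",
    },
    "wildcard only": {"Access-Control-Allow-Origin": "*"},
    "no CORS support": {"Content-Type": "application/json"},
}

if __name__ == "__main__":
    for label, sample in SAMPLE_RESPONSES.items():
        print(label, "->", credentialed_cors_problems(SAMPLE_ORIGIN, sample) or "ok")
```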
Allow origins
By default, ArcGIS REST API is open to CORS requests from web applications on any domain. If your organization wants to limit the web application domains that are allowed to access ArcGIS REST API through CORS, you must specify these domains explicitly. For example, to restrict CORS access to web applications on acme.com only, click Add and type https://acme.com in the text box and click Add domain. You can specify up to 100 trusted domains for your organization. It's not necessary to specify arcgis.com as a trusted domain, as applications running on the arcgis.com domain are always allowed to connect to ArcGIS REST API.
Allow portal access
Configure a list of portals (for example https://otherportal.domain.com/arcgis) with which you want to share secure content. This allows members of your organization to use their organization-specific logins (including SAML logins) to access the secure content when viewing it from these portals. Portals that your organization collaborates with are included automatically and do not need to be added to this list. This is only applicable for portals at ArcGIS Enterprise version 10.5 and later. This setting is not needed for sharing secured content with an ArcGIS Online organization.
The portal URLs must be provided individually and must include the protocol. Wildcards cannot be used and are not accepted. If the portal being added allows both HTTP and HTTPS access, two URLs must be added for that portal (for example http://otherportal.domain.com/arcgis and https://otherportal.domain.com/arcgis). Any portal added to the list is validated first and, therefore, must be accessible from the browser.
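The entry rules for the Trusted servers, Allow origins, and Allow portal access lists can be checked before the values are typed into the portal. This is an added example, not part of ArcGIS; the function names and the `kind` labels are hypothetical, and requiring the protocol for origin entries is an assumption based on the https://acme.com example above.

```python
from urllib.parse import urlsplit

MAX_ALLOWED_ORIGINS = 100  # limit stated on this page for the Allow origins list
# Assumption: "origin" entries need the protocol, following the page's
# https://acme.com example. The page states this requirement only for portals.
PROTOCOL_REQUIRED = {"trusted_server": False, "origin": True, "portal": True}


def check_entry(entry, kind):
    """Return the entry in normalized form, or raise ValueError with the reason."""
    entry = entry.strip()
    if "*" in entry:
        raise ValueError("wildcards are not accepted; list each host individually")
    has_protocol = "://" in entry
    if PROTOCOL_REQUIRED[kind] and not has_protocol:
        raise ValueError("the protocol (http:// or https://) is required")
    # Prefix "//" so urlsplit treats a bare host name as the network location.
    parts = urlsplit(entry if has_protocol else "//" + entry)
    if has_protocol and parts.scheme not in ("http", "https"):
        raise ValueError("only http and https are expected here")
    if not parts.hostname:
        raise ValueError("no host name found")
    if kind != "portal" and parts.path.strip("/"):
        raise ValueError("expected a host name, not a URL with a path")
    prefix = f"{parts.scheme}://" if has_protocol else ""
    path = parts.path.rstrip("/") if kind == "portal" else ""
    return f"{prefix}{parts.netloc.lower()}{path}"


def review_list(entries, kind):
    """Split entries into (accepted, rejected-with-reason), dropping duplicates."""
    accepted, rejected = [], {}
    for raw in entries:
        try:
            value = check_entry(raw, kind)
        except ValueError as err:
            rejected[raw] = str(err)
            continue
        if value not in accepted:
            accepted.append(value)
    if kind == "origin" and len(accepted) > MAX_ALLOWED_ORIGINS:
        for extra in accepted[MAX_ALLOWED_ORIGINS:]:
            rejected[extra] = f"over the {MAX_ALLOWED_ORIGINS}-domain limit"
        accepted = accepted[:MAX_ALLOWED_ORIGINS]
    return accepted, rejected


if __name__ == "__main__":
    # Constructed input mixing valid and invalid portal entries.
    portals = ["*.domain.com", "otherportal.domain.com/arcgis",
               "http://otherportal.domain.com/arcgis",
               "https://otherportal.domain.com/arcgis/"]
    ok, bad = review_list(portals, "portal")
    print("accepted:", ok)
    for entry, reason in bad.items():
        print("rejected:", entry, "-", reason)
```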
Apps
You can specify which external apps can be accessed by organization members and, optionally, make approved web apps available to organization members in the app launcher. You can also specify a list of Esri apps that should be blocked from members to comply with regulations, standards, and best practices.
Approve apps
All Esri apps and licensed apps are automatically approved for member access. To give organization members access to other types of apps without a Request for Permissions prompt, you must specify a list of approved apps for the organization. Approved apps can include web, mobile, or native apps hosted in your organization or outside your organization. For access to external apps, you can also restrict member sign-in to only those apps added to the approved apps list.
Note:
Approved web apps can also be made available to organization members in the app launcher. Licensed apps automatically appear in the app launcher for members with appropriate licenses. For more information, see Manage apps in the app launcher.
Do the following to approve apps for access by organization members:
- Confirm that you are signed in as a default administrator or as a member of a custom role with the administrative privilege to manage security and infrastructure.
- At the top of the site, click Organization and click the Settings tab.
- Click Security on the side of the page and click Apps to move to the Apps section of the page.
- Under Approved apps, click Add approved app.
- Search for an app using one of the following methods:
  - Browse to the app in the list—By default, the list only includes apps registered with your organization.
  - Search by name
  - Search by item URL—The item URL is found on the Overview tab (URL section) of the app's item page.
    Note:
    Searching by item URL is not supported for all apps, including ArcGIS Dashboards, ArcGIS StoryMaps, and ArcGIS Experience Builder.
  - Search by App ID—If you own or have access to the app item, you can find the App ID on the Settings tab (Application Settings > Registered Info) of the app's item page. Another way to find the App ID is by opening the app in a private browser window, clicking the sign-in link for the app, and looking for the client_id value in the URL displayed in the browser's address bar.
- Select an app to approve.
- If you selected a web app, you can optionally turn off the Show in app launcher toggle button to hide the web app in the app launcher.
To show the web app in the app launcher, leave this toggle button turned on and follow the steps in Manage apps in the app launcher.
- Click Save to add the app to the approved apps list.
Blocked Esri apps
If your organization wants to restrict access to some of the apps that are included with user types and cannot be controlled through licensing, you can configure a list of blocked apps.
Blocked apps are removed from the app launcher and their items cannot be created from the content page or from a web map. Administrators can still see blocked apps when managing licenses and adding new members but cannot select them. App items that are created before an app is blocked remain visible in the organization, but members cannot sign in to them. If a blocked app is shared with your organization, members cannot sign in and use the app.
To block apps, click Manage blocked Esri apps, select the apps you want to block, and click Save.
Administrators can remove apps from their organization's blocked apps list by deselecting them in the Manage blocked Esri apps window or by clicking the Remove button next to the app in the list.
Configure email settings
You can configure email settings for your organization, which can be used to send email notifications to members. The following email notifications can be configured:
- Password policy notifications—An automatic email notification will be sent to your administrative contacts when the password policy is changed. If no administrative contacts are set, the oldest administrator account in the organization or the initial administrator account will receive the email notification.
- Reset password notifications—Administrators can reset a member's password on the Members tab, which will send an email to the member with a temporary password. A member can also request a reset password link when they indicate they have forgotten their password on the organization sign-in page. Emails will be sent to the email address associated with a member's profile.
- Multifactor authentication notifications—Your organization must have email settings configured to enable multifactor authentication. If multifactor authentication is configured, designated administrators will receive email notifications to disable multifactor authentication for specific members if needed.
- Item comment notifications—When comments are enabled in the organization, item owners will receive email notifications of new comments published to their items.
- Profile and settings notifications—Members will be notified of changes to their profile and settings such as their password, security question, and profile visibility.
Follow these steps to configure email settings:
- To configure email notifications for your organization, under Email settings, click Configure.
If email settings are already configured, click Manage email settings to open the Configure email settings window.
- On the SMTP settings page, do the following:
  - Provide the SMTP server address.
    This is the IP address or fully qualified domain name (FQDN) of the SMTP server, for example, smtp.domain.com.
  - Provide the SMTP port.
    This is the port the SMTP server will communicate over. Some of the most common communication ports are 25, 465, and 587. The default value is 25.
  - Under Encryption method, select the encryption method for email messages sent from your organization.
    You can select Plain Text, STARTTLS, or SSL.
  - Turn on SMTP authentication required if authentication is required to connect with the SMTP server specified.
    You can leave this option off if SMTP authentication is not required.
  - If SMTP authentication required is enabled above, provide the username and password of a user who is authorized to access the SMTP server.
  - Provide the email address from which organization emails will be sent.
    It is recommended that the member associated with this email address be listed under the Administrative contacts for your organization.
  - Provide the email address label that will display with the sent from email address.
    The information is displayed as the sender in the from line for all email notifications. You can use the name associated with the from email address, or use a label such as DO NOT REPLY to discourage members from replying directly to the from email address.
- Click Next.
It is recommended that you send a test email to verify that you have configured your email settings correctly.
- Provide an email address that you can use to verify that the test email is delivered successfully, and click Send Email.
A notification appears to indicate whether the email is sent successfully. You can check the portal logs for more information.
- Click Finish to configure email settings.
To disable email notifications from your organization, click Disable email settings.