Organizations can use, create, and share a wide range of geographic content, including maps, scenes, apps, and layers. The ability of individual organization members to access and work with content in different ways depends on the privileges they have in the organization. User types allow organizations to control the scope of privileges that can be assigned to members through roles.
User types
Organizations assign user types to members based on the members' needs and requirements. Members are assigned a user type when they are added to the organization. The user type determines the privileges that can be granted to the member through a default or custom role. Each user type also includes access to specific apps and app bundles.
Note:
Use the ArcGIS Enterprise portal website to get the most up-to-date information on user types.
The following user types are offered:
- Viewer—Viewers can view items that are shared with them by other ArcGIS users. This user type is ideal for members of an organization who need to view ArcGIS content in a secure environment. Viewers can’t create, edit, share, or perform analysis on items or data. This user type includes the Essential Apps Bundle.
- Editor—Editors can view and edit data in ArcGIS maps and apps that are shared with them by other ArcGIS users. This user type is ideal for users who need to access and edit data that is shared with them, using ArcGIS Configurable Apps templates or Web AppBuilder for ArcGIS. The Editor user type can also be used with custom editing applications created by customers or by Esri business partners. Editors can’t analyze, create, or share items or data. This user type includes the Essential Apps Bundle.
- Field Worker—Field Workers can view and edit data that has been shared with them by other ArcGIS users. Ideal for users who primarily interact with ArcGIS content through Esri field apps, this user type allows users in the field to view and edit data using any of the apps included in the Field Apps Bundle (Collector for ArcGIS, Survey123 for ArcGIS, and Workforce for ArcGIS) and directly through ArcGIS Enterprise. Field Workers can’t analyze, create, or share items or data. This user type includes the Essential Apps and Field Apps bundles.
- Creator—Creators have all the capabilities of the Viewer, Editor, and Field Worker user types, plus the ability to create content, administer the organization, and share content for use in Essential Apps, Field Apps, and Office Apps. The Creator user type is designed for those who need to create web maps and apps, perform in-depth spatial analysis using the analysis tools in the portal, and work with data using field apps such as Collector for ArcGIS. This user type includes the Essential Apps, Field Apps, and Office Apps bundles.
- GIS Professional—GIS Professionals have all the capabilities and app bundles of the Creator, plus access to ArcGIS Pro (Basic, Standard, or Advanced). This user type is designed for those who need the full suite of GIS apps to perform their work—that is, create web maps and apps, perform in-depth spatial analysis using analysis tools, and leverage the advanced tools of ArcGIS Pro. The GIS Professional user type can be assigned at the following three levels, which correspond to the three license levels of ArcGIS Pro:
- GIS Professional Basic—The GIS Professional Basic user type includes ArcGIS Pro Basic, which provides the tools and environment for map creation and interactive visualization.
- GIS Professional Standard—The GIS Professional Standard user type includes ArcGIS Pro Standard, which provides the tools and environment for map creation, interactive visualization, multiuser editing, and advanced data management. It also includes access to Parcel Fabric and Utility Network user type extensions.
- GIS Professional Advanced—The GIS Professional Advanced user type includes ArcGIS Pro Advanced, which provides the tools and environment for map creation, interactive visualization, multiuser editing, advanced data management, advanced analysis, high-end cartography, and extensive database management. It also includes access to Parcel Fabric and Utility Network user type extensions.
All levels of the GIS Professional user type include access to apps in all of the app bundles in addition to ArcGIS Pro. This user type does not include access to other ArcGIS Desktop products and extensions, such as ArcMap.
- Insights Analyst—Insights Analysts have all the capabilities required to use ArcGIS Insights, including creating and sharing content and performing analysis. This user type includes an Insights license. It's designed for those who primarily use Insights in their day-to-day tasks and may need to perform administrative tasks in the organization, but who don't need to access other ArcGIS apps. To learn more about this user type, see Licensing in the Insights documentation.
Note:
Apps that are not included with an assigned user type can be licensed and assigned as needed to specific members as add-on licenses. For example, ArcGIS Business Analyst and ArcGIS Insights can be purchased and assigned to members who have been granted the Creator or GIS Professional user types.
User type examples
The following examples illustrate how user types can be applied in an organization:
- A content creator assigned a Creator user type creates and shares a site selection app with a group of users in their organization. This app allows users to select a specific site and view attribute information about the site that should only be available to employees. A member assigned a Viewer user type can join the group and view and interact with the app.
- A data editor assigned the Editor user type uses the Crowdsource Manager configurable app to review and clean up data submitted by the public. The data editor can view and update the public data entries to prepare them for publication and analysis.
- A GIS specialist in a forestry organization is tasked with creating a tree inventory map for forestry technicians to use. The GIS specialist is assigned a GIS Professional Basic user type, which allows her to create complex data models, including subtypes and domains, using ArcGIS Pro. She then publishes the data to ArcGIS Enterprise and creates a web map for forestry technicians to use in Collector for ArcGIS. Once the map is created, the GIS specialist can test the functionality in Collector and share the web map with the appropriate group. Each forestry technician is given an ArcGIS member account and assigned a Field Worker user type so they can sign in to Collector, find their web maps, and edit the data as needed.
Roles
A role defines the set of privileges assigned to a member. Privileges are assigned to members through a default role or a custom role. Members are assigned a role when they are added to the organization.
If you're not sure what role you were assigned or if you need more information about your role, click the Role Information button in the Role section of your profile.
Note:
Once a member joins, their role can be changed by administrators and those with privileges to change member roles. Changing roles to or from administrator can be done only by administrators.
Default roles
ArcGIS Enterprise defines a set of privileges for the following default roles:
Note:
A member's user type determines the default roles that can be assigned to the member. User types compatible with each role are noted below.
- Viewer—View items such as maps, apps, scenes, and layers that have been shared with the public, the organization, or a group to which the member belongs. Join groups owned by the organization. Drag CSV, text, or GPX files into Map Viewer to geocode addresses or place names. Get directions in Map Viewer and apps.
Members assigned the Viewer role cannot create or share content, or perform analysis.The Viewer role is compatible with all user types.
- Data Editor—Viewer privileges plus the ability to edit features shared by other ArcGIS users. The Data Editor role is compatible with all user types except Viewer.
- User—Data Editor privileges plus the ability to create groups and content. Users can use the organization's maps, apps, layers, and tools, and join groups that allow members to update all items in the group. Members assigned the User role can also create maps and apps, edit features, add items to the portal, share content, and create groups. The User role is compatible with theCreator, GIS Professional, and Insights Analyst user types.
- Publisher—User privileges plus the ability to publish hosted web layers, ArcGIS Server layers, register data stores, publish from data store items, and perform feature and raster analysis. The Publisher role is compatible with the Creator, GIS Professional, and Insights Analyst user types.
- Administrator—Publisher privileges plus privileges to manage the organization and other users.
An organization must have at least one administrator, though two is recommended. There is no limit to the number of members who can be assigned to the Administrator role within an organization; however, for security reasons, you should only assign this role to those who require the additional privileges associated with it. The Administrator role is compatible with the Creator, GIS Professional, and Insights Analyst user types.
To choose a default role assigned to new members, go to Organization > Settings > Member Roles and choose a role from the Default role for new members drop-down menu. Click Save to apply this new setting.
Note:
You can only select a default role once a default user type is selected. Only roles that are compatible with the selected default user type will be listed in the drop-down menu.
The following table shows privileges available with the default roles.
Privilege summary | Default role | ||||
---|---|---|---|---|---|
Viewer | Data Editor | User | Publisher | Administrator | |
Use maps, apps, and scenes | |||||
Use geosearch (search for places and addresses) | |||||
Use routing and get directions (the portal must be configured for network analysis) | |||||
Geocode addresses and place names | |||||
Join groups that do not have the item update capability enabled | |||||
Edit features | |||||
Join groups that do have item update capability | |||||
Create groups | |||||
Categorize items | |||||
Create content | |||||
Share portal items | |||||
Use GeoAnalytics Tools (the portal must be configured for GeoAnalytics) | |||||
Use raster analysis tools (the portal must be configured for raster analysis) | |||||
Publish hosted web layers | |||||
Publish server-based layers | |||||
Publish scenes | |||||
Bulk publish from data store | |||||
Publish web tools | |||||
Create and edit ArcGIS Notebooks | |||||
Advanced Notebooks | |||||
Manage all members, content, and groups | |||||
Manage licenses and apps | |||||
Configure website and security | |||||
Set up a collaboration | |||||
Set up enterprise logins | |||||
Create and modify custom roles | |||||
Change member roles | |||||
Disable and delete members | |||||
Share organization content with the public when site settings don't allow members to share outside the organization | |||||
Create and own groups that allow members to update all items in the group | |||||
Make ArcGIS Marketplace content available (subscription and premium content access requires an organizational account) | |||||
View the location tracks of other users |
Note:
Most of the privileges listed above can also be assigned as part of a custom role; however, some administrative privileges are not available for custom roles as they are reserved for default administrators.
Note:
When you federate a server with your portal, the portal's security store controls all access to the server. This provides a convenient sign in experience but also impacts how you access and administer the federated server. For example, when you federate, any users, roles, and permissions that you previously configured on ArcGIS Server services are no longer valid. Access to services is instead determined by portal members' roles and sharing permissions. See Administer a federated server to learn more about how federating will impact your site.
Custom roles
You may want to refine the default roles in your organization into a more fine-grained set of privileges by creating custom roles. For example, your organization may want to assign some members the same privileges as a default Publisher but without allowing them to use GeoEnrichment. This could be achieved by creating a custom role based on the default Publisher role, turning off the GeoEnrichment privilege, and calling the custom role Publisher without GeoEnrichment or something similar.
Only default administrators, or those assigned a custom administrator role with the Member roles privilege, can create and modify custom roles. These administrators can configure custom roles based on any combination of available general and administrative privileges. Once a custom role has been created, any organization member who has the Change roles privilege can assign the role to members.
Note:
A member assigned a custom role that has any publishing privilege (for features, tiles, or scenes) will also be able to create other types of ArcGIS Server services on servers federated with your portal. This functionality may be restricted in a future release to prevent such workflows. It is recommended that if users need the ability to publish ArcGIS Server services, they be added to the default Publisher role.
You have the ability to create custom roles that include administrative privileges to manage the portal settings. This allows administrators to delegate a specific set of administrative tasks to users without giving them the full set of privileges in the default administrator role. For example, a user with a custom role that includes the Organization website privilege will have the ability to manage the portal's website settings without the ability to perform other administrative tasks, such as managing security or server settings.
The privileges that can be granted to a member through a custom role cannot exceed those associated with the member's assigned user type. For example, a member with a Viewer user type cannot be assigned a role with editing privileges.
Privileges
Privileges allow organization members to perform different tasks and workflows in an organization. For example, some members have privileges to create and publish content, while others have privileges to view content but cannot create their own.
General privileges
Members who perform specific tasks within the organization—create maps or edit features, for example—can be assigned the general privileges they need to work and share with groups, content, and features.
General privileges | |
---|---|
Members | View When checked, the View privilege allows members of the role to view the Organization page. If not checked, members cannot see this page. |
Groups | Create, update, and delete |
Join organizational groups | |
View groups shared with portal | |
Content | Create, update, and delete |
Publish hosted feature layers | |
Publish hosted tile layers | |
Publish hosted scene layers | |
Publish server-based layers | |
View content shared with organization | |
Register data stores This privilege allows members of the role to add data store items to the portal. | |
Create feature layers in bulk from a data store This privilege allows the owner of a database data store item to publish feature and map image layers from all feature classes and tables that can be accessed in the database. | |
View location tracks | |
Create and Edit Notebooks This privilege allows role members to author ArcGIS Notebooks using the Standard runtime. Note:Additional privileges (such as to manage content or run specialized analysis tools) may be required depending on the workflows performed by the notebook author. | |
Sharing | Share with groups |
Share with portal | |
Share with public | |
Make groups visible to portal | |
Make groups visible to public | |
Content and Analysis | Geocoding Use ArcGIS World Geocoding Service to convert addresses or places to map points (geocoding), for example when adding a CSV file of addresses to a map. This does not apply to your own locators configured for the organization. Note:This does not control the ability to publish a Microsoft Excel file of addresses as a hosted feature layer. |
Network Analysis Allows members of the role to perform network analysis tasks such as create drive-time areas | |
Standard Feature Analysis Role members can perform spatial analysis tasks such as create buffers. | |
GeoEnrichment This privilege allows role members to use the GeoEnrichment service to access demographic information. | |
GeoAnalytics Feature Analysis Members of roles with this privilege can use GeoAnalytics Tools. | |
Raster Analysis Members of roles with this privilege can use raster analysis tools. | |
Advanced Notebooks This privilege allows role members to author ArcGIS Notebooks using the Advanced runtime. Note:Additional privileges (such as to manage content or run specialized analysis tools) may be required depending on the workflows performed by the notebook author. | |
Features | Edit This privilege allows role members to edit features based on permissions set on the layer. |
Edit with full control No matter what level of editing is enabled on hosted feature layers, members of roles with this privilege can add, update, and delete features. |
Administrative privileges
The privileges listed below allow custom roles to assist the default administrators with managing members, groups, and content in the organization.
Administrative privileges | |
---|---|
Members | View all: View all member account information |
Update: Update member account information, including resetting passwords | |
Delete: Remove member accounts from the portal organization | |
Add: Add member accounts to the portal organization | |
Disable: Make member accounts inactive | |
Change roles: Change the role assigned to portal members Note:Only members of the default administrator role can add members to or remove members from the default administrator role. | |
Manage licenses: Manage licenses for organization members | |
Groups | View all: View groups owned by portal members |
Update: Update groups owned by portal members | |
Delete: Delete groups owned by portal members | |
Reassign ownership: Reassign ownership of groups | |
Assign members: Add members to groups | |
Link to enterprise group: Link groups to enterprise groups | |
Create with update capabilities: Create a group that allows all members of the group to update all items shared to the group, regardless of item ownership or editor settings | |
Content | View all: View content owned by members |
Update: Update content owned by members | |
Delete: Delete content owned by members | |
Reassign ownership: Reassign ownership of content | |
Manage categories: Configure content categories for the organization | |
Publish web tools: Publish web tools created in ArcGIS Pro to a federated server | |
Portal settings | Security and infrastructure: Manage the portal's security settings Members of roles with this privilege can configure the following in the portal's organization settings:
Members of roles with this privilege can also import a new license file, view the portal logs, update the portal log settings, and clean the portal logs. |
Organization website: Manage the portal's website settings Members of roles with this privilege can configure the following in the portal's organization settings:
Members of roles with this privilege can also view the portal logs. | |
Collaborations: Manage the portal's collaborations Members of roles with this privilege can configure and manage Collaborations in the portal's organization settings. These members can also view the portal logs. | |
Member roles: Manage the portal's member roles Members of roles with this privilege can configure Member Roles in the portal's organization settings and change a member's role. These members can also view the portal logs. | |
Servers: Manage the portal's server settings Members of roles with this privilege can configure the following in the portal's organization settings:
Members of roles with this privilege can also view the portal logs, update the portal log settings, and clean the portal logs. | |
Utility services: Manage the portal's utility service settings Members of roles with this privilege can configure the following in the portal's organization settings:
Members of roles with this privilege can also view the portal logs. |
Privileges reserved for default administrators
Certain administrative privileges are reserved for default administrators and are not available for custom roles. For example, only default administrators can remove other administrators from the organization. The following is a list of privileges reserved for default administrators:
- Change member role to or from administrator
- Delete other administrators from the organization
- Share organization content with the public when site settings don't allow members to share outside the organization
- Create backups of your ArcGIS Enterprise deployment
Privileges for common workflows
Some workflows require a combination of privileges. If you are unable to perform a function that you think your role should allow you to perform, verify that your administrator has enabled the full set of privileges required for the function.
Workflow | Required privileges |
---|---|
Use the standard feature analysis tools |
Note:Some tools require additional privileges to use GeoEnrichment or network analysis. See Perform analysis for requirements per tool. |
Use GeoAnalytics Tools |
|
Use raster analysis tools |
|
Publish hosted feature and WFS layers |
|
Publish hosted tile layers |
|
Publish hosted scene layers |
|
Publish apps from Map Viewer or a group page |
|
Embed maps or groups |
|
Author ArcGIS Notebooks |
|
Manage content owned by members |
|
Manage groups owned by members |
|
Manage member profiles |
|
Manage the portal's security and infrastructure |
|
Manage the portal's website settings |
|
Manage the portal's collaborations |
|
Manage the portal's member roles |
|
Change a member's user type |
|
Manage the portal's server settings |
|
Manage the portal's utility service settings |
|
Import new license file |
|
Add, update, and delete features on editable hosted feature layers even if the hosted feature layer is configured to Only update feature attributes or Only add new features |
|