Managing access to your portal
This topic only applies to 10.2.1 and later versions.
One of the key aspects of planning a deployment of Portal for ArcGIS is deciding how to manage accounts that will access your portal and what privileges are granted to the accounts. Determining how accounts will be managed is a matter of choosing an identity store.
Understanding identity stores
The identity store for your portal defines where the credentials of your portal accounts are stored and how authentication occurs. Portal for ArcGIS supports two types of identity stores: built-in and enterprise identity stores.
Built-in identity store
Portal for ArcGIS is preconfigured so you can easily create accounts in your portal. You can use the Create an account link on the portal website home page to add a built-in account to your portal and start contributing content to the organization or access resources created by other members. When you create accounts in your portal in this manner, you are leveraging the built-in identity store, which stores portal account user names, passwords, and their roles.
You must use the built-in identity store to create the initial administrator account for your portal, but you can switch to an enterprise identity store later. The built-in identity store is useful to get your portal up and running and also for development and testing. However, production environments will typically leverage an enterprise identity store.
Enterprise identity store
Portal for ArcGIS is designed so you can use enterprise logins to control access to your ArcGIS organization. For example, you can use credentials from your LDAP store to control access to the portal. By using an enterprise identity store, the management of account credentials and the authentication process is completely external to Portal for ArcGIS.
For example, if your organization wants to set policies for password expiration and complexity, you must use an enterprise identity store. The biggest advantage of using an enterprise identity store is that the organization can centrally manage login information in one repository and use it against the portal; there is no duplication of accounts.
Accessing the portal using enterprise logins is also much easier for end users because they do not need to remember yet another user name and password. When you configure your portal with an enterprise identity store, you enable a single sign-on experience so your users will not need to again enter their credentials.
Portal for ArcGIS supports enterprise identity stores against LDAP. To learn more, see Using your portal with LDAP and web-tier authentication.
Understanding access privileges
Once you have decided how you want the credentials and authentication of your accounts in Portal for ArcGIS managed, you will need to decide what privileges you want for users that access your ArcGIS organization. Permissions are defined by whether or not the user accessing your portal is part of the ArcGIS organization. Users that access the portal without an ArcGIS organizational account can only search for and use public items. For example, if a public web map is embedded into a website, users looking at the map will be accessing an item of your portal, even though they do not have an account.
It is up to you if you want to enable this type of access. You can always disable access to persons that do not already belong to the ArcGIS organization. To learn how to do this, see Disabling anonymous access.
Users can access your portal with elevated privileges if they are members of your ArcGIS organization. Members of the ArcGIS organization are listed on the My Organization tab of the portal website. The following table describes the different levels of privileges.
Access without an ArcGIS organizational account | Access with an ArcGIS organizational account | |||
---|---|---|---|---|
User role | Publisher role | Administrator role | ||
Search and use public items (such as web maps and web applications) | Yes | Yes | Yes | Yes |
Search and use private items (such as web maps and web applications) | No | Yes | Yes | Yes |
Create and share items (such as web maps and web applications) | No | Yes | Yes | Yes |
Use Collector for ArcGIS, Esri Maps for Office, or Dashboard for ArcGIS applications | No | Yes | Yes | Yes |
Publish new content as tiled or feature services | No | No | Yes | Yes |
Manage items created by others | No | No | No | Yes |
Manage users and their privileges | No | No | No | Yes |
Administer the ArcGIS organization | No | No | No | Yes |
When a new ArcGIS organizational account is added to your portal, by default, it will be granted the user role. However, the portal administrator can change the role at any time. To learn more, see Managing user roles.
Managing ArcGIS organizational accounts
An ArcGIS organizational account is a user account that has been added to the organization panel of your portal website. Throughout the documentation and user experience in the portal website, these users are typically referred to as members of the organization.
As an administrator, it is important that you fully control not only the privileges granted to each of the members in your ArcGIS organization but also who is allowed to be a member of it.
The maximum number of ArcGIS organizational accounts in your portal is defined by the authorization file you used to activate the software. At any point in time, you can compare the total number of members in your organization and the maximum allowed from the My Organization tab in the portal website.
Managing accounts when using the built-in store
When using the built-in store, the portal website will, by default, show a link that any user can use to join the ArcGIS organization. This makes it easy for people to join your organization, but you can't really restrict who joins; anyone with access to your portal can create an account. If you want more control, you can disable this self-serve experience and then provision in bulk your portal with a predefined number of accounts. To learn more about creating ArcGIS organizational accounts in bulk, see Adding members to your portal. At any time, you can also remove members from your portal website or change their privileges.
Managing accounts when using an enterprise identity store
Portal for ArcGIS will not allow you to delete, edit, or create any new accounts in your enterprise store, but you can register existing enterprise accounts in your organization. For this reason, the sign-up page in the portal website will not be available when you configure your portal with an enterprise identity store.
As an administrator, you will typically select enterprise logins you want to add into the organization and add them in bulk. To learn more about creating ArcGIS organizational accounts in bulk, see Adding members to your portal. At any time, you can also remove members from your portal website or change their privileges.
Alternatively, you can choose to add any enterprise account that connects to your portal or any of its items automatically. To learn more, see Automatic registration of enterprise accounts.
It is important to understand that when the portal is configured with an enterprise identity store, anonymous access to the ArcGIS organization is disabled; that is, any user accessing your portal must authenticate against your enterprise store first. Once authenticated, the privileges of the user will be determined by whether they have an ArcGIS organizational account or not.
When upgrading Portal for ArcGIS 10.2.1 to 10.2.2, the setting that enables or disables automatic account creation is not preserved; automatic account creation is disabled after upgrading. This is unintended behavior and will be addressed in a future software release. If you enabled automatic account creation at 10.2.1, you can resolve this issue by immediately re-enabling the setting after upgrading to 10.2.2. For full instructions, see Automatic registration of enterprise accounts.
In Portal for ArcGIS 10.2, enterprise accounts were automatically registered as members of the organization. This means that your organization may have unintentionally exceeded the maximum number of members. When you upgrade Portal for ArcGIS 10.2 to 10.2.2, the legacy behavior persists; accounts are still automatically registered by default. Conversely, new installations of Portal for ArcGIS 10.2.1 or 10.2.2 do not allow automatic account creation. If you have upgraded your portal from 10.2 to 10.2.2, you may want to consider turning this behavior off to have more control over which users are added as members in your organization. For full instructions, see Automatic registration of enterprise accounts.