Portal security

The portal security model in ArcGIS protects data, services, and applications. It includes security controls to prevent unauthorized access. It ensures the confidentiality, integrity, and availability of geospatial data and applications.

Portal service

The portal service helps authenticate, organize, and share geospatial information in ArcGIS. The service provides security for everything in a portal. It enables you to securely access your organization's resources for the creation of maps, applications, and spatial datasets.

The key security features the portal service supports are:

Aspect | Description
Users (identity) | All members of an organization have an identity that is defined by their ArcGIS account. The tasks a user can perform are determined by their user type, role, and privileges assigned to their account. A portal service ensures users only perform tasks supported by their identity.
Sharing | There are four different sharing levels for accessing content. This includes owner (private), organization, group, and everyone (public).
Authentication | The portal service supports all types of authentication with the use of access tokens. The portal service allows you to use authentication to get access tokens that can then be used to access secure resources in ArcGIS.
Developer credentials | You can create and manage developer credentials for your applications using the portal service. Developer credentials register your application with a portal and define the security properties.

Additionally, you use the portal service to securely:

Access content items

To access an item in the portal using the portal service, you can create access tokens. These tokens can be in the form of API keys or OAuth 2.0 tokens, each defining the scope and permissions available to the application based on the authentication method used to obtain them.

You can get an access token by:

Share content

Sharing in ArcGIS is the process of making geographic content available in both ArcGIS Online and ArcGIS Enterprise. The share setting enables you to determine the accessibility level of an item, thereby securing both the item and its underlying data.

You use the portal service to share an item to:

  • Change an item's discoverability
  • Configure an item's privacy settings
  • Grant access to specific user groups or organizations
  • Require access tokens for data services.

Sharing levels

The sharing levels in a portal provide users with flexibility in controlling the accessibility of their content, allowing them to configure access based on the audience and the sensitivity of the information. By selecting the appropriate sharing level for each item, users can collaborate and properly secure their content within a portal.

The following is a list of the sharing levels available for the different types of ArcGIS products:

  • Owner (private): Only the owner has access. The hosted layer (item) and data service are private and will not be visible or accessible to others. A valid access token or scoped API key is required. Learn more about scoping items to an API key in API keys.

Manage users and groups

Using the portal service, you can access and control user identities and group settings in your organization. You can configure privileges for users accessing the organization and define access levels based on whether users are part of the ArcGIS organization.

Through the portal service, you can create groups to organize content, control access to resources, and support collaboration among members. Group owners have the authority to:

  • Invite members.
  • Manage content and membership requests.
  • Edit group properties.
  • Change sharing settings, such as updating roles, removing members, transferring ownership, and deleting groups.

Types of authentication

The portal service provides secure access to the content in your portal by supporting different types of authentication. Authentication in ArcGIS ensures only authorized users have access to ArcGIS resources and services.

You authenticate to:

  • Ensure authorized users can access protected information, location services, and private data.
  • Manage users and groups to provide access to resources based on user roles and permissions.
  • Enable integration of apps with ArcGIS, which allows users to sign in to access resources.

You can use the following authentication options to access items in your portal. Learn more about the differences between the authentication types in Authentication comparison.

Type | Description | Best use
API key authentication | Involves using a long-lived API key to access ArcGIS resources, granting public-facing apps access to specific services, including private content and client referrers. | Create personal automation scripts that access the portal service; quickly and easily generate access tokens for your apps; create long-lived access tokens that remain valid for up to one year.
User authentication | Allows users with an ArcGIS account to sign in to an application and access content, services, and resources based on their account type, roles, and privileges. | Create private apps that require users to sign in with an ArcGIS account; create apps that let members of your organization perform portal management operations; access and manage secure items stored in a user's portal.
App authentication | Grants short-lived access tokens based on application credentials, authorizing apps to access specific resources within ArcGIS Online. | Create automation scripts that access the portal service; create public apps that do not require users to sign in; build apps that access location services and private items such as hosted layers or data services.

Developer credentials

To support authentication workflows and manage your custom applications, you create developer credentials. Developer credentials are an item type created in your portal that contains parameters used in authentication. They are required to implement every type of authentication. When you register your application in ArcGIS, you are provided with these authorization credentials that allow your app to access ArcGIS services and resources. The client ID and client secret are used to securely authenticate your application and obtain an access token.

There are two types of developer credentials: API key credentials and OAuth credentials. The table below lists these credentials and the types of authentication workflow they support.

Type of developer credentials | Type of authentication
API key credentials | API key authentication
OAuth credentials | User authentication, App authentication

Authentication with privileges

Privileges are used to access secure resources and capabilities in a portal. Privileges are typically granted by creating and assigning roles to accounts, which allow you to:

  • Manage content, such as creating, updating, and deleting content.
  • Manage groups, such as creating, updating, and deleting groups.
  • Share content with groups, the organization, or publicly.
  • Edit features in hosted feature layers.
  • Manage users and configure organization settings (for administrators only).

Privileges are associated with an access token and define the operations an application is permitted to perform in your portal. How privileges are managed depends on the type of authentication being used:

  • Access tokens from API key authentication and app authentication have privileges managed by the developer credentials.
  • Access tokens from user authentication have privileges based on the user's ArcGIS account.

REST authentication operations

The following REST operations from ArcGIS REST APIs are used to authorize and manage access tokens to access secure ArcGIS resources.

Operation | Description
Authorize | User authentication starts with the authorization step at the oauth2/authorize/ endpoint. Apps are required to direct users to the authorize REST endpoint.
Token | The oauth2/token/ endpoint grants an access token when queried with a valid authorization code, client secret, or refresh token.
Generate token | The generateToken operation creates an access token in exchange for user credentials. The access token represents an authenticated user for a limited time to all other API functionality.

ArcGIS accounts

An ArcGIS account is required to implement authentication. Below is a summary of the products, accounts, and subscriptions you can use:

Product | Account | Subscription | Plan
ArcGIS Location Platform | ArcGIS Location Platform account | ArcGIS Developer subscription | Essentials plan (default). See all plans
ArcGIS Online | ArcGIS Online account (User type: Creator or higher) | ArcGIS Online subscription | See all plans
ArcGIS Enterprise | ArcGIS Enterprise account | | See all plans

ArcGIS Enterprise

Some organizations require stricter security measures or do not permit the use of distributed online environments like ArcGIS Online. For these cases, the on-premises ArcGIS Enterprise provides a robust solution by operating within corporate firewall environments. This setup ensures that all your data and services remain under the direct control of your organization, adhering to strict security policies and compliance requirements.

Portal for ArcGIS is a component of ArcGIS Enterprise, allowing organizations to deploy GIS capabilities on their own infrastructure. This deployment supports secure access to maps, apps, and data, while also enabling collaboration within the organization. It integrates seamlessly with existing IT environments, leveraging enterprise authentication systems, security protocols, and data management practices.

For more information about how ArcGIS Enterprise and Portal for ArcGIS can meet your organization's security needs, visit the ArcGIS Enterprise product page.
