Portal security | Documentation

The portal security model in ArcGIS protects data, services, and applications. It includes security controls to prevent unauthorized access. It ensures the confidentiality, integrity, and availability of geospatial data and applications.

Portal service

The portal serviceA portal service provides the functionality to securely create, access, and manage content, data services, users, and groups in a portal. The service can be hosted by Esri or in ArcGIS Enterprise.Learn more helps authenticate, organize, and share geospatial information in ArcGIS. The service provides security for everything in a portal. It enables you to securely access your organization's resources for the creation of mapsA map is a collection of layers that are displayed in 2D. It is typically composed of a basemap layer and data layers.Learn more, applications, and spatial datasets.

The key security features the portal service supports are:

Aspect	Description
Users (identity)	All membersMember is an individual with an ArcGIS account who can sign in, access tools and applications, and collaborate with other organization members in a portal.Learn more of an organizationAn organization a list of members from the same business, association, or entity who can sign in, access tools and applications, and collaborate with other members in a portal. All members have an ArcGIS account and are approved by an administrator to access the same portal.Learn more have an identity that is defined by their ArcGIS accountAn ArcGIS account is an identity with a user type and set of privileges that can access specific ArcGIS products, tools, APIs, services, and resources. The main account types that can be used for development are an ArcGIS Location Platform account, ArcGIS Online account, and ArcGIS Enterprise account. ArcGIS Location Platform and ArcGIS Online accounts are also associated with a subscription.Learn more. The tasks a user can perform are determined by their user type, role, and privileges assigned to their account. A portal service ensures users only perform tasks supported by their identity. Learn more here.
Sharing	There are four different sharing levels for accessing content. This includes owner (private), organization, group, and everyone (public). Learn more here.
Authentication	The portal service supports all types of authentication with the use of access tokensAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more. The portal service allows you to use authentication to get access tokens that can then be used to access secure resources in ArcGIS. Learn more here.
Developer credentials	You can create and manage developer credentialsDeveloper credentials are a type of item in a portal that contains parameters for authentication. There are two types of developer credentials: API key credentials and OAuth credentials.Learn more for your applications using the portal service. Developer credentials register your application with a portal and define the security properties. Learn more here.

Additionally, you use the portal service to securely:

Access content items like web mapsA web map is a map stored as a JSON object that defines properties such as the basemap layer, data layers, layer styles, and pop-up styles. Its JSON structure is defined by the web map specification.Learn more, web scenesA web scene is a scene stored as a JSON object that defines properties such as the basemap layer, data layers, layer styles, and pop-up styles. Its JSON structure is defined by the web scene specification.Learn more, and feature layersA layer is a reference to a collection of geographic data that is used to access and display data. The data for layers are typically provided by the basemap layer service and data services.Learn more.
Share content to specific users or group of users.
Manage users and groups.

Access content items

To access an item in the portal using the portal service, you can create access tokensAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more. These tokens can be in the form of API keys or OAuth 2.0 tokens, each defining the scope and permissions available to the application based on the authentication method used to obtain them.

You can get an access token by:

Sharing in ArcGIS is the process of making geographic content available in both ArcGIS Online and ArcGIS Enterprise. The share setting enables you to determine the accessibility level of an item, thereby securing both the item and its underlying data.

You use the portal service to share an item to:

Change an item's discoverability
Configure an item's privacy settings
Grant access to specific user groups or organizations
Require access tokens for data services.

The sharing levels in a portalArcGIS portal, also known as a portal, is a website with applications and tools that can be used to create, manage, access, and share geospatial content and data. It supports security and authentication, developer credentials, content and data service management, user and group management, and site administration. A portal can be hosted in Esri's infrastructure or your own infrastructure.Learn more provide users with flexibility in controlling the accessibility of their content, allowing them to configure access based on the audience and the sensitivity of the information. By selecting the appropriate sharing level for each item, users can collaborate and properly secure their content within a portal.

The following is a list of the sharing levels available for the different types of ArcGIS products:

Owner (private): Only the owner has access. The hosted layer (item) and data service are private and will not be visible or accessible to others. A valid access token or scoped API key is required. Learn more about scoping items to an API key in API keys.

Manage users and groups

Using the portal serviceA portal service provides the functionality to securely create, access, and manage content, data services, users, and groups in a portal. The service can be hosted by Esri or in ArcGIS Enterprise.Learn more, you can access and control user identities and group settings in your organization. You can configure privileges for users accessing the organization and define access levels based on whether users are part of the ArcGIS organization.

Through the portal service, you can create groups to organize contentContent is a collection of items in a portal that belong to a user, group, or organization.Learn more, control access to resources, and help collaboration among members. Group owners have the authority to:

Invite members.
Manage content and membership requests.
Edit group properties.
Change sharing settings like update roles, remove members, transfer ownership, and delete groups.

Types of authentication

Portal serviceA portal service provides the functionality to securely create, access, and manage content, data services, users, and groups in a portal. The service can be hosted by Esri or in ArcGIS Enterprise.Learn more provides secure access to your contentContent is a collection of items in a portal that belong to a user, group, or organization.Learn more in your portalArcGIS portal, also known as a portal, is a website with applications and tools that can be used to create, manage, access, and share geospatial content and data. It supports security and authentication, developer credentials, content and data service management, user and group management, and site administration. A portal can be hosted in Esri's infrastructure or your own infrastructure.Learn more. It does this by supporting different types of authentication. Authentication in ArcGIS ensures only authorized users have access to the ArcGIS resources and services.

You authenticate to:

Ensure authorized users can access protected information, location services, and private data.
Manage users and groups to provide access to resources based on user roles and permissions.
Enable integration of apps with ArcGIS which allows users to sign in to access resources.

You can use the following authentication options to access items in your portal. Learn more about the differences between the authentication types in Authentication comparison.

Type	Description	Best use
API key authenticationAPI key authentication is a type of authentication that uses an API key to authenticate requests to ArcGIS services and secure portal items.Learn more	Involves using a long-lived API key to access ArcGIS resources, granting public-facing apps access to specific services, including private content and client referrers.	* Create personal automation scripts that access the portal serviceA portal service provides the functionality to securely create, access, and manage content, data services, users, and groups in a portal. The service can be hosted by Esri or in ArcGIS Enterprise.Learn more. * Quickly and easily generate access tokensAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more for your apps. * Create long-lived access tokens that remain valid for up to one year.
User authentication	Allows users with an ArcGIS account to sign in to an application and access content, services, and resources based on their account type, roles, and privileges.	* Create sign-in apps that require users to authenticate with an ArcGIS accountAn ArcGIS account is an identity with a user type and set of privileges that can access specific ArcGIS products, tools, APIs, services, and resources. The main account types that can be used for development are an ArcGIS Location Platform account, ArcGIS Online account, and ArcGIS Enterprise account. ArcGIS Location Platform and ArcGIS Online accounts are also associated with a subscription.Learn more. * Create apps that let members of your organizationAn organization a list of members from the same business, association, or entity who can sign in, access tools and applications, and collaborate with other members in a portal. All members have an ArcGIS account and are approved by an administrator to access the same portal.Learn more perform portal managementA portal service provides the functionality to securely create, access, and manage content, data services, users, and groups in a portal. The service can be hosted by Esri or in ArcGIS Enterprise.Learn more operations. * Access and manage secure items stored in a user's portalArcGIS portal, also known as a portal, is a website with applications and tools that can be used to create, manage, access, and share geospatial content and data. It supports security and authentication, developer credentials, content and data service management, user and group management, and site administration. A portal can be hosted in Esri's infrastructure or your own infrastructure.Learn more.
App authentication	Grants short-lived access tokens based on application credentials, authorizing apps to access specific resources within ArcGIS Online.	* Create automation scripts that access the portal serviceA portal service provides the functionality to securely create, access, and manage content, data services, users, and groups in a portal. The service can be hosted by Esri or in ArcGIS Enterprise.Learn more. * Create public appsA public application is an application that allows anonymous access without requiring users to sign in with an ArcGIS account. It supports API key or app authentication.Learn more that do not require users to sign in. * Build apps that access location servicesArcGIS Location Services, also referred to as Location Services, are services hosted by Esri that provide geospatial functionality for developing mapping applications. They include the ArcGIS Basemap Styles service, ArcGIS Static Basemap Tiles service, ArcGIS Places service, ArcGIS Geocoding service, ArcGIS Routing service, ArcGIS GeoEnrichment service, and ArcGIS Elevation service. An ArcGIS Location Platform or ArcGIS Online account is required to use the services.Learn more and private items such as hosted layersA hosted layer is an item in a portal that contains the properties and settings for a hosted data service or a layer in a hosted data service.Learn more or data servicesData services, also known as hosted data services, are services created dynamically to store and provide access to your data in ArcGIS. Examples are feature services, vector tile services, map tile services, image services, and scene services.Learn more.

Developer credentials

To support authentication workflow and manage your custom applications, you create developer credentialsDeveloper credentials are a type of item in a portal that contains parameters for authentication. There are two types of developer credentials: API key credentials and OAuth credentials.Learn more. Developer credentials is an itemAn item, also known as a content item, is a resource stored in a portal such as a web map, hosted layer, style, script tool, file, or notebook.Learn more type created in your portalArcGIS portal, also known as a portal, is a website with applications and tools that can be used to create, manage, access, and share geospatial content and data. It supports security and authentication, developer credentials, content and data service management, user and group management, and site administration. A portal can be hosted in Esri's infrastructure or your own infrastructure.Learn more that contain parameters used in authentication. They are required to implement every type of authentication. When you register your application in ArcGIS, you are provided with these authorization credentials that allow your app to access ArcGIS services and resources. The client ID and client secret are used to securely authenticate your application and obtain an access token.

There are two types of developer credentials: API key credentialsAPI key credentials are an item that contains the parameters used to create and manage long-lived access tokens for API key authentication. They are a type of developer credential.Learn more and Oauth credentialsOAuth credentials are an item that contains parameters required to implement user authentication or app authentication, including a client_id, client_secret, and redirect URIs. They are a type of developer credential.Learn more. The table below lists these credentials and the types of authentication workflow they support.

Type of developer credentials	Type of authentication
API key credentials	API key authenticationAPI key authentication is a type of authentication that uses an API key to authenticate requests to ArcGIS services and secure portal items.Learn more
OAuth credentials	User authenticationUser authentication is a type of authentication that allows users with an ArcGIS account to sign into an application and allow it to access ArcGIS content, services, and resources on their behalf. The typical authorization protocol used is OAuth2.0.Learn more App authenticationApp authentication is a type of authentication that grants a short-lived access token based on an OAuth 2.0 client ID and client secret, authorizing an application to access ArcGIS services and items.Learn more

Type of developer credentials

Type of authentication

API key credentials

API key authentication

OAuth credentials

User authentication
App authentication

Authentication with privileges

PrivilegesPrivileges are a set of permissions assigned to ArcGIS accounts, developer credentials, and applications that grant access to secure resources and functionality in ArcGIS.Learn more are used to access to secure resources and capabilities in a portal. Privileges are typically granted by creating and assigning roles to accounts which allow you to:

Manage content such as create, update, and delete content.
Manage groups such as create, update, delete groups.
Share content with groups, organization, or publicly.
Edit features in hosted feature layers.
Manage users, configure organization settings (for administrators only).

Privileges are associated with an access tokenAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more which define the operations an application is permitted to perform in your portal. How privileges are managed depend on the type of authentication being used:

Access tokens from API key authenticationAPI key authentication is a type of authentication that uses an API key to authenticate requests to ArcGIS services and secure portal items.Learn more and app authenticationApp authentication is a type of authentication that grants a short-lived access token based on an OAuth 2.0 client ID and client secret, authorizing an application to access ArcGIS services and items.Learn more have privileges managed by the developer credentials.
Access tokens from User authenticationUser authentication is a type of authentication that allows users with an ArcGIS account to sign into an application and allow it to access ArcGIS content, services, and resources on their behalf. The typical authorization protocol used is OAuth2.0.Learn more have privileges based on the a user's ArcGIS account.

REST authentication operations

The following REST operations from ArcGIS REST APIsArcGIS REST APIs are the API specifications for all ArcGIS location services and ArcGIS Enterprise services. They define the operations, parameters, and structures required to make HTTPS requests.Learn more are used to authorize and manage access tokensAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more to access secure ArcGIS resources.

Operation	Description
Authorize	User authentication starts with the authorization step at the `oauth2/authorize/` endpoint. Apps are required to direct users to the authorize REST endpoint.
Token	The `oauth2/token/` endpoint grants an access token when queried with a valid authorization code, client secret, or refresh token.
Generate token	The `generateToken` operation create an access token in exchange for user credentials. The access token represents an authenticated user for limited time to all other API functionality.

ArcGIS accounts

An ArcGIS accountAn ArcGIS account is an identity with a user type and set of privileges that can access specific ArcGIS products, tools, APIs, services, and resources. The main account types that can be used for development are an ArcGIS Location Platform account, ArcGIS Online account, and ArcGIS Enterprise account. ArcGIS Location Platform and ArcGIS Online accounts are also associated with a subscription.Learn more is required to implement authentication. Below is a summary of the products, accounts, and subscriptions you can use:

Product	Account	Subscription	Plan
ArcGIS Location PlatformArcGIS Location Platform, formerly known as ArcGIS Platform, is a Platform as a Service (PaaS) product that gives developers access to location services, APIs, and tools to build mapping and spatial analysis applications. It is subscription-based and requires an ArcGIS Location Platform account.Learn more	ArcGIS Location Platform accountAn ArcGIS Location Platform account, formerly known as an ArcGIS Developer account, is an identity associated with an ArcGIS Location Platform subscription.Learn more	ArcGIS Developer subscriptionAn ArcGIS subscription is a free or paid plan that defines the capabilities of an ArcGIS account and the method of billing for the consumption of location services.Learn more	Essentials plan (default) See all plans
ArcGIS OnlineArcGIS Online is a GIS mapping, analytics, data hosting, and content management software as a service (SaaS) product. It includes applications, tools, APIs, and location services for users and developers. It is subscription-based and requires an ArcGIS Online account.Learn more	ArcGIS Online accountAn ArcGIS Online account, also known as an ArcGIS Organization account, is an identity associated with an ArcGIS Online subscription. It can be used to access ArcGIS tools and develop applications with ArcGIS location services for an organization.Learn more (User type: Creator or higher)	ArcGIS Online subscriptionAn ArcGIS subscription is a free or paid plan that defines the capabilities of an ArcGIS account and the method of billing for the consumption of location services.Learn more	See all plans
ArcGIS EnterpriseArcGIS Enterprise is a GIS mapping, analytics, data hosting, and content management product that can be hosted on-premise or in a cloud infrastructure. It includes software, applications, tools, APIs, and services for users and developers.Learn more	ArcGIS Enterprise accountAn ArcGIS Enterprise account is an identity for an instance of ArcGIS Enterprise. It can be used to access ArcGIS Enterprise tools, applications, and services, and to develop applications.Learn more		See all plans

ArcGIS Enterprise

Some organizations require stricter security measures or do not permit the use of distributed online environments like ArcGIS OnlineArcGIS Online is a GIS mapping, analytics, data hosting, and content management software as a service (SaaS) product. It includes applications, tools, APIs, and location services for users and developers. It is subscription-based and requires an ArcGIS Online account.Learn more. For these cases, the on-premise ArcGIS EnterpriseArcGIS Enterprise is a GIS mapping, analytics, data hosting, and content management product that can be hosted on-premise or in a cloud infrastructure. It includes software, applications, tools, APIs, and services for users and developers.Learn more provides a robust solution by operating within corporate firewall environments. This setup ensures that all your data and services remain under the direct control of your organization adhering to strict security policies and compliance requirements.

Portal for ArcGIS is a component of ArcGIS Enterprise, allowing organizations to deploy GIS capabilities on their own infrastructure. This deployment supports secure access to mapsA map is a collection of layers that are displayed in 2D. It is typically composed of a basemap layer and data layers.Learn more, apps, and data, while also enabling collaboration within the organization. It integrates seamlessly with existing IT environments, leveraging enterprise authentication systems, security protocols, and data management practices.

For more information about how ArcGIS Enterprise and Portal for ArcGIS can meet your organization's security needs, visit the ArcGIS Enterprise product page.

Portal service

Access content items

Share content

Sharing levels

Manage users and groups

Types of authentication

Developer credentials

Authentication with privileges

REST authentication operations

ArcGIS accounts

ArcGIS Enterprise

Services

Portal service

Tools

Portal