Privileges are a set of strings used to manage access to secure resources in ArcGIS. They are assigned to two types of entities:
- ArcGIS accounts used by ArcGIS users.
- Access tokens used by applications.
Privileges for accounts
All ArcGIS accounts have a list of privileges associated with them that determine the services, content, and operations the user is authorized to access.
All ArcGIS Location Platform accounts have a predefined list of privileges assigned when your Location Platform account is created. For a full list, go to List of privileges > ArcGIS Location Platform.
Privileges for ArcGIS Online accounts are managed through roles assigned to members by an organization administrator. To learn more, go to User types, roles, and privileges in the ArcGIS Online documentation.
Privileges for ArcGIS Enterprise accounts are managed through roles assigned to members by an organization administrator. To learn more, go to User types, roles, and privileges in the ArcGIS Enterprise documentation.
Privileges for access tokens
Applications use access tokens to access and perform operations with ArcGIS resources. All access tokens have privileges associated with them that determine the services, content, and operations they are authorized to access.
How privileges are granted to an access token depends on the type of authentication and developer credential you use. API key and app authentication allow you to set the privileges in your portal with developer credentials. User authentication assigns an access token privileges based on the user type and roles associated with the signed-in user account.
| Type of authentication | Type of developer credential | Privilege management |
|---|---|---|
| API key authentication | API key credentials | Privileges are granted using an item in your portal. |
| App authentication | OAuth credentials | Privileges are granted using an item in your portal. |
| User authentication | OAuth credentials | Privileges are inherited from the account when an ArcGIS user signs in. |
Credentials with privileges
Developer credentials with privileges are supported in ArcGIS Location Platform, ArcGIS Online, and ArcGIS Enterprise. They are used to implement API key authentication and App authentication.
Privilege scopes
All privileges have a scope that describes the capabilities and level of permissions required to perform an operation. There are two types of scopes for privileges:
-
Standard scope: Privileges that do not require additional permissions from your account to perform operations. For example, accessing ArcGIS services or ArcGIS Location Services. These can be used to build public applications.
-
Personal scope: Privileges that require additional permissions from your account to perform operations. For example, creating items or performing administration tasks in your portal. These can only be used to build personal applications and automation scripts or private applications for your organization.
The following table shows the scope for each group of privileges:
| Item access privileges | Location service privileges | Analysis privileges | Portal privileges (General) | Portal privileges (Admin) | |
|---|---|---|---|---|---|
| Standard scope | 1 | ||||
| Personal scope | 1 |
- 1. Saving analysis results as a feature service requires personal privileges
List of privileges
The privileges available depend on the type of ArcGIS product and account you have, and the roles assigned to your account. The following table lists categories of privileges available for different products:
| Category | Label | Privilege string | Description |
|---|---|---|---|
| Basemaps | Basemap styles service | premium | Allow application to access the basemap styles service. Learn more |
| Basemaps | Static basemap tiles | premium | Allow application to access the static basemap tiles service. Learn more |
| Data enrichment | GeoEnrichment service | premium | Allow application to access the GeoEnrichment service. Learn more |
| Elevation | Elevation service | premium | Allow application to access the elevation service. Learn more |
| Geocoding | Geocode (stored) | premium | Allow application to access the geocoding service and perform stored geocodes. Learn more |
| Geocoding | Geocode (not stored) | premium | Allow application to access the geocoding service and perform geocodes that are not stored. Learn more |
| Places | Place finding | premium | Allow application to access the places service. Learn more |
| Routing | Routing | premium | Allow application to access the routing service and perform standard routing operations. Learn more |
| Routing | Closest facility | premium | Allow application to access the routing service and perform closest facility routing operations. Learn more |
| Routing | Location allocation | premium | Allow application to access the routing service and perform location allocation operations. Learn more |
| Routing | Optimized routing | premium | Allow application to access the routing service and perform optimized routing operations. Learn more |
| Routing | Origin/destination cost matrix | premium | Allow application to access the routing service and generate travel cost matrices. Learn more |
| Routing | Service area | premium | Allow application to access the routing service and generate service areas. Learn more |
| Routing | Multi-vehicle routing | premium | Allow application to access the routing service and perform fleet routing operations. Learn more |
| Routing | Last mile | premium | Allow application to access the routing service and perform routing operations for last mile delivery. Learn more |
| Category | Label | Privilege string | Description |
|---|---|---|---|
| Feature analysis | Spatial analysis service | premium | Allow application to access the spatial analysis service. Learn more |
| Content | Create, update, and delete | portal | Allow member to create, edit, and delete their own content. Learn more |
| Content | Publish hosted feature layers | portal | Allow member to publish hosted feature layers from shapefiles, CSVs, etc. Learn more |
| Category | Label | Privilege string | Description |
|---|---|---|---|
| Members | View | portal | Allow application to view members of the organization. |
| Groups | Join organizational groups | portal | Allow application to join groups within your organization. |
| Groups | Join external groups | portal | Allow application to join groups external to your organization. |
| Groups | View groups shared with organization | portal | Allow application to view groups shared with the organization. |
| Content | Create, update, and delete | portal | Allow application to create, edit, and delete their own content. |
| Content | Publish hosted feature layers | portal | Allow application to publish hosted feature layers from shapefiles, CSVs, etc. |
| Content | Publish hosted tile layers | portal | Allow application to publish hosted tile layers from tile packages, features, etc. |
| Content | Publish hosted scene layers | portal | Allow application to publish hosted scene layers. |
| Content | Published hosted tiled imagery layers | portal | Allow application to publish hosted tiled imagery layers from a single image or collection of images. Requires an ArcGIS Image for ArcGIS Online user type extension. |
| Content | View content shared with organization | portal | Allow application to view content shared to the organization. |
| Content | View location tracks | portal | Allow application to view members' location tracks via shared track views when location sharing is enabled. |
| Content | Reassign content | portal | Allow application to reassign ownership of content owned by the account to another member. |
| Content | Receive content | portal | Allow application to receive content assigned to them by another member. |
| Content | Create and run data pipelines | portal | Allow application to create, edit, and run data pipelines. |
| Content | View hosted feature services | portal | Allow application to view hosted feature services. |
| Content | View hosted tile services | portal | Allow application to view hosted tile services. |
| Content | Categorize items | portal | Allow application to set the category of items you own. |
| Sharing | Share with groups | portal | Allow application to share content to groups. |
| Sharing | Share with organization | portal | Allow application to share content to your organization. |
| Sharing | Share with public | portal | Allow application to share their content publicly if permitted by the organization's public sharing policy. |
| Sharing | Make groups visible to organization | portal | Allow application to make groups discoverable by your organization. |
| Sharing | Make groups visible to public | portal | Allow application to make groups discoverable by the public. |
| Sharing | Make groups available to Open Data | opendata | Allow application to designate groups as being available for use in Open Data sites. |
| Features | Edit | features | Allow application to edit features in editable layers that are not public, based on the edit options enabled on the layer. |
| Features | Edit with full control | features | Allow application to add, delete, and update features in an editable, hosted feature layer, regardless of the editing options enabled on the layer. |
| Category | Label | Privilege string | Description |
|---|---|---|---|
| Groups | View all | portal | Allow application to view all groups within your organization. |
| Groups | Update | portal | Allow application to update groups within your organization. |
| Groups | Delete | portal | Allow application to delete groups within your organization. |
| Groups | Reassign ownership | portal | Allow application to reassign groups to other members within your organization. |
| Groups | Assign members | portal | Allow application to assign your members to, update your member's group role, and remove your members from groups within your organization. |
| Groups | Create with update capabilities | portal | Allow application to create groups with update capabilities. |
| Groups | Create with leaving disallowed | portal | Allow application to create and own groups that do not allow members to leave (administrative groups). |
| Content | View all | portal | Allow application to view all content within your organization. |
| Content | Update items | portal | Allow application to update and categorize content and edit hosted feature layers in your organization. |
| Content | Delete items | portal | Allow application to delete content within your organization. |
| Content | Reassign item ownership | portal | Allow application to reassign content to other members within your organization. |
| Content | Categorize items | portal | Allow application to set the categories of organization content. |
| Content | Manage categories | portal | Allow application to configure organization content categories. |
| Content | Publish web tools | portal | Allow application to publish web tools. |
| Content | Share member content with organization | portal | Allow application to share content owned by other members in your organization with the organization. |
| Content | Create and manage administrative reports | portal | Allow application to create and manage administrative reports for your organization |
| Organization settings | Security and infrastructure | portal | Allow application to manage the organization's security and infrastructure settings. |
| Organization settings | Organization website | portal | Allow application to manage the organization's website settings. |
| Organization settings | Collaborations | portal | Allow application to manage the organization's collaborations. |
| Organization settings | Credits | portal | Allow application to manage the organization's credit budgeting settings. |
| Organization settings | Utility services | portal | Allow application to manage the organization's utility service settings |
| Category | Label | Privilege string | Description |
|---|---|---|---|
| Basemaps | Basemap styles service | premium | Allow application to access the basemap styles service. Learn more |
| Data enrichment | GeoEnrichment service | premium | Allow application to access the GeoEnrichment service. Learn more |
| Geocoding | Geocode service | premium | Allow application to access the geocoding service. Learn more |
| Routing | Routing (Network analysis) | premium | Allow application to access the routing service. Learn more |
| Category | Label | Privilege string | Description |
|---|---|---|---|
| Feature analysis | Spatial analysis service | premium | Allow application to access the spatial analysis service. Learn more |
| Content | Create, update, and delete | portal | Allow member to create, edit, and delete their own content. Learn more |
| Content | Publish hosted feature layers | portal | Allow member to publish hosted feature layers from shapefiles, CSVs, etc. Learn more |
| Image analysis | Image analysis service | premium | Allow application to access image services to perform analysis. Learn more |
| Content | Published hosted tiled imagery layers | portal | Allow application to publish hosted tiled imagery layers from a single image or collection of images. Requires an ArcGIS Image for ArcGIS Online user type extension. Learn more |
| Content | Publish hosted dynamic imagery layers | portal | Allow application to publish hosted dynamic imagery layers from a single image or collection of images. Learn more |
| Category | Label | Privilege string | Description |
|---|---|---|---|
| Members | View | portal | Allow application to view members of the organization. |
| Groups | Create, update, and delete | portal | Allow application to create, edit, and delete their own groups. |
| Groups | Join organizational groups | portal | Allow application to join groups within your organization. |
| Groups | Join external groups | portal | Allow application to join groups external to your organization. |
| Groups | View groups shared with organization | portal | Allow application to view groups shared with the organization. |
| Groups | Invite partnered organization members | portal | Allow application to invite members from partnered collaboration organizations to groups. |
| Groups | Add members from other organizations | portal | Allow application to create groups that allow members from other organizations, as well as invite external members to groups. |
| Content | Create, update, and delete | portal | Allow application to create, edit, and delete their own content. |
| Content | Publish hosted feature layers | portal | Allow application to publish hosted feature layers from shapefiles, CSVs, etc. |
| Content | Publish hosted tile layers | portal | Allow application to publish hosted tile layers from tile packages, features, etc. |
| Content | Publish hosted scene layers | portal | Allow application to publish hosted scene layers. |
| Content | Published hosted tiled imagery layers | portal | Allow application to publish hosted tiled imagery layers from a single image or collection of images. Requires an ArcGIS Image for ArcGIS Online user type extension. |
| Content | Publish hosted dynamic imagery layers | portal | Allow application to publish hosted dynamic imagery layers from a single image or collection of images. |
| Content | View content shared with organization | portal | Allow application to view content shared to the organization. |
| Content | View location tracks | portal | Allow application to view members' location tracks via shared track views when location sharing is enabled. |
| Content | Reassign content | portal | Allow application to reassign ownership of content owned by the account to another member. |
| Content | Receive content | portal | Allow application to receive content assigned to them by another member. |
| Content | Create and run data pipelines | portal | Allow application to create, edit, and run data pipelines. |
| Content | Publish real-time analytics | portal | Allow application to publish real-time analytics to analyze and process real-time data using ArcGIS Velocity. |
| Content | Categorize items | portal | Allow application to set the category of items you own. |
| Content | Publish big data analytics | portal | Allow application to publish big data analytics and process historical observation data using ArcGIS Velocity. |
| Content | Publish feeds | portal | Allow application to publish feeds. |
| Content | Generate API keys | portal | Allow application to generate API keys. |
| Content | Assign privileges to OAuth 2.0 applications | portal | Allow application to assign privileges to OAuth 2.0 applications. |
| Sharing | Share with groups | portal | Allow application to share content to groups. |
| Sharing | Share with organization | portal | Allow application to share content to your organization. |
| Sharing | Share with public | portal | Allow application to share their content publicly if permitted by the organization's public sharing policy. |
| Sharing | Make groups visible to organization | portal | Allow application to make groups discoverable by your organization. |
| Sharing | Make groups visible to public | portal | Allow application to make groups discoverable by the public. |
| Sharing | Make groups available to Open Data | oprndata | Allow application to designate groups as being available for use in Open Data sites. |
| Features | Edit | features | Allow application to edit features in editable layers that are not public, based on the edit options enabled on the layer. |
| Features | Edit with full control | features | Allow application to add, delete, and update features in an editable, hosted feature layer, regardless of the editing options enabled on the layer. |
| Premium content | Create notebooks | premium | Allow application to create and edit interactive notebooks. |
| Premium content | Schedule notebooks | premium | Allow application to schedule future automated runs of a notebook. |
| Premium content | Create advanced notebooks | premium | Allow application to import and use ArcPy modules in ArcGIS Notebooks. |
| Premium content | Demographic maps | premium | Allow application to access demographic maps in ArcGIS Living Atlas. |
| Premium content | Feature report | premium | Allow application to create feature reports in ArcGIS Survey123. |
| Premium content | Run web tools | portal | Allow application to run web tools. |
| Category | Label | Privilege string | Description |
|---|---|---|---|
| Members | View all | portal | Allow application to view full member account information within your organization. |
| Members | Update | portal | Allow application to reset passwords, update member account information, and update member categories within your organization. |
| Members | Delete | portal | Allow application to delete member accounts within your organization. |
| Members | Invite | portal | Allow application to invite members to your organization. |
| Members | Disable | portal | Allow application to enable and disable member accounts within your organization. |
| Members | Change roles | portal | Allow application to change the role a member account is assigned. Note, only members with the Administrator role can assign or unassign the Administrator role to other accounts. |
| Members | Manage licenses | portal | Allow application to assign licenses to members of your organization. |
| Members | Manage categories | portal | Allow application to configure organization member categories. |
| Groups | View all | portal | Allow application to view all groups within your organization. |
| Groups | Update | portal | Allow application to update groups within your organization. |
| Groups | Delete | portal | Allow application to delete groups within your organization. |
| Groups | Reassign ownership | portal | Allow application to reassign groups to other members within your organization. |
| Groups | Assign members | portal | Allow application to assign your members to, update your member's group role, and remove your members from groups within your organization. |
| Groups | Link to organization-specific group | portal | Allow application to link group membership to an organization-specific group. |
| Groups | Create with update capabilities | portal | Allow application to create groups with update capabilities. |
| Groups | Create with leaving disallowed | portal | Allow application to create and own groups that do not allow members to leave (administrative groups). |
| Content | View all | portal | Allow application to view all content within your organization. |
| Content | Update items | portal | Allow application to update and categorize content and edit hosted feature layers in your organization. |
| Content | Delete items | portal | Allow application to delete content within your organization. |
| Content | Reassign item ownership | portal | Allow application to reassign content to other members within your organization. |
| Content | Categorize items | portal | Allow application to set the categories of organization content. |
| Content | Manage categories | portal | Allow application to configure organization content categories. |
| Content | Publish web tools | portal | Allow application to publish web tools. |
| Content | Share member content with organization | portal | Allow application to share content owned by other members in your organization with the organization. |
| Content | Share member content with public | portal | Allow application to share content owned by other members in your organization with the public. |
| Content | Create and manage administrative reports | portal | Allow application to create and manage administrative reports for your organization |
| ArcGIS Marketplace Subscriptions | Create and manage | marketplace | Allow application to create listings, list items, manage subscriptions within ArcGIS Marketplace, as well as manage purchasers and contact information for your organization. Use of this privilege depends on your organization obtaining listing and publishing access to the ArcGIS Marketplace. |
| ArcGIS Marketplace Subscriptions | Purchase and get free products | marketplace | Allow application to send purchase requests and access free products from providers in ArcGIS Marketplace. To allow members to purchase products using credit cards, you must designate them as Marketplace purchasers. Learn more |
| ArcGIS Marketplace Subscriptions | Start trials | marketplace | Allow application to start trial subscriptions within ArcGIS Marketplace |
| Organization settings | Security and infrastructure | portal | Allow application to manage the organization's security and infrastructure settings. |
| Organization settings | Organization website | portal | Allow application to manage the organization's website settings. |
| Organization settings | Collaborations | portal | Allow application to manage the organization's collaborations. |
| Organization settings | Credits | portal | Allow application to manage the organization's credit budgeting settings. |
| Organization settings | Member roles | portal | Allow application to manage the organization's member roles. |
| Organization settings | Utility services | portal | Allow application to manage the organization's utility service settings |
| Category | Label | Privilege string | Description |
|---|---|---|---|
| Feature analysis | Spatial analysis service | premium | Allow application to access the spatial analysis service. Learn more |
| Content | Create, update, and delete | portal | Allow member to create, edit, and delete their own content. Learn more |
| Content | Publish hosted feature layers | portal | Allow member to publish hosted feature layers from shapefiles, CSVs, etc. Learn more |
| Image analysis | Image analysis service | premium | Allow application to access image services to perform analysis. Learn more |
| Content | Published hosted tiled imagery layers | portal | Allow application to publish hosted tiled imagery layers from a single image or collection of images. Learn more |
| Content | Publish hosted dynamic imagery layers | portal | Allow application to publish hosted dynamic imagery layers from a single image or collection of images. Learn more |
| Category | Label | Privilege string | Description |
|---|---|---|---|
| Members | View | portal | Allow application to view members of the organization. |
| Groups | Create, update, and delete | portal | Allow application to create, edit, and delete their own groups. |
| Groups | Join organizational groups | portal | Allow application to join groups within your organization. |
| Groups | View groups shared with organization | portal | Allow application to view groups shared with the organization. |
| Groups | Add members from other organizations | portal | Allow application to create groups that allow members from other organizations, as well as invite external members to groups. |
| Content | Generate API keys | portal | Allow application to generate API keys. |
| Content | Assign privileges to OAuth 2.0 applications | portal | Allow application to assign privileges to OAuth 2.0 applications. |
| Content | Create, update, and delete | portal | Allow application to create, edit, and delete their own content. |
| Content | Publish hosted feature layers | portal | Allow application to publish hosted feature layers from shapefiles, CSVs, etc. |
| Content | Publish hosted tile layers | portal | Allow application to publish hosted tile layers from tile packages, features, etc. |
| Content | Publish hosted scene layers | portal | Allow application to publish hosted scene layers. |
| Content | Published hosted tiled imagery layers | portal | Allow application to publish hosted tiled imagery layers from a single image or collection of images. Requires an ArcGIS Image for ArcGIS Online user type extension. |
| Content | Publish hosted dynamic imagery layers | portal | Allow application to publish hosted dynamic imagery layers from a single image or collection of images. |
| Content | View content shared with organization | portal | Allow application to view content shared to the organization. |
| Content | View location tracks | portal | Allow application to view members' location tracks via shared track views when location sharing is enabled. |
| Content | Reassign content | portal | Allow application to reassign ownership of content owned by the account to another member. |
| Content | Receive content | portal | Allow application to receive content assigned to them by another member. |
| Content | Publish livestream video | portal | Allow application to publish livestream videos. |
| Content | Publish real-time analytics | portal | Allow application to publish real-time analytics to analyze and process real-time data using ArcGIS Velocity. |
| Content | Publish server-based layers | portal | Allow application to publish server-based layers. |
| Content | Publish video | portal | Allow application to publish videos. |
| Content | Register data stores | portal | Allow application to register video stores. |
| Content | View hosted feature services | portal | Allow application to view hosted feature services. |
| Content | View hosted tile services | portal | Allow application to view hosted tile services. |
| Content | Categorize items | portal | Allow application to set the category of items you own. |
| Content | Manage feature layer webhooks | portal | Allow application to manage webhooks for feature layers. |
| Content | Bulk publish from data stores | portal | Allow application to bulk publish data from data stores. |
| Content | Publish big data analytics | portal | Allow application to publish big data analytics and process historical observation data using ArcGIS Velocity. |
| Content | Publish feeds | portal | Allow application to publish feeds. |
| Content | Publish knowledge graphs | portal | Allow application to publish knowledge graphs. |
| Sharing | Share with groups | portal | Allow application to share content to groups. |
| Sharing | Share with organization | portal | Allow application to share content to your organization. |
| Sharing | Share with public | portal | Allow application to share their content publicly if permitted by the organization's public sharing policy. |
| Sharing | Make groups visible to organization | portal | Allow application to make groups discoverable by your organization. |
| Sharing | Make groups visible to public | portal | Allow application to make groups discoverable by the public. |
| Features | Edit | features | Allow application to edit features in editable layers that are not public, based on the edit options enabled on the layer. |
| Features | Edit with full control | features | Allow application to add, delete, and update features in an editable, hosted feature layer, regardless of the editing options enabled on the layer. |
| Features | Manage feature layer versions | features | Allow application to manage feature layer version control settings. |
| Premium content | Create notebooks | premium | Allow application to create and edit interactive notebooks. |
| Premium content | Schedule notebooks | premium | Allow application to schedule future automated runs of a notebook. |
| Premium content | Create advanced notebooks | premium | Allow application to import and use ArcPy modules in ArcGIS Notebooks. |
| Premium content | Demographic maps | premium | Allow application to access demographic maps in ArcGIS Living Atlas. |
| Premium content | Feature report | premium | Allow application to create feature reports in ArcGIS Survey123. |
| Premium content | Run web tools | portal | Allow application to run web tools. |
| Category | Label | Privilege string | Description |
|---|---|---|---|
| Members | View all | portal | Allow application to view full member account information within your organization. |
| Members | Update | portal | Allow application to reset passwords, update member account information, and update member categories within your organization. |
| Members | Delete | portal | Allow application to delete member accounts within your organization. |
| Members | Invite | portal | Allow application to invite members to your organization. |
| Members | Disable | portal | Allow application to enable and disable member accounts within your organization. |
| Members | Change roles | portal | Allow application to change the role a member account is assigned. Note, only members with the Administrator role can assign or unassign the Administrator role to other accounts. |
| Members | Manage licenses | portal | Allow application to assign licenses to members of your organization. |
| Members | Manage categories | portal | Allow application to configure organization member categories. |
| Groups | View all | portal | Allow application to view all groups within your organization. |
| Groups | Update | portal | Allow application to update groups within your organization. |
| Groups | Delete | portal | Allow application to delete groups within your organization. |
| Groups | Reassign ownership | portal | Allow application to reassign groups to other members within your organization. |
| Groups | Assign members | portal | Allow application to assign your members to, update your member's group role, and remove your members from groups within your organization. |
| Groups | Link to organization-specific group | portal | Allow application to link group membership to an organization-specific group. |
| Groups | Create with update capabilities | portal | Allow application to create groups with update capabilities. |
| Groups | Create with leaving disallowed | portal | Allow application to create and own groups that do not allow members to leave (administrative groups). |
| Content | View all | portal | Allow application to view all content within your organization. |
| Content | Update items | portal | Allow application to update and categorize content and edit hosted feature layers in your organization. |
| Content | Delete items | portal | Allow application to delete content within your organization. |
| Content | Reassign item ownership | portal | Allow application to reassign content to other members within your organization. |
| Content | Categorize items | portal | Allow application to set the categories of organization content. |
| Content | Manage categories | portal | Allow application to configure organization content categories. |
| Content | Publish web tools | portal | Allow application to publish web tools. |
| Content | Geoprocessing webhook | portal | Allow application to create geoprocessing webhooks. |
| Content | Manage servers | portal | Allow application to manage servers. |
| Content | Manage webhooks | portal | Allow application to manage webhooks. |
| Content | Share member content with organization | portal | Allow application to share content owned by other members in your organization with the organization. |
| Content | Share member content with public | portal | Allow application to share content owned by other members in your organization with the public. |
| Content | Create and manage administrative reports | portal | Allow application to create and manage administrative reports for your organization |
| Organization settings | Security and infrastructure | portal | Allow application to manage the organization's security and infrastructure settings. |
| Organization settings | Organization website | portal | Allow application to manage the organization's website settings. |
| Organization settings | Collaborations | portal | Allow application to manage the organization's collaborations. |
| Organization settings | Member roles | portal | Allow application to manage the organization's member roles. |
| Organization settings | Utility services | portal | Allow application to manage the organization's utility service settings |
Tutorials
Create an API key
Create and configure API key credentials to get a long-lived API key access token.