ArcGIS Enterprise on Kubernetes provides multiple ways for organizations to manage how their members access and interact with its content. One way is by assigning members specific privileges through custom roles that include administrative privileges, such as the ability to manage an organization's security configuration. These custom roles allow organizations to delegate administrative tasks without having to assign the default administrator role to multiple members.
Access to the ArcGIS Enterprise Admin API is restricted to a select number of privileges. When one of these privileges is included in a role assigned to an organization member, that member can access the API endpoints associated with, or required by, their role's privileges. All other endpoints are inaccessible through both the HTML directory and direct URL paths.
The following table shows which privileges are authorized to access the ArcGIS Enterprise Admin API:
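| Privilege category | Privilege name |
|---|---|
| Members | Manage licenses |
| Groups | Link to organization-specific group |
| Content | Update, Delete |
| Portal Settings | Security and infrastructure, Organization website, Servers, Organization webhooks |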
In addition to the privileges listed above, users assigned the default Publisher role can also access the ArcGIS Enterprise Admin API.
Privilege-based access
The following sections provide a high-level summary of each privilege that provides access to the API directory. The summaries for each privilege list both the front-end and back-end workflows that administrators have access to.
Manage licenses
Administrators assigned the Manage licenses privilege can manage the licenses for organization members. For the Enterprise Administrator API, administrators assigned this privilege can access any endpoints related to licensing workflows, such as Import License and Validate License. These administrators can also access log-related endpoints, such as Query Logs and Log Settings.
Link to organization-specific group
Administrators assigned the Link to organization-specific group privilege can link group membership to organization-specific groups. For the Enterprise Administrator API, administrators assigned this privilege can access any operations and resources related to group management, such as Refresh Group Membership and Get Enterprise Groups for User. These administrators can also access log-related endpoints, such as Query Logs and Log Settings.
Update
Administrators assigned the Update privilege can update portal content. For the Enterprise Administrator API, administrators assigned this privilege can access endpoints related to registering data items in data stores, such as Register Data Item and Validate Data Item. These administrators can also access endpoints related to GIS services, such as Create Service and Start Service.
Delete
Administrators assigned the Delete privilege can delete portal content. For the Enterprise Administrator API, administrators assigned this privilege can access endpoints related to GIS services, such as Create Service and Start Service, and endpoints related to logs, such as Query Logs and Log Settings.
Security and infrastructure
Administrators assigned the Security and infrastructure privilege can configure the portal's security settings, such as enabling comments on organization items, managing the user types and add-on licenses assigned by default to new members, and configuring security policies. For the Enterprise Administrator API, administrators assigned this privilege can access most API endpoints. This includes security-related endpoints, such as Update Security Configuration and Import Trust Certificate, backup-related endpoints, such as Register Backup Store and Create Backup, and health-check related endpoints, such as Run Health Check and Query Reports. These administrators can also view and modify resources that describe the state of the organization, such as Logs, Overview, and Mode.
Organization website
Administrators assigned the Organization website privilege can configure the portal's organization settings. For the Enterprise Administrator API, administrators assigned this privilege can access any endpoints related to organization language or external content availability, such as Add Language and Update External Content.
Servers
Administrators assigned the Servers privilege can configure federation for the organization, view and clean portal logs, and update portal log settings. For the Enterprise Administrator API, administrators assigned this privilege can access any endpoints that are part of the federation workflow, such as Federate Server and Validate Server. These administrators can also access log-related endpoints, such as Query Logs and Clean Logs, and upgrade-related endpoints, such as Upgrade and Rollback.
Organization webhooks
Administrators assigned the Organization webhooks privilege can manage all webhooks, including organizational webhooks. For the Enterprise Administrator API, administrators assigned this privilege can access the Webhook Settings endpoint.
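
The privilege summaries above can be turned into a least-privilege review of custom roles. The following is an added example, not Esri code or part of the original documentation: it maps each privilege to the endpoint families named in its summary and reports what a role can reach. The family names are shorthand for those summaries, and the `SENSITIVE` set, the `Example non-API privilege` entry, and the sample roles are constructed assumptions.

```python
# Privilege -> Admin API endpoint families, transcribed from the summaries above.
ACCESS = {
    "Manage licenses": {"licensing", "logs"},
    "Link to organization-specific group": {"group management", "logs"},
    "Update": {"data items", "GIS services"},
    "Delete": {"GIS services", "logs"},
    "Security and infrastructure": {"security", "backups", "health checks",
                                    "organization state", "logs"},
    "Organization website": {"language and external content"},
    "Servers": {"federation", "logs", "upgrades"},
    "Organization webhooks": {"webhook settings"},
}
MOST_ENDPOINTS = {"Security and infrastructure"}  # page: "can access most API endpoints"
SENSITIVE = {"security", "backups", "upgrades"}   # assumption: local review policy

def review_role(name, privileges):
    """Summarise what one role can reach in the Admin API."""
    granting = [p for p in privileges if p in ACCESS]
    families = set().union(*(ACCESS[p] for p in granting))
    findings = []
    if MOST_ENDPOINTS.intersection(granting):
        findings.append("reaches most Admin API endpoints")
    findings += [f"reaches {f} endpoints" for f in sorted(families & SENSITIVE)]
    return {
        "role": name,
        # The default Publisher role also gets in; the page lists no endpoints for it.
        "api_access": bool(granting) or name == "Publisher",
        "families": sorted(families),
        "findings": findings,
    }

def roles_reaching(roles, family):
    """Names of roles whose privileges open the given endpoint family."""
    return sorted(n for n, p in roles.items()
                  if family in review_role(n, p)["families"])

# Constructed sample roles (not from a real organization).
ROLES = {
    "License desk": ["Manage licenses", "Example non-API privilege"],
    "Platform ops": ["Servers", "Security and infrastructure"],
    "Content editor": ["Update", "Delete"],
    "Viewer plus": ["Example non-API privilege"],
    "Publisher": [],
}

if __name__ == "__main__":
    for name, privs in ROLES.items():
        print(review_role(name, privs))
    print("log access:", roles_reaching(ROLES, "logs"))
```

Running `roles_reaching(ROLES, "logs")` surfaces side access that a role name does not suggest: the license and content roles both reach log endpoints.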