The portal security model in ArcGIS protects data, services, and applications. It includes security controls to prevent unauthorized access. It ensures the confidentiality, integrity, and availability of geospatial data and applications.
Portal service
The portal service helps authenticate, organize, and share geospatial information in ArcGIS. The service provides security for everything in a portal. It enables you to securely access your organization's resources for the creation of maps, applications, and spatial datasets.
The key security features the portal service supports are:
Aspect | Description |
---|---|
Users (identity) | All members of an organization have an identity that is defined by their ArcGIS account. The tasks a user can perform are determined by their user type, role, and privileges assigned to their account. A portal service ensures users only perform tasks supported by their identity. |
Sharing | There are four different sharing levels for accessing content. This includes owner (private), organization, group, and everyone (public). |
Authentication | The portal service supports all types of authentication with the use of access tokens. The portal service allows you to use authentication to get access tokens that can then be used to access secure resources in ArcGIS. |
Developer credentials | You can create and manage developer credentials for your applications using the portal service. Developer credentials register your application with a portal and define the security properties. |
Additionally, you use the portal service to securely:
- Access content items like web maps, web scenes, and feature layers.
- Share content with specific users or groups of users.
- Manage users and groups.
Access content items
To access an item in the portal using the portal service, you can create access tokens. These tokens can be in the form of API keys or OAuth 2.0 tokens, each defining the scope and permissions available to the application based on the authentication method used to obtain them.
You can get an access token by:
Share content
Sharing in ArcGIS is the process of making geographic content available in both ArcGIS Online and ArcGIS Enterprise. The share setting enables you to determine the accessibility level of an item, thereby securing both the item and its underlying data.
You use the portal service to share an item to:
- Change an item's discoverability
- Configure an item's privacy settings
- Grant access to specific user groups or organizations
- Require access tokens for data services
Sharing levels
The sharing levels in a portal provide users with flexibility in controlling the accessibility of their content, allowing them to configure access based on the audience and the sensitivity of the information. By selecting the appropriate sharing level for each item, users can collaborate and properly secure their content within a portal.
The following is a list of the sharing levels available for the different types of ArcGIS products:
- Owner (private): Only the owner has access. The hosted layer (item) and data service are private and will not be visible or accessible to others. A valid access token or scoped API key is required. Learn more about scoping items to an API key in API keys.
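An added example (not part of the ArcGIS documentation) of checking sharing levels against a policy: it reads the `access` value of each item record (`private`, `shared` for group sharing, `org`, `public`) and reports items shared more widely than their tags permit. The tag policy and the sample records are constructed for illustration.

```python
# Item "access" values, ordered from the narrowest to the widest audience:
# owner (private), group (shared), organization (org), everyone (public).
EXPOSURE = {"private": 0, "shared": 1, "org": 2, "public": 3}

# Hypothetical policy for this example: widest sharing level allowed per tag.
MAX_LEVEL_BY_TAG = {"internal": "org", "restricted": "shared", "pii": "private"}

# Constructed sample records, shaped like portal item JSON (id, access, tags).
SAMPLE_ITEMS = [
    {"id": "a1", "title": "Parcel owners", "access": "public", "tags": ["pii"]},
    {"id": "b2", "title": "Staff map", "access": "org", "tags": ["internal"]},
    {"id": "c3", "title": "Site plans", "access": "org",
     "tags": ["restricted", "internal"]},
    {"id": "d4", "title": "Basemap", "access": "public", "tags": ["basemap"]},
]


def audit_sharing(items, policy=MAX_LEVEL_BY_TAG):
    """Return (id, reason, access) for items shared beyond what their tags allow."""
    findings = []
    for item in items:
        access = item.get("access")
        if access not in EXPOSURE:
            # Fail closed: an unrecognised level is reported, not ignored.
            findings.append((item["id"], "unknown access value", access))
            continue
        limits = [policy[t] for t in item.get("tags", []) if t in policy]
        if not limits:
            continue  # no policy tag on this item, nothing to enforce
        allowed = min(limits, key=EXPOSURE.get)  # the strictest tag wins
        if EXPOSURE[access] > EXPOSURE[allowed]:
            findings.append((item["id"], f"{access} exceeds {allowed}", access))
    # Widest exposure first; unknown values sort to the top.
    return sorted(findings, key=lambda f: -EXPOSURE.get(f[2], 99))


if __name__ == "__main__":
    for finding in audit_sharing(SAMPLE_ITEMS):
        print(finding)
```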
Manage users and groups
Using the portal service, you can access and control user identities and group settings in your organization. You can configure privileges for users accessing the organization and define access levels based on whether users are part of the ArcGIS organization.
Through the portal service, you can create groups to organize content, control access to resources, and help collaboration among members. Group owners have the authority to:
- Invite members.
- Manage content and membership requests.
- Edit group properties.
- Change sharing settings, such as updating roles, removing members, transferring ownership, and deleting groups.
Types of authentication
The portal service provides secure access to the content in your portal. It does this by supporting different types of authentication. Authentication in ArcGIS ensures only authorized users have access to the ArcGIS resources and services.
You authenticate to:
- Ensure authorized users can access protected information, location services, and private data.
- Manage users and groups to provide access to resources based on user roles and permissions.
- Enable integration of apps with ArcGIS, which allows users to sign in to access resources.
You can use the following authentication options to access items in your portal:
Type | Description |
---|---|
API key authentication | Involves using a permanent API key to access ArcGIS resources, granting public-facing applications access to specific services, including private content and client referrers. |
User authentication | Allows users with an ArcGIS account to sign in to an application and access content, services, and resources based on their account type, roles, and privileges. |
App authentication | Grants short-lived access tokens based on application credentials, authorizing applications to access specific resources within ArcGIS Online. |
Developer credentials
To support authentication workflows and manage your custom applications, you create developer credentials. Developer credentials are an item type created in your portal that contains parameters used in authentication. They are required to implement every type of authentication. When you register your application in ArcGIS, you are provided with these authorization credentials that allow your app to access ArcGIS services and resources. The client ID and client secret are used to securely authenticate your application and obtain an access token.
There are two types of developer credentials: API key credentials and OAuth credentials. The table below lists these credentials and the types of authentication workflow they support.
Type of developer credentials | Type of authentication |
---|---|
API key credentials | API key authentication |
OAuth credentials | User authentication, App authentication |
REST authentication operations
The following REST operations from ArcGIS REST APIs are used to authorize and manage access tokens to access secure ArcGIS resources.
Operation | Description |
---|---|
Authorize | User authentication starts with the authorization step at the oauth2/authorize/ endpoint. Apps are required to direct users to the authorize REST endpoint. |
Token | The oauth2/token/ endpoint grants an access token when queried with a valid authorization code, client secret, or refresh token. |
Generate token | The generate operation creates an access token in exchange for user credentials. The access token represents an authenticated user for a limited time to all other API functionality. |
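The authorization and token steps in the table above, sketched as an added example (not Esri's code): it builds the oauth2/authorize URL with a `state` value and a PKCE challenge, then validates the redirect before preparing the oauth2/token request. The ArcGIS Online base URL, the redirect URI and the client ID are assumptions, and no network call is made.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: ArcGIS Online base URL; an ArcGIS Enterprise portal uses its own host.
PORTAL = "https://www.arcgis.com/sharing/rest"


def new_pkce_pair():
    """Return (code_verifier, code_challenge) for PKCE with the S256 method."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(client_id, redirect_uri, state, challenge):
    """URL the app sends the user to for the authorization step."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{PORTAL}/oauth2/authorize?{urlencode(params)}"


def build_token_request(callback_url, expected_state, client_id, redirect_uri, verifier):
    """Validate the redirect, then return (endpoint, form body) for the code exchange."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response is not for this session")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return f"{PORTAL}/oauth2/token", {
        "client_id": client_id,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
    }
```

Generate `state` per sign-in attempt (for example with `secrets.token_urlsafe`) and keep it, together with the verifier, in the user's server-side session until the redirect arrives.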
ArcGIS accounts
An ArcGIS account is required to implement authentication. Below is a summary of the products, accounts, and subscriptions you can use:
Product | Account | Subscription | Plan |
---|---|---|---|
ArcGIS Location Platform | ArcGIS Location Platform account | ArcGIS Developer subscription | Essentials plan (default) See all plans |
ArcGIS Online | ArcGIS Online account (User type: Creator or higher) | ArcGIS Online subscription | See all plans |
ArcGIS Enterprise | ArcGIS Enterprise account | | See all plans |
ArcGIS Enterprise
Some organizations require stricter security measures or do not permit the use of distributed online environments like ArcGIS Online. For these cases, the on-premises ArcGIS Enterprise provides a robust solution by operating within corporate firewall environments. This setup ensures that all your data and services remain under the direct control of your organization, adhering to strict security policies and compliance requirements.
Portal for ArcGIS is a component of ArcGIS Enterprise, allowing organizations to deploy GIS capabilities on their own infrastructure. This deployment supports secure access to maps, apps, and data, while also enabling collaboration within the organization. It integrates seamlessly with existing IT environments, leveraging enterprise authentication systems, security protocols, and data management practices.
For more information about how ArcGIS Enterprise and Portal for ArcGIS can meet your organization's security needs, visit the ArcGIS Enterprise product page.