The core of the ArcGIS security model is the ArcGIS portal. Portals support configurable security features that can be managed to control access to sensitive data, manage the privileges of users, create secure groups, and more.
The underlying portal service of a portal is a REST API responsible for handling the authentication process. User and application identity is established through the portal service using SAML 2.0 federated identity management. Authentication always takes place over HTTPS and supports the OAuth 2.0 authorization protocol.
The key security features a portal supports are:
-
Identity: All members of an organization have an identity that is defined by their ArcGIS account. The tasks a user can perform are determined by their user type, role, and privileges assigned to their account. A portal ensures users only perform tasks supported by their identity.
-
Sharing: A portal supports four different sharing levels for accessing content. This includes owner (private), organization, group, and everyone (public). To access content, your ArcGIS account must be the owner or belong to the organization or group associated with the content item.
-
Authentication: A portal also supports different types of authentication. All types of authentication support the use of access tokens. A portal allows you to use authentication to get access tokens that can then be used to access secure resources in ArcGIS.
-
Developer credentials: A portal allows you to create and manage developer credentials for your applications. Developer credentials register your application with a portal and define the security properties.
Security certifications
ArcGIS portals have received the following security certifications:
-
Privacy: ArcGIS portals are certified compliant with the highest independent, international, industry accepted privacy standards, including TRUSTe Certified Privacy Seal and EU Safe Harbor (US Department of Commerce).
-
Infrastructure: Portals hosted by ArcGIS (for ArcGIS Online and ArcGIS Location Platform) utilize cloud infrastructure providers that are ISO 27001, FedRAMP, and SSAE 16 SOC1 Type2 compliant.
-
Web application: The ArcGIS portal web application has received Federal Risk and Authorization Management Program (FedRAMP) Tailor Low authorization from the U.S. Department of Interior.
Hosted data
All content and data hosted in ArcGIS portals is secure. The following security features are supported for hosted data:
- Multitenancy: Each data record within multitenant storage is stamped with the ID of the owning subscription to ensure organization data is accessible only by the organization's users.
- Features: Each organization has its own logically separate database, providing isolation of stored features.
Users and roles
Using a portal, you can access and control user identities in your organization. You can assign roles with privileges to users to configure their level of access to secure resources.
Listed below is a summary of users in ArcGIS Online, ArcGIS Location Platform, and ArcGIS Enterprise:
| Key points | Description |
|---|---|
| User Types | There are different user types available, such as Viewer, Editor, Mobile Worker, Creator, and GIS Professional. Each user type comes with specific capabilities and included apps tailored to different roles within an organization. |
| Licensing | Users in ArcGIS Online, ArcGIS Location Platform, and ArcGIS Enterprise are licensed based on their user type. This determines the level of access and functionality they have within ArcGIS. For example, a Creator user type can create, analyze, share, and store data and content within the ArcGIS Enterprise portal. |
| Licensing flexibility | User types can be purchased independently or paired with other foundational or dependent user types. Every subscription requires at least one foundational user type to activate and administer ArcGIS Online or ArcGIS Enterprise. Dependent user types rely on a foundational user type for activation and administration. |
| Named user licensing | Named user licensing in ArcGIS Enterprise is based on credentials associated with a user (username and password) rather than an authorization number linked to a computer. This licensing model allows users to access ArcGIS Pro by signing in with their organization credentials, enabling use on multiple computers simultaneously. |
Groups
Through the portal service, you can create groups to organize content, control access to resources, and help collaboration among members. Group owners have the authority to:
- Invite members.
- Manage content and membership requests.
- Edit group properties.
- Change sharing settings like update roles, remove members, transfer ownership, and delete groups.
Sharing
The sharing levels in a portal provide users with flexibility in controlling the accessibility of their content, allowing them to configure access based on the audience and the sensitivity of the information. By selecting the appropriate sharing level for each item, users can collaborate and properly secure their content within a portal.
The following is a list of the sharing levels available for the different types of ArcGIS products:
- Owner (private): Only the owner has access. The hosted layer (item) and data service are private and will not be visible or accessible to others. A valid access token or scoped API key is required. Learn more about scoping items to an API key in API keys.
- Owner (private): Only the owner has access. The hosted layer (item) and data service are private and will not be visible to others who have access to the portal. A valid access token is required.
- Organization: All members of your organization can access the hosted layer (item) and data service. A valid access token is required.
- Group: All members of a group can access the hosted layer (item) and data service. A valid access token is required.
- Everyone (public): Anyone can view the hosted layer (item) and access the data service.
- Owner (private): Only the owner has access. The hosted layer (item) and data service are private and will not be visible to others who have access to the portal. A valid access token is required.
- Organization: All members of your organization can access the hosted layer (item) and data service. A valid access token is required.
- Group: All members of a group can access the hosted layer (item) and data service. A valid access token is required.
- Everyone (public): Anyone can view the hosted layer (item) and access the data service.
On-Premises Enterprise security
Some organizations require segmentation of their solution from the Internet or do not allow distributed multitenant environments such as ArcGIS Online. The on-premises Portal for ArcGIS meets this requirement of high security needs by running inside corporate firewall environments.
Portal for ArcGIS is a component included with ArcGIS Enterprise. To learn more, go to the ArcGIS Enterprise product page.