Authorization and access models

Once authentication is complete and a user has a valid access token for ArcGIS, authorization and access rules are applied. These can take a variety of forms and ArcGIS has been designed and built to support complex, organization-specific authorization models or structures.

Authorization of access

This type of authorization refers to what content, services, or interfaces a user may access. In ArcGIS, authorization of access is managed through the ArcGIS sharing model, which builds on principles such as the following:

  • Content items in ArcGIS are owned by a specific user account. An individual user can manage, edit, delete, and perform any operation on the content they own.
  • Items can be shared to groups in ArcGIS. Groups are constructs that are created in ArcGIS, which have group-specific metadata, and a list of participating members.
  • Groups can also be based on enterprise groups, where group membership that is defined in an external, organizational directory, can be propagated to ArcGIS through Active Directory, LDAP or SAML authentication processes. In this case, the user’s membership in an ArcGIS group is defined by this enterprise group membership This is established at the time of login to ArcGIS and re-established on each future login.
  • Items can also be shared to the organization or to everyone.
    • When sharing to the organization, any user who can establish a valid session to the organization by authenticating can access and interact with it.
    • When sharing to everyone, anyone with HTTPS connectivity to the system can view the content. It is anonymously accessible either to the system’s WAN or to the internet, depending on how the network is configured. Network access controls can further limit this exposure.

User access is determined at the time of request. If the sharing settings change, or if a user is removed from a group, they will immediately lose access to the content that is shared to that group, or to that content item.

Authorization of capabilities

Beyond access to content, another type of authorization is what you can do in a particular system. This includes access to capabilities, interfaces, or applications within the ArcGIS system. This authorization is also generally managed by ArcGIS, and uses several different principles:

  • Every user in an ArcGIS system is assigned a User type, which defines their level of access to capabilities. User type examples include Viewer, Creator or GIS Professional.
  • Each user also has an assigned role, which more specifically controls their authorization through a set of assigned privileges for that role within the ArcGIS system. Privileges include the ability to create content, share to everyone, run Python notebooks, or create hosted imagery services.
  • There are certain capabilities or levels of access that are included with a User type by default. Additionally, add-on applications or user type extensions can be assigned to specific users to grant them access to additional capabilities.

These distinctions are further described in User types, roles, and privileges. Capabilities and access are established when a user logs in, so any changes to access or privileges may need the user to re-authenticate for the update to be applied to their session.

Integrate with external authorization patterns

While most organizations manage access and permissions for ArcGIS users directly in ArcGIS interfaces, some organizations seek to manage this access externally, for which several options are available.

  1. Group membership can be maintained through use of enterprise groups, where user membership is based on either a claim included with a SAML assertion during login, or a query to a remote group store defined in the security configuration, which is also queried during user login.
  2. Most identity providers for SAML or OIDC-based logins include a configuration where users are assigned or provisioned to the ArcGIS application through some process. Users that are not provisioned will not be able to login through SAML or OIDC, and various processes can be defined to either automatically provision ArcGIS access to new accounts, or follow some type of request process.
  3. ArcGIS provides REST APIs for all user-based authorization actions, such as creating and managing groups, adding members to groups, changing user roles or user types, and so on. Automation through an external script or system such as a Python notebook can also be used to automate the authorization of user access, by querying a remote source or using something like a Survey123 form to trigger a process that grants a user additional authorization following a review.