Configure security settings

Default administrators and those with the correct privileges can configure security settings for policies, sharing and searching, password policies, sign in options, multifactor authentication, access notices, trusted servers, portal access, and more.

Tip:

Visit ArcGIS Trust Center for more in-depth security, privacy, and compliance information.

  1. Verify that you are signed in as a default administrator or as a member of a custom role with the administrative privilege to manage security and infrastructure enabled.
  2. At the top of the site, click Organization and click the Settings tab.
  3. Click Security on the left side of the page.
  4. Configure any of the following security settings:

Access and permissions

Change any of the following policy settings as needed:

  • Allow anonymous access to your organization—Enable this option to allow anonymous users access to your organization's website. If this option is not enabled, anonymous users cannot access the website. They also cannot view your maps with Bing Maps (if your organization is configured for Bing Maps).

    Tip:

    If you disable anonymous access, organization members can still share public items using the public URL.

    If you enable anonymous access, make sure that the groups selected for the site configuration groups are shared with the public; otherwise, anonymous users may not be able to properly view or access the public content of those groups.

    Note:

    Verified organizations must allow anonymous access to the organization. Verified organizations that want to disable anonymous access must first have their verified status removed.

  • Display an option in your Sign In panel to allow members of other organizations to sign in using their ArcGIS Online credentials solely to access the organization content your members have shared with them—Enable this option to allow members of other ArcGIS Online organizations to access items shared with them by members of your organization. When this option is enabled, a separate sign in link is displayed at the bottom of the sign in window, which allows users to sign in through www.arcgis.com and access the items shared with them.
  • Allow members to edit biographical information and who can see their profile—Enable this option to allow members to modify the biographical information in their profile and specify who can see their profile.
  • Allow members to download licensed Esri applications, such as ArcGIS Pro, from their settings page—Enable this option to allow organization members who have the necessary license to download the app using a link on their settings page. Disabling this option hides the download link for members.

Note:

You may also see the following option if your organization was created prior to mid September 2018 and configured with this setting disabled. It is recommended that you enable this security setting:

  • Allow access to the organization through HTTPS only—Enable this option to ensure that your organization's data as well as any temporary identification tokens that allow access to your data are encrypted during communications over the internet. Once enabled, check your organization to confirm that nothing is affected, such as your home page, maps, scenes, and apps. For example, you may need to update layers to use HTTPS in your maps and scenes.

Sixty days after enabling this setting, the disable option will no longer be available on the Organization page.

Sharing and searching

Change any of the following sharing and search settings as needed:

  • Members can share content publicly—Enable this option to allow members to make their profile visible to everyone (public), share their web apps and other items with the public, or embed their maps or groups in websites.

    If you disable this setting, members cannot make their profile public, share their content publicly, or embed content in websites. Social media buttons are also disabled. As an administrator, you can share members' items with the public. You can also make a member's profile visible to everyone (public) so the member can be invited to groups outside the organization.

    If you disable anonymous access to your organization, you can share maps, apps, and groups by sharing the item with everyone (public) and changing the URL of the item from your organization's private URL to the public ArcGIS Online URL (www.arcgis.com). For example, you can share one of your organization's maps with anonymous users by changing the URL from https://samplegis.maps.arcgis.com/home/webmap/viewer.html?webmap=fb39737f95a74b009e94d2274d44fd55 to https://www.arcgis.com/home/webmap/viewer.html?webmap=fb39737f95a74b009e94d2274d44fd55.

  • Members can search for content outside the organization—Enable this option to allow members to see maps, layers, apps, and files owned by users outside the organization.

    If you disable this setting, members cannot access content outside the organization. As an administrator, you can search for items outside the organization.

  • Show social media links on item and group pages—Enable this option to include links to Facebook and Twitter on item and group pages.

Password policy

When members change their passwords, they must conform to the organization's policy. If they don't, a message appears with the policy details. The password policy of the organization does not apply to organization-specific logins such as SAML logins, or app credentials that use app IDs and app secrets.

The ArcGIS default password policy requires that passwords be at least eight characters and contain at least one letter and one number. If you want to update the password policy for your organization, click Manage password policy to configure the password length, complexity, and history requirements for members with ArcGIS accounts. You can specify the character length and whether the password must contain at least one of any of the following: uppercase letter, lowercase letter, number, or special character. You can also configure the number of days before the password expires and the number of past passwords that the member cannot reuse. To revert back to ArcGIS default policy at any time, click Use default ArcGIS policy.

Note:

Weak passwords won't be accepted. A password is considered weak if it's a commonly used password such as password1 or includes repetitive or sequential characters—for example, aaaabbbb or 1234abcd.

Logins

You can customize the organization's sign-in page to allow members to sign in using any of the following methods: ArcGIS logins, Security Assertion Markup Language (SAML) logins (previously known as enterprise logins), OpenID Connect logins, and social logins.

Turn on the ArcGIS login toggle button to allow users to sign in to ArcGIS using their ArcGIS logins.

Use the Set up SAML login button to configure SAML logins if you want members to sign in to ArcGIS using your organization's existing SAML identity provider.

Use the Set up OpenID Connect login button to configure OpenID Connect logins if you want members to sign in using your organization's existing OpenID Connect identity provider.

See this video for the advantages of using organization-specific logins such as SAML and OpenID Connect logins.

You can also allow organization members to sign up for and sign in to ArcGIS using the logins they use with social networks such as Facebook, Google, GitHub, and Apple. To enable social logins, turn on the Social logins toggle button, and turn on the toggle buttons for the social networks you want to enable.

Multifactor authentication

Organizations that want to give members the option of setting up multifactor authentication for sign in to ArcGIS can enable the Allow members to choose whether to set up multifactor authentication for their individual accounts toggle button. Multifactor authentication provides an extra level of security by requiring a verification code in addition to a user name and password when members sign in.

If you enable this setting, organization members can set up multifactor authentication through their profile page and receive verification codes on their mobile phones or tablets from a supported authentication app (currently, Google Authenticator for Android and iOS and Authenticator for Windows Phone). Multifactor authentication is not supported for SAML logins, OpenID Connect logins, or ArcGIS organizational accounts created with social logins. Members who enable multifactor authentication have a check mark in the Multifactor Authentication Multifactor authentication column of the member table on the Members tab on the Organization page.

If you enable multifactor authentication for your organization, you must designate at least two administrators who will receive email requests to disable multifactor authentication as needed on member accounts. ArcGIS Online sends emails on behalf of members who request help with multifactor authentication through the Having trouble signing in with your code? link (on the page where the member is asked to enter the authentication code). At least two administrators are required to ensure that at least one will be available to help members with any multifactor authentication issues.

Multifactor authentication works with ArcGIS accounts in Esri apps that support OAuth 2.0. This includes the ArcGIS Online website, ArcGIS Desktop 10.2.1 and later, ArcGIS apps, My Esri, and apps in ArcGIS Marketplace. In ArcGIS Desktop 10.2.1 and later, multifactor authentication can be used to connect to ArcGIS Online services from the ready-to-use services node in the catalog window.

Multifactor authentication must be disabled to access apps without OAuth 2.0 support. For some apps—such as ArcGIS Desktop 10.2.1 and later—that support OAuth 2.0, multifactor authentication must still be disabled before making a connection from ArcGIS Desktop to ArcGIS Server services available as part of ArcGIS Online. This includes geocoding and geoprocessing services that perform routing and elevation analysis. Multifactor authentication must also be disabled when storing credentials with Esri premium content.

Access notice

You can configure and display a notice of terms for users who access your site.

You can configure an access notice for organization members or all users who access your organization, or both. If you set an access notice for organization members, the notice is displayed after members sign in. If you set an access notice for all users, the notice is displayed when any user accesses your site. If you set both access notices, organization members see both notices.

To configure an access notice for organization members or all users, click Set access notice in the appropriate section, turn on the toggle button to display the access notice, and provide a notice title and text. Choose the ACCEPT and DECLINE option if you want users to accept the access notice before proceeding to the site, or select OK only if you want users to only click OK to proceed. Click Save when finished.

To edit the access notice for organization members or all users, click Edit access notice in the appropriate section and make changes to the title, text, or action button options. If you no longer want the access notice displayed, use the toggle button to disable the access notice. After disabling the access notice, the previously entered text and configuration will be retained if the access notice is re-enabled in future. Click Save when finished.

Information banner

You can use information banners to alert all users who access your organization about your site's status and content. For example, inform users about maintenance schedules or classified information alerts by creating custom messages to appear at the top and bottom of your site. The banner appears on the Home, Gallery, Map Viewer, Scene Viewer, Groups, Content, and Organization pages.

To enable the information banner for your organization, click Set information banner and turn on Display information banner. Add text in the Banner text field and choose a background color and font color. A contrast ratio appears for your selected text and background color. Contrast ratio is a measure of legibility based on WCAG 2.1 accessibility standards; a contrast ratio of 4.5 is recommended to adhere to these standards.

You can preview the information banner in the Preview pane. Click Save to add the banner to your organization.

To edit the information banner, click Edit information banner and make changes to the banner text or styling. If you no longer want the information banner displayed, use the toggle button to disable the information banner. After disabling the information banner, the previously entered text and configuration will be retained if the information banner is re-enabled in future. Click Save when finished.

Trusted servers

For Trusted servers, configure the list of trusted servers you want your clients to send credentials to when making Cross-Origin Resource Sharing (CORS) requests to access services secured with web-tier authentication. This applies primarily to editing secure feature services from a stand-alone (unfederated) ArcGIS Server or viewing secure OGC services. ArcGIS Server hosting services secured with token-based security do not need to be added to this list. Servers added to the trusted servers list must support CORS. Additionally, CORS must be configured to allow the specific domains that will be used to communicate with the server, such as your ArcGIS Online organization domain. Layers hosted on servers without CORS support may not function as expected. ArcGIS Server supports CORS by default at versions 10.1 and later. To configure CORS on non-ArcGIS servers, refer to the vendor documentation for the web server.

The host names must be entered individually. Wildcards cannot be used and are not accepted. The host name can be entered with or without the protocol in front of it. For example, the host name secure.esri.com can be entered as secure.esri.com or https://secure.esri.com.

Note:

Editing feature services secured with web-tier authentication requires a web browser enabled with CORS. CORS is enabled on all supported browsers.

Allow origins

By default, ArcGIS REST API is open to Cross-Origin Resource Sharing (CORS) requests from web applications on any domain. If your organization wants to limit the web application domains that are allowed to access ArcGIS REST API through CORS, you must specify these domains explicitly. For example, to restrict CORS access to web applications on acme.com only, click Add and enter https://acme.com in the text box and click Add domain. You can specify up to 100 trusted domains for your organization. It's not necessary to specify arcgis.com as a trusted domain, as applications running on the arcgis.com domain are always allowed to connect to ArcGIS REST API.

Allow portal access

Configure a list of portals (for example https://otherportal.domain.com/arcgis) with which you want to share secure content. This allows members of your organization to use their organization-specific logins (including SAML logins) to access the secure content when viewing it from these portals. This is only applicable for portals at Portal for ArcGIS version 10.5 and later. This setting is not needed for sharing secured content between ArcGIS Online organizations. To share content privately between organizations, see Share items with another organization.

The portal URLs must be entered individually and must include the protocol. Wildcards cannot be used and are not accepted. If the portal being added allows both HTTP and HTTPS access, two URLs must be added for that portal (for example http://otherportal.domain.com/arcgis and https://otherportal.domain.com/arcgis). Any portal added to the list is validated first and, therefore, must be accessible from the browser.