Privileges granted to roles

Privileges are granted to members through roles. Privileges allow role members to perform various tasks and workflows in an organization. For example, some members have privileges to create and publish content, while others have privileges to view content but cannot create their own.

Default roles include a specific set of privileges that cannot be altered. When the organization administrator creates custom roles, the administrator specifies which privileges the custom role includes.

There are two levels of privileges: General privileges and Administrative privileges.

General privileges

Members who perform specific tasks in the organization—create maps or edit features, for example—can be assigned the general privileges they need to work and share with groups, content, and features.

The following table lists privileges, grouped by privilege type, and provides a description of each privilege. The table also lists which default roles include the privilege.

In addition to these privileges that you can grant to custom roles and that are included with default roles, all users can use geosearch and subscriber content regardless of their role.

General privileges | Default roles that include the privilege

Members

View

Allows members to view the Members tab of the organization page. Without this privilege, members cannot see the organization page.

User, Publisher, Facilitator, Administrator

Groups

Create, update, and delete

Allows members to create groups in the organization and control the groups they own.

User, Publisher, Facilitator, Administrator

Join organizational groups

Allows members to be added to or request to join groups in the organization. Members can only request to join organizational groups if they also have the privilege to view groups shared with the organization. Without the privilege to view groups shared with the organization, members do not see the groups and, therefore, cannot request to join them.

All default roles

Note:

Only members of the User, Publisher, Facilitator, and Administrator default roles can join shared update groups.

Join external groups

Allows members to be added to or request to join groups external to your organization. Members can only request to join external groups if they also have the privilege to view groups shared with the organization. Without the privilege to view groups shared with the organization, members do not see the groups and, therefore, cannot request to join them.

User, Publisher, Facilitator, Administrator

View groups shared with organization

Allows members to discover and view groups that are configured to allow organization members to view them.

User, Publisher, Facilitator, Administrator

Invite partnered organization members

Allows members to create groups that include members from partnered organizations, as well as invite members of partnered organizations to groups.

User, Publisher, Facilitator, Administrator

Add members from other organizations

Allows members to create groups that include members from other organizations, as well as invite members of other organizations to groups.

User, Publisher, Facilitator, Administrator

Content

Create, update, and delete

Allows members to create items in the organization and control items they own.

User, Publisher, Facilitator, Administrator

Publish hosted feature layers

Allows members to publish hosted feature layers from supported files and clients.

Publisher, Facilitator, Administrator

Publish hosted tile layers

Allows members to publish hosted tile layers from tile packages, features, and other clients. Also allows members to publish hosted 3D tiles layers from 3D tiles packages and ArcGIS Pro, and to manage layers published from packages.

Publisher, Facilitator, Administrator

Publish hosted scene layers

Allows members to publish hosted scene layers from scene layer packages, feature layers, and other clients, and allows members to manage scene layers published from packages.

Publisher, Facilitator, Administrator

Publish hosted tiled imagery layers

Allows members to publish hosted tiled imagery layers from a single image or collection of images, and allows members to export a tile package from a hosted tiled imagery layer.

Publisher, Facilitator, Administrator

Publish hosted dynamic imagery layers

Allows members to publish hosted dynamic imagery layers from a single image or collection of images.

Publisher, Facilitator, Administrator

View content shared with the organization

Allows members to view content shared with the organization.

All default roles

Create and edit notebooks

Allows members to create and edit interactive notebooks.

Administrator

Schedule notebooks

Allows members to schedule future automated runs of a notebook.

Administrator

View location tracks

Allows members to view members' location tracks using shared track views when location sharing is enabled.

Administrator

Publish feeds

Allows members to publish feeds to collect and display real-time data using ArcGIS Velocity.

Note:

This privilege is only visible if your organization has ArcGIS Velocity licenses.

Publisher, Facilitator, Administrator

Publish real-time analytics

Allows members to publish real-time analytics to analyze and process real-time data using ArcGIS Velocity.

Note:

This privilege is only visible if your organization has ArcGIS Velocity licenses.

Publisher, Facilitator, Administrator

Publish big data analytics

Allows members to publish big data analytics to analyze historical observation data using ArcGIS Velocity.

Note:

This privilege is only visible if your organization has ArcGIS Velocity licenses.

Publisher, Facilitator, Administrator

Reassign content

Allows members to transfer ownership of content they own to another member in the same organization. The member to whom ownership is transferred must have the privilege to receive content.

Administrator

Receive content

Allows members to receive content transferred to them from members who have the privilege to reassign content.

This privilege is not required to receive content transferred by organization administrators.

Administrator

Create and run data pipelines

Allows members to create, edit, and run data pipelines.

Publisher, Facilitator, Administrator

Generate API keys

Allows members to create and embed API keys as a longer-term authentication option in app items.

Administrator

Assign privileges to OAuth 2.0 applications

Allows members to define privileges for OAuth 2.0 credentials in app items. The privileges a member can assign are based on their own privileges in the organization; for example, a member of a role that does not have administrative privileges cannot assign administrative privileges to the OAuth app.

This privilege also allows members to specify which of their own items can be accessed by the OAuth app.

Administrator

Sharing

Share with groups

Allows members to share items they own with groups to which they belong.

User, Publisher, Facilitator, Administrator

Share with organization

Allows members to share items they own with your organization.

User, Publisher, Facilitator, Administrator

Share with public

Allows members to share items they own with the public, including those who are not signed in.

User, Publisher, Facilitator, Administrator

Make groups visible to organization

Allows members to make groups discoverable by your organization.

User, Publisher, Facilitator, Administrator

Make groups visible to public

Allows members to make groups discoverable by the public, including those who are not signed in.

User, Publisher, Facilitator, Administrator

Make groups available to Open Data

Allows members to designate groups as being available for use in Open Data sites.

User, Publisher, Facilitator, Administrator

Premium Content

Geocoding

Allows members to use ArcGIS World Geocoding Service (or a view of this locator) to convert addresses or places to map points and store the results—for example, when publishing spreadsheets (.csv or Microsoft Excel files) as hosted feature layers. This does not apply to your locators configured for the organization.

All default roles

Network Analysis

Allows members to perform network analysis tasks such as routing and drive-time areas.

All default roles

Spatial Analysis

Allows members to perform spatial analysis tasks such as creating buffers.

User, Publisher, Facilitator, Administrator

GeoEnrichment

Allows members to use GeoEnrichment to enrich features.

User, Publisher, Facilitator, Administrator

Demographics

Allows members to use premium demographic data.

All default roles

Imagery Analysis

Allows members to perform imagery and raster analysis tasks such as calculating slope.

Publisher, Facilitator, Administrator

Advanced notebooks

Allows members to import and use ArcPy modules in ArcGIS Notebooks.

Administrator

Run web tools

Allows members to run web tools published from notebooks.

Note:

Additional privileges (such as publishing hosted web layers, creating items, managing content, or running specialized analysis tools) may also be required depending on the workflows performed by the notebook author. See Privileges for common workflows below for related privileges required to complete common tasks.

Administrator

Feature report

Allows members to create feature reports in ArcGIS Survey123.

User, Publisher, Facilitator, Administrator

Features

Edit

Allows members to edit features in editable layers that are not public, based on the edit options enabled on the layer.

Data Editor, User, Publisher, Facilitator, Administrator

Edit with full control

Allows members to add, delete, and update features and attributes in editable hosted feature layers, regardless of the editing operations enabled on the layer.

Administrator

Administrative privileges

The privileges in the table below are included in the default administrator role and can also be assigned to custom roles. Including administrative privileges in custom roles allows members to assist default administrators with managing members, groups, and content in the organization.

Note:

Some administrative privileges are reserved for members of the default administrator role and are not available for custom roles.

Administrative privileges

Members

View all

Allows role members to view all member account information.

Update

Allows role members to reset passwords, update member account information, and assign (and unassign) member categories.

Note:

Only members of the default administrator role can reset the passwords of other members of the default administrator role.

Delete

Allows role members to delete organization member accounts.

Invite

Allows role members to invite members to the organization.

Disable

Allows role members to disable and enable organization member accounts.

Change roles

Allows role members to change the roles assigned to organization members.

Note:

Only members of the default administrator role can change another member's role to and from the default administrator role.

Manage licenses

Allows role members to manage licenses for organization members.

Manage categories

Allows role members to configure member categories for the organization.

Groups

View all

Allows role members to view groups owned by other organization members.

Update

Allows role members to update groups owned by other organization members.

Delete

Allows role members to delete groups owned by other organization members.

Reassign ownership

Allows role members to reassign ownership of groups.

Assign members

Allows role members to assign organization members to groups, remove members from groups, and update members' group roles in the organization.

Link to organization-specific group

Allows role members to link ArcGIS Online group membership to organization-specific groups.

Create with leaving disallowed

Allows role members to create and own groups that do not allow group members to leave (administrative groups).

Create with update capabilities

Allows role members to create and own groups that allow group members to update all items in the group (shared update groups).

Content

View all

Allows role members to view content owned by all organization members.

Update

Allows role members to update and categorize content owned by all organization members, and allows role members to edit data in all hosted feature layers and hosted feature layer views, even when editing is not enabled on those layers.

Delete

Allows role members to delete content owned by other organization members and to restore content from any organization member's recycle bin.

Reassign ownership

Allows role members to reassign ownership of content.

Manage categories

Allows role members to configure content categories for the organization.

Publish web tools

Allows role members to publish web tools.

Share member content with organization

Allows role members to share content owned by other members of your organization with the organization.

Share member content with public

Allows role members to share content owned by other members of your organization with the public.

Create and manage administrative reports

Allows role members to create and manage administrative reports for the organization.

ArcGIS Marketplace subscriptions

Create and manage

Allows role members to create listings, list items, and manage subscriptions in ArcGIS Marketplace, and manage purchasers and contact information for the organization.

Note:

Use of this privilege depends on your organization obtaining listing and publishing access to ArcGIS Marketplace.

Purchase and get free products

Role members can send purchase requests and access free products from providers in ArcGIS Marketplace.

Note:

To allow members to purchase products using credit cards, you must designate them as ArcGIS Marketplace purchasers.

Start trials

Allows role members to start trials in ArcGIS Marketplace.

Organization settings

Security and infrastructure

Manage the organization's security settings.

Allows role members to configure the following in the organization settings:

  • General—Organization verification, Short name, Administrative contacts, Esri User Experience Improvement Program
  • Items—Comments
  • New member defaults—User type, Role, Add-on licenses, Groups, Member categories, Credits, Esri access
  • Security—Access and permissions, Sign-in policy, Logins, Multifactor authentication, Email verification, Access notice, Information banner, Trusted servers, Allow origins, Allow portal access, Apps

Organization website

Manage the organization's website settings.

Allows role members to configure the following in the organization settings:

  • General—Organization profile (Name, Logo, Summary), Organization verification, Contact link, Organization defaults (Region, Language, Short name), Administrative contacts, Esri User Experience Improvement Program, Shared theme, App launcher
  • Home Page—Header, Content blocks, Footer, Colors, and Typography
  • Gallery—Show in gallery
  • Map—Primary map viewer, Basemap gallery, Map defaults (Default basemap, Default extent, Units), Bing Maps, ArcGIS Configurable Apps, Web styles, Analysis layers
  • Items—Metadata, Organization categories
  • Groups—Featured groups, ArcGIS Configurable Apps
  • Open Data—Open Data site

Collaborations

Allows role members to configure and manage the organization's collaborations in the organization settings.

Credits

Allows role members to configure credits in the organization settings and enable credit budgeting.

Member roles

Allows role members to create and manage custom roles in the organization settings and change member roles.

Utility services

Manage the organization's utility service settings.

Allows role members to configure the following in the organization settings:

Privileges reserved for members of the default administrator role

Some administrative privileges are reserved for members of the default administrator role and are not available for custom roles. For example, only members of the default administrator role can remove other administrators from the organization. The following is a list of privileges reserved for members of the default administrator role:

  • Enable and disable Esri access on member accounts.
  • Change member role to or from administrator.
  • Delete other administrators from the organization.
  • Change member email addresses for ArcGIS organizational accounts.
  • Reset the passwords of other members of the default administrator role.
  • Assign custom roles with administrative privileges to new members when adding them to the organization.
  • Manage scheduled administrative reports owned by members.

Privileges for common workflows

Some workflows require a combination of privileges. In some cases, members are responsible for performing multiple workflows. For example, a GIS analyst may need to use certain analysis tools as well as publish hosted feature layers, which require the privileges listed in the table below for the Use the analysis tools and Publish hosted feature and WFS layers workflows. If you are unable to perform a function that you think your role should allow you to perform, verify that the organization administrator has enabled the full set of privileges required for the function.

General workflows

Workflow | Required privileges

Use the analysis tools

  • Content—Create, update, and delete
  • Content—Publish hosted feature layers
  • Premium Content—Spatial Analysis

Note:

Some tools require the following additional privileges:

  • Premium Content—GeoEnrichment
  • Premium Content—Network Analysis
  • Premium Content—Imagery Analysis

Publish hosted feature and WFS layers

  • Content—Create, update, and delete
  • Content—Publish hosted feature layers

Publish hosted tile layers

  • Content—Create, update, and delete
  • Content—Publish hosted tile layers

Publish hosted scene layers

  • Content—Create, update, and delete
  • Content—Publish hosted feature layers
  • Content—Publish hosted scene layers

Publish hosted elevation layers

  • Content—Create, update, and delete
  • Content—Publish hosted tile layers

Publish hosted imagery layers

  • Content—Create, update, and delete
  • Content—Publish hosted tiled imagery layers
  • Content—Publish hosted dynamic imagery layers

Publish apps from Map Viewer, Map Viewer Classic, or a group page

  • Content—Create, update, and delete
  • Sharing—Share with groups
  • Sharing—Share with organization
  • Sharing—Share with public

Embed maps or groups

  • Content—Create, update, and delete
  • Sharing—Share with public

Make groups available to Open Data sites

  • Sharing—Make groups visible to public
  • Sharing—Make groups available to Open Data

Reassign ownership of your items to another member

  • Members—View
  • Content—Create, update, and delete
  • Content—Reassign content

Note:

Only members who have the privilege to receive content can become owners of your reassigned content.

Add, update, and delete features in hosted feature layers that have editing enabled for add or update only

  • Features—Edit
  • Features—Edit with full control

Create and run data pipelines in ArcGIS Data Pipelines editor

  • Content—Create and run data pipelines
  • Content—Create, update, and delete
  • Content—Publish hosted feature layers

Administrative workflows

Workflow | Required privileges

Manage content owned by members

  • Members (administrative)—View all
  • Groups (administrative)—View all
  • Content (administrative)—View all
  • Content (administrative)—Update
  • Content (administrative)—Delete
  • Content (administrative)—Reassign ownership
  • Content (administrative)—Share member content with organization
  • Content (administrative)—Share member content with public
  • Sharing (general)—Share with organization
  • Sharing (general)—Share with public

Manage groups owned by members

  • Members (administrative)—View all
  • Groups (administrative)—View all
  • Groups (administrative)—Update
  • Groups (administrative)—Delete
  • Groups (administrative)—Reassign ownership
  • Groups (administrative)—Assign members

Manage member profiles

  • Members (administrative)—View all
  • Members (administrative)—Update

Delete members, which also involves managing (reassigning or deleting) their content and groups

  • Members (general)—View
  • Members (administrative)—Delete
  • Members (administrative)—View all
  • Content (administrative)—View all
  • Content (administrative)—Reassign ownership
  • Content (administrative)—Delete
  • Groups (administrative)—View all
  • Groups (administrative)—Reassign ownership
  • Groups (administrative)—Delete

Note:

If you want members of the custom administrator role to always reassign groups and content owned by the members they're deleting from the organization rather than deleting those groups and content, do not assign the Content (administrative)—Delete and Groups (administrative)—Delete privileges to the custom role.

View subscription status reports

  • Members (administrative)—View all
  • Content (administrative)—View all
  • Groups (administrative)—View all

Manage the organization's security settings

  • Members (general)—View
  • Groups (general)—View groups shared with organization
  • Members (administrative)—View all
  • Groups (administrative)—View all
  • Organization Settings (administrative)—Security and infrastructure

Manage the organization's website settings

  • Members (general)—View
  • Groups (general)—Create, update, and delete
  • Groups (general)—View groups shared with organization
  • Content (general)—Create, update, and delete
  • Content (general)—View content shared with the organization
  • Sharing (general)—Share with groups
  • Sharing (general)—Share with organization
  • Sharing (general)—Share with public
  • Sharing (general)—Make groups visible to organization
  • Sharing (general)—Make groups visible to public
  • Members (administrative)—View all
  • Groups (administrative)—View all
  • Groups (administrative)—Update
  • Content (administrative)—View all
  • Content (administrative)—Update
  • Content (administrative)—Manage categories
  • Organization Settings (administrative)—Organization website

Manage the organization's collaborations

  • Members (general)—View
  • Groups (general)—Create, update, and delete
  • Groups (general)—View groups shared with organization
  • Content (general)—Create, update, and delete
  • Content (general)—Publish hosted feature layers
  • Content (general)—View content shared with the organization
  • Sharing (general)—Share with groups
  • Members (administrative)—View all
  • Groups (administrative)—View all
  • Groups (administrative)—Update
  • Content (administrative)—View all
  • Content (administrative)—Update
  • Content (administrative)—Delete
  • Organization Settings (administrative)—Collaborations

Manage the organization's credit settings

  • Members (general)—View
  • Members (administrative)—View all
  • Members (administrative)—Update
  • Organization Settings (administrative)—Credits

Manage the organization's member roles

  • Members (general)—View
  • Members (administrative)—View all
  • Members (administrative)—Change roles
  • Organization Settings (administrative)—Member roles

Change a member's user type

  • Members (general)—View
  • Members (administrative)—View all
  • Members (administrative)—Update
  • Members (administrative)—Change roles
  • Members (administrative)—Manage licenses

Create and manage administrative groups

  • Groups (general)—Create, update, and delete
  • Groups (administrative)—Update
  • Groups (administrative)—Create with leaving disallowed
  • Members (administrative)—View all

Manage the organization's utility service settings

  • Members (general)—View
  • Content (general)—Create, update, and delete
  • Content (general)—Publish hosted feature layers
  • Organization Settings (administrative)—Utility services
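
Added example (not Esri's code): one way to review a custom role against the workflow tables above before assigning it, reporting which required privileges are missing and which granted privileges no intended workflow needs. The privilege tuples use this page's display names rather than API identifiers; the function names, the shortened workflow key "Delete members", and the sample role are constructed for illustration.

```python
# Added example: audit a custom role against the workflows it must support.
# Privileges are (level, category, name) tuples using this page's display
# names; they are not ArcGIS API identifiers.
GEN, ADM = "general", "administrative"

# Required privileges per workflow, transcribed from this page (subset).
WORKFLOWS = {
    "Publish hosted feature and WFS layers": {
        (GEN, "Content", "Create, update, and delete"),
        (GEN, "Content", "Publish hosted feature layers"),
    },
    "Manage member profiles": {
        (ADM, "Members", "View all"),
        (ADM, "Members", "Update"),
    },
    "Delete members": {
        (GEN, "Members", "View"),
        (ADM, "Members", "Delete"),
        (ADM, "Members", "View all"),
        (ADM, "Content", "View all"),
        (ADM, "Content", "Reassign ownership"),
        (ADM, "Content", "Delete"),
        (ADM, "Groups", "View all"),
        (ADM, "Groups", "Reassign ownership"),
        (ADM, "Groups", "Delete"),
    },
}

# The note under "Delete members": withhold these two so that role members
# must reassign a departing member's content and groups instead of deleting.
DELETE_PRIVS = {(ADM, "Content", "Delete"), (ADM, "Groups", "Delete")}


def audit_role(granted, intended, reassign_only=False):
    """Return privileges missing per intended workflow and privileges
    granted beyond what those workflows need (least-privilege excess)."""
    granted = set(granted)
    needed, missing = set(), {}
    for name in intended:
        required = set(WORKFLOWS[name])  # KeyError on an unknown workflow
        if reassign_only and name == "Delete members":
            required -= DELETE_PRIVS
        needed |= required
        gap = required - granted
        if gap:
            missing[name] = sorted(gap)
    return {"missing": missing, "excess": sorted(granted - needed)}


def sample_role():
    """Constructed custom role meant for reassign-only offboarding."""
    role = set(WORKFLOWS["Delete members"]) - {(ADM, "Groups", "Delete")}
    role.discard((GEN, "Members", "View"))           # forgotten prerequisite
    role.add((GEN, "Sharing", "Share with public"))  # unrelated grant
    return role


if __name__ == "__main__":
    report = audit_role(sample_role(), ["Delete members"], reassign_only=True)
    for workflow, gap in report["missing"].items():
        print("cannot complete:", workflow)
        for level, category, name in gap:
            print(f"  missing {category} ({level}): {name}")
    for level, category, name in report["excess"]:
        print(f"excess   {category} ({level}): {name}")
```

With reassign_only set, the two administrative Delete privileges are treated as not required, so a role that still carries one of them shows it under excess.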