Organizations can use, create, and share a wide range of geographic content, including maps, scenes, apps, layers, and analytics. The ability of individual organization members to access and work with content in different ways depends on the privileges they have in the organization. Levels allow organizations to control the scope of privileges that can be assigned to members through roles.
Levels
Organizations use levels to allocate accounts based on the privileges that members need. Members are assigned a level when they are invited to the organization. The level determines which privileges are available to the member. ArcGIS offers two levels of membership.
Level 1 membership is for members who only need privileges to view content, such as maps and apps, that has been shared with them through the organization, as well as join groups. Level 2 membership is for members who need to view, create, and share content and own groups, in addition to other tasks.
For example, a content creator assigned a level 2 account can create and share a site selection app with a group of users in their organization. This app allows users to select a specific site and view attribute information about the site that should only be available to internal employees. A member with a level 1 account can join the group and view and interact with the app.
Roles
A role defines the set of privileges assigned to a member. Privileges are assigned to members through a default role or a custom role. Members are assigned a role when they are invited to the organization.
If you're not sure what role you were assigned or if you need more information about your role, click the Role Information button 
in the Role section of your profile.
Note:
Once the member joins, their role can be changed by administrators and those with privileges to change member roles. Changing roles to or from administrator can be done only by administrators.
Default roles
ArcGIS Online defines a set of privileges for the following four default roles:
- Viewer—View items such as maps, apps, demographics, and elevation analysis layers that have been shared with the member. Join groups owned by the organization. Use geocoding, geosearch, and network analysis (routing and directions). Members assigned the Viewer role cannot create, own, or share content, or perform analysis or data enrichment. The Viewer role can be assigned to level 1 or level 2 accounts.
- User—Viewer privileges plus the ability to see a customized view of the site, use the organization's maps, apps, layers, and tools, and join groups owned by the organization. Members assigned the User role can also create maps and apps, edit features, add items, share content, and create groups. The User role can be assigned to level 2 accounts.
- Publisher—User privileges plus the ability to publish features and map tiles as hosted web layers. Members assigned the Publisher role can also perform analysis on layers in maps. The Publisher role can be assigned to level 2 accounts.
- Administrator—Publisher privileges plus privileges to manage the organization and other users. An organization must have at least one administrator. However, there is no limit to the number of Administrator roles that can be assigned within an organization. It is recommended that an organization have at least two administrators, while restricting this role to those who require the additional privileges associated with it. The Administrator role can be assigned to level 2 accounts.
The following table shows the privileges defined for each of the default roles.
| Privilege | Default role | |||
|---|---|---|---|---|
Viewer | User | Publisher | Administrator | |
Use maps and apps |  | | | |
Use geosearch | | | | |
Use geocoding | | | | |
Use demographics | | | | |
Use elevation analysis | | | | |
Use directions and routing (network analysis) | | | | |
Join groups without item update capability | | | | |
Join groups with item update capability | | | | |
| | | ||
Use spatial analysis | | | | |
Use GeoEnrichment | | | | |
Create content | | | | |
Share maps, apps, and scenes | | | | |
Create groups | | | | |
Edit features | | | | |
Publish hosted web layers | | | ||
Perform analysis | | | ||
Manage Open Data sites | | |||
Invite users to organization | | |||
Manage organization resources | | |||
View subscription status | | |||
Configure website | | |||
Create custom roles | | |||
ArcGIS Marketplace provider (requires organization authorization) | | |||
Set up enterprise logins | | |||
Manage credit budgets | | |||
Enable and disable Esri access on member accounts | | |||
Disable multifactor authentication on member accounts | | |||
Change member role to or from administrator | | |||
Remove other administrators from the organization | | |||
Share content with public when organization does not allow members to share outside the organization | | |||
Create and own groups that allow members to update all items in the group | | |||
Note:
Most of the privileges listed above can also be assigned as part of a custom role; however, some administrative privileges are not available for custom roles as they are reserved for default administrators.
Custom roles
Organizations may want to refine the default roles into a more fine-grained set of privileges by creating custom roles. For example, your organization may want to assign some members the same privileges as a default User but without allowing them to edit feature data. This could be achieved by creating a custom role based on the default User role, turning off the editing privileges, and calling the custom role User without Editing or something similar.
Only default administrators—that is, those who have been assigned the Administrator role—can create, configure, and assign custom roles. Default administrators configure custom roles based on any combination of available general and administrative privileges. If you have a custom role, ask your administrator for a list of associated privileges.
The privileges that can be granted to a member through a custom role cannot exceed those associated with their assigned member level. For example, if a level 1 member is assigned a custom role that has more privileges than a level 1 account allows, the additional privileges will be disabled for that member.
Privileges
Privileges allow organization members to perform different tasks and workflows in an organization. For example, some members have privileges to create and publish content, while others have privileges to view content but cannot create their own.
General privileges
Members who perform specific tasks within the organization—create maps or edit features, for example—can be assigned the general privileges they need to work and share with groups, content, and features.
| General privileges | |
|---|---|
Members | View |
Groups | Create, update, and delete |
Join organizational groups | |
Join external groups | |
View groups shared with organization | |
Content | Create, update, and delete |
Publish hosted feature layers | |
Publish hosted tile layers | |
Publish hosted scene layers | |
View content shared with the organization | |
Sharing | Share with groups |
Share with organization | |
Share with public | |
Make groups visible to organization | |
Make groups visible to public | |
Make groups available to Open Data | |
Premium Content | Geocoding: Use ArcGIS World Geocoding Service (or a view of this locator) to convert addresses or places to map points (geocoding) such as when publishing a CSV file of addresses as hosted feature layers or adding a CSV file of addresses to a map (does not apply to your own locators configured for the organization) |
Network Analysis: Perform network analysis tasks such as create drive-time areas | |
Spatial Analysis: Perform spatial analysis tasks such as create buffers | |
GeoEnrichment: Use GeoEnrichment to enrich features | |
Demographics: Use premium demographic map layers | |
Elevation Analysis: Perform elevation analysis tasks on elevation data | |
Features | Edit: Edit features based on permissions set on the layer |
Edit with full control: Edit features with full control on editable hosted feature layers | |
Open Data | Manage Open Data site(s) Note:This privilege is only available if open data capabilities are enabled for the organization. |
Administrative privileges
The privileges listed below allow custom roles to assist the default administrators with managing members, groups, and content in the organization. These custom administrative roles do not include the full set of privileges reserved for default administrators—that is, those assigned the Administrator role.
| Administrative privileges | |
|---|---|
Members | View all: View all member account information |
Update: Update member account information, including resetting passwords | |
Delete: Delete member accounts | |
Invite: Invite members to the organization | |
Disable: Disable members from the organization | |
Change roles: Change roles of members Note:Only default administrators can change the role to and from the Administrator role. | |
Manage licenses: Manage licenses for members | |
Groups | View all: View group owned by members |
Update: Update group owned by members | |
Delete: Delete group owned by members | |
Reassign ownership: Reassign ownership of groups | |
Assign members: Assign members to groups and remove members from groups | |
Link to enterprise group: Link ArcGIS Online groups to enterprise groups | |
Create with update capabilities: Create and own groups that allow group members to update all items in the group | |
Content | View all: View content owned by members |
Update: Update and categorize content owned by members | |
Delete: Delete content owned by members | |
Reassign ownership: Reassign ownership of content | |
Manage categories: Configure content categories for the organization | |
ArcGIS Marketplace subscriptions | Request purchase information: Request purchase information in ArcGIS Marketplace |
Start trials: Start trials in ArcGIS Marketplace | |
Privileges reserved for default administrators
Certain administrative privileges are reserved for default administrators and are not available for custom roles. For example, only default administrators can configure the website and remove other administrators from the organization. The following is a list of privileges reserved for default administrators:
- Configure website
- Configure custom roles
- Set up enterprise logins
- Change member role to or from administrator
- Remove other administrators from the organization
- Share content with the public when the organization does not allow members to share outside the organization
- Assign credits
- View and review credit status
Privileges for common workflows
Some workflows require a combination of privileges.In some cases, members are responsible for performing multiple workflows. For example, a GIS analyst may need to use certain analysis tools as well as publish hosted feature layers, which require the privileges listed in the table below for the Use the analysis tools and Publish hosted feature and WFS layers workflows. If you cannot perform a function that you think your role should allow you to perform, verify that your administrator has enabled the full set of privileges required for the function.
| Workflow | Required privileges | |
|---|---|---|
General privileges | Administrative privileges | |
Use the analysis tools |
Note:Some tools require the following additional privileges:
| |
Publish hosted feature and WFS layers |
| |
Publish hosted tile layers |
| |
Publish hosted scene layers |
| |
Publish hosted elevation layers |
| |
Publish apps from Map Viewer or group page |
| |
Embed maps or groups |
| |
Manage content owned by members |
| |
Manage groups owned by members |
| |
Manage member profiles |
| |
Make groups available to open data sites |
| |
View subscription status |
| |
Add, update, and delete features in hosted feature layers that have editing enabled for add or update only |
| |