Control access in ArcGIS Monitor

The security of your ArcGIS Monitor deployment relies on proper, stringent authentication and authorization of your users. Authentication is the process of verifying the identity of a user, while authorization is the process of verifying that an authenticated user has the permission to access the requested resource or perform the requested operation. To enforce permissions for secured resources and operations, a user is first authenticated, then their authorization is verified. These terms are defined by your security model.

The security model for Monitor determines who can register and manage resources such as components and collections, and who can perform administrative tasks.

Users, roles, and permissions

Monitor manages access to secured resources using a role-based access control system. There are three main components in a role-based access control system: users, roles, and permissions.

Users

A user is any person or software agent accessing a Monitor resource. An identity store is a list of users who can make resource requests. Monitor uses a built-in identity store.

Roles

A role is assigned to a set of users and is used to grant a specific level of access to Monitor resources. Users who comprise a role are usually related by function, title, or some other relationship. For example, users who will perform administration should be assigned the Administrator role, while users who only need to view and explore components or metrics should be assigned the Viewer role. In the Monitor built-in identity store, a user can only be assigned to a single role. Monitor includes the following purpose-built roles:

  • Administrator—The Administrator role is given unrestricted access to Monitor capabilities. Administrators can fully manage system settings, register and unregister Monitor Agent machines and components, configure security settings, manage users, and manage all other capabilities in Monitor. This role should be restricted to users who perform Monitor administration functions.
  • Manager—The Manager role is given limited access to Monitor capabilities. Managers can manage all monitoring-related capabilities such as components, observers, metrics, collections, and incidents. However, they cannot configure or change Monitor system or security settings. This role should be restricted to users who manage monitored environments, but do not need access to configure Monitor system or security settings.
  • Viewer—The Viewer role is given restricted access to Monitor capabilities. Viewers can only view resources such as components, metrics, collections, and incidents, as well as create their own analysis views. This role should be assigned to users who only need to consume information in Monitor.

Permissions

Permissions grant authority to perform a certain task or access a certain resource. Permissions are inherent to a role and cannot be changed. Individual users can only acquire permissions by inheriting them from their assigned role. The following table lists the permissions assigned to each role:

| Permission | Viewer role | Manager role | Administrator role |
|---|---|---|---|
| View any alert | Yes | Yes | Yes |
| Manage any alert | No | Yes | Yes |
| View any analysis | Yes | Yes | Yes |
| Manage own analysis | Yes | Yes | Yes |
| Create own analysis | Yes | Yes | Yes |
| View any collection | Yes | Yes | Yes |
| Manage any collection | No | Yes | Yes |
| Create any collection | No | Yes | Yes |
| Delete any collection | No | Yes | Yes |
| View any agent | No | Yes | Yes |
| Manage any agent | No | Yes | Yes |
| Register any agent | No | Yes | Yes |
| Unregister any agent | No | Yes | Yes |
| View any component | Yes | Yes | Yes |
| Manage any component | No | Yes | Yes |
| View any metric | Yes | Yes | Yes |
| Manage any metric | No | Yes | Yes |
| View any observer | No | Yes | Yes |
| Manage any observer | No | Yes | Yes |
| Register any component | No | Yes | Yes |
| Unregister any component | No | Yes | Yes |
| View any label | Yes | Yes | Yes |
| Manage any label | No | Yes | Yes |
| Create any label | No | Yes | Yes |
| Delete any label | No | Yes | Yes |
| View any Notification | No | Yes | Yes |
| Manage any Notification | No | Yes | Yes |
| Create any Notification | No | Yes | Yes |
| Delete any Notification | No | Yes | Yes |
| View any Incident | Yes | Yes | Yes |
| Manage any Incident | No | Yes | Yes |
| Create any Incident | No | Yes | Yes |
| Delete any Incident | No | Yes | Yes |
| View Logs | No | Yes | Yes |
| Manage users | No | No | Yes |
| Manage system configuration | No | No | Yes |
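
The table above, applied as a least-privilege check (an added example, not Esri code or part of Monitor): it finds the lowest built-in role that covers the permissions a user needs, flags users assigned a higher role, and lists what a role grants beyond those needs. The permission names and grants are copied from the table; the function names and the sample assignments are constructed for illustration.

```python
# Added example. Grants are copied from the permissions table on this page;
# function names and SAMPLE are constructed, not part of ArcGIS Monitor.
ROLES = ["Viewer", "Manager", "Administrator"]  # least to most privileged
VIEWER = {"View any alert", "View any analysis", "Manage own analysis",
          "Create own analysis", "View any collection", "View any component",
          "View any metric", "View any label", "View any Incident"}
# What a Manager holds on top of Viewer, keyed by resource.
MANAGER_VERBS = {
    "alert": ["Manage"],
    "collection": ["Manage", "Create", "Delete"],
    "agent": ["View", "Manage", "Register", "Unregister"],
    "component": ["Manage", "Register", "Unregister"],
    "metric": ["Manage"],
    "observer": ["View", "Manage"],
    "label": ["Manage", "Create", "Delete"],
    "Notification": ["View", "Manage", "Create", "Delete"],
    "Incident": ["Manage", "Create", "Delete"],
}
MANAGER = VIEWER | {"View Logs"} | {
    f"{verb} any {res}" for res, verbs in MANAGER_VERBS.items() for verb in verbs}
ADMINISTRATOR = MANAGER | {"Manage users", "Manage system configuration"}
GRANTS = dict(zip(ROLES, [VIEWER, MANAGER, ADMINISTRATOR]))

def least_role(required):
    """Lowest built-in role whose fixed permission set covers `required`."""
    required = set(required)
    unknown = required - ADMINISTRATOR
    if unknown:
        raise ValueError(f"not a permission in the table: {sorted(unknown)}")
    return next(role for role in ROLES if required <= GRANTS[role])

def excess(role, required):
    """Permissions the role grants that the user's tasks do not need."""
    return GRANTS[role] - set(required)

def audit(assignments):
    """Return {user: (assigned, least)} for users holding more than they need."""
    findings = {}
    for user, (assigned, required) in assignments.items():
        least = least_role(required)
        if ROLES.index(assigned) > ROLES.index(least):
            findings[user] = (assigned, least)
    return findings

# Constructed sample: one role per user, as the built-in identity store requires.
SAMPLE = {
    "dashboard-svc": ("Administrator", {"View any metric", "View any Incident"}),
    "oncall": ("Manager", {"View Logs", "Manage any Incident"}),
    "ops-lead": ("Administrator", {"Manage users"}),
}
```

Because permissions are fixed per role, a user who needs only View Logs must be a Manager and inherits every other Manager permission with it; `excess("Manager", {"View Logs"})` lists them.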
