Control access in ArcGIS Monitor

The security of your ArcGIS Monitor deployment depends on proper, stringent authentication and authorization of your users. Authentication is the process of verifying the identity of a user, and authorization is the process of verifying that an authenticated user has the permission to access the requested resource or perform the requested operation. To enforce permissions for secured resources and operations, a user is first authenticated; then their authorization is verified. These terms are defined by your security model.

The security model for Monitor determines who can register and manage resources such as components and collections, and who can perform administrative tasks.

Users, roles, and permissions

Monitor manages access to secured resources using a role-based access control system. There are three main components in a role-based access control system: users, roles, and permissions.

Users

A user is any person or software agent accessing a Monitor resource. An identity store is a list of users who can make resource requests. Monitor uses a built-in identity store.

Roles

A role is assigned to a set of users and is used to grant a specific level of access to Monitor resources. Users who comprise a role are usually related by function, title, or some other relationship. For example, users who will perform administration tasks should be assigned the Administrator role, while users who only need to view and explore components or metrics should be assigned the Viewer role. In the Monitor built-in identity store, a user can only be assigned a single role. Monitor includes the following purpose-built roles:

  • Administrator—Administrators have unrestricted access to Monitor capabilities. Administrators can fully manage system settings, register and unregister Monitor Agent machines and components, configure security settings, and manage users and all other capabilities in Monitor. This role should be restricted to users who perform Monitor administration functions.
  • Manager—Managers have limited access to Monitor capabilities. Managers can manage all monitoring-related capabilities such as components, observers, metrics, collections, and incidents. However, they cannot configure or change Monitor system or security settings. This role should be restricted to users who manage monitored environments but do not need access to configure Monitor system or security settings.
  • Viewer—Viewers have restricted access to Monitor capabilities. Viewers can view resources such as components, metrics, alerts, and collections. This role should be assigned to users who only need to consume information in Monitor.

Permissions

Permissions grant authority to perform a certain task or access a certain resource. Permissions are inherent to a role and cannot be changed. Individual users acquire permissions by inheriting them from their assigned role. The following table lists the permissions assigned to each role:

| Permission | Viewer role | Manager role | Administrator role |
|---|---|---|---|
| View any alert | Yes | Yes | Yes |
| Manage any alert | No | Yes | Yes |
| Register any agent | No | Yes | Yes |
| View any agent | No | Yes | Yes |
| Manage any agent | No | Yes | Yes |
| Unregister any agent | No | Yes | Yes |
| Create analysis | No | Yes | Yes |
| View any analysis | Yes | Yes | Yes |
| Manage own analysis | No | Yes | Yes |
| Manage any analysis | No | No | Yes |
| Delete own analysis | No | Yes | Yes |
| Delete any analysis | No | No | Yes |
| Create collection | No | Yes | Yes |
| View any collection | Yes | Yes | Yes |
| Manage any collection | No | Yes | Yes |
| Delete any collection | No | Yes | Yes |
| Register any component | No | Yes | Yes |
| View any component | Yes | Yes | Yes |
| Manage any component | No | Yes | Yes |
| Unregister any component | No | Yes | Yes |
| Create dataview | No | Yes | Yes |
| View any dataview | No | Yes | Yes |
| Manage own dataview | No | Yes | Yes |
| Manage user-created dataview | No | No | Yes |
| Delete own dataview | No | Yes | Yes |
| Delete any user-created dataview | No | No | Yes |
| Create Incident | No | Yes | Yes |
| View any Incident | No | Yes | Yes |
| Manage any Incident | No | Yes | Yes |
| Delete any Incident | No | Yes | Yes |
| Create label | No | Yes | Yes |
| View any label | No | Yes | Yes |
| Manage any label | No | Yes | Yes |
| Delete any label | No | Yes | Yes |
| View system logs | No | Yes | Yes |
| View any metric | Yes | Yes | Yes |
| Manage any metric | No | Yes | Yes |
| Create any Notification | No | Yes | Yes |
| View any Notification | No | Yes | Yes |
| Manage any Notification | No | Yes | Yes |
| Delete any Notification | No | Yes | Yes |
| View any observer | No | Yes | Yes |
| Manage any observer | No | Yes | Yes |
| Manage system configuration | No | No | Yes |
| Manage users | No | No | Yes |
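
The following is an added example, not Esri code and not part of the original page: a least-privilege review that encodes the permission table above and reports, for each account, the lowest built-in role that covers the permissions it needs. The account names and needs in SAMPLE are constructed, and the input format is an assumption rather than a Monitor export.

```python
# Added example: permission and role names are from the page's table; SAMPLE is constructed.
def _names(text):
    return {name.strip() for name in text.split(";")}

VIEWER = _names("View any alert; View any analysis; View any collection; "
                "View any component; View any metric")
MANAGER = VIEWER | _names("""
    Manage any alert; Register any agent; View any agent; Manage any agent;
    Unregister any agent; Create analysis; Manage own analysis; Delete own analysis;
    Create collection; Manage any collection; Delete any collection;
    Register any component; Manage any component; Unregister any component;
    Create dataview; View any dataview; Manage own dataview; Delete own dataview;
    Create Incident; View any Incident; Manage any Incident; Delete any Incident;
    Create label; View any label; Manage any label; Delete any label;
    View system logs; Manage any metric; Create any Notification;
    View any Notification; Manage any Notification; Delete any Notification;
    View any observer; Manage any observer""")
ADMINISTRATOR = MANAGER | _names(
    "Manage any analysis; Delete any analysis; Manage user-created dataview; "
    "Delete any user-created dataview; Manage system configuration; Manage users")
# Ordered from least to most privileged, matching the table's columns.
ROLES = [("Viewer", VIEWER), ("Manager", MANAGER), ("Administrator", ADMINISTRATOR)]
RANK = {name: i for i, (name, _) in enumerate(ROLES)}

def minimum_role(needed):
    """Lowest built-in role whose permissions cover everything in `needed`."""
    needed = set(needed)
    unknown = needed - ADMINISTRATOR
    if unknown:  # a misspelled permission must not silently map to a role
        raise ValueError(f"not in the permission table: {sorted(unknown)}")
    return next(name for name, perms in ROLES if needed <= perms)

def review(assignments):
    """Compare each (user, assigned_role, needed_permissions) with the minimum role."""
    report = []
    for user, assigned, needed in assignments:
        minimum = minimum_role(needed)
        gap = RANK[assigned] - RANK[minimum]
        verdict = "over-privileged" if gap > 0 else "insufficient" if gap < 0 else "ok"
        report.append((user, assigned, minimum, verdict))
    return report

# Constructed sample input: account names and stated needs are illustrative only.
SAMPLE = [
    ("dashboard-svc", "Administrator", ["View any metric", "View any alert"]),
    ("ops-lead", "Manager", ["Manage any Incident", "Register any component"]),
    ("auditor", "Viewer", ["View system logs"]),
]
if __name__ == "__main__":
    print(*review(SAMPLE), sep="\n")
```

Because a user in the built-in identity store holds exactly one role, any account flagged over-privileged can be moved down to the reported minimum role without losing a permission it needs.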
