Over the last several releases, Esri has made incremental improvements to how its products incorporate custom roles and assign permissions and privileges. Because these improvements have been rolled out across product versions, a user who is not aware of the differences in behavior between versions could accidentally assign more privileges than intended. For this reason, Esri wants customers to be especially aware of how the security model changes when custom administrative permissions are used.
This FAQ provides awareness of the as-is state across versions and products and will be updated as improvements are made for new releases.
The ArcGIS Enterprise portal has a security model based on permissions and privileges. Permissions are granted by the owner of an item and allow another user or group of users access to that item. In contrast, privileges are “rights”, such as the right to edit feature services, create groups, administer users, or perform other tasks.
Privileges are assigned to user roles. A role is a set of privileges that are usually related to a user’s workflows or duties. In the Enterprise portal there are built-in roles such as Administrator, Publisher, User, or Viewer. These roles are assigned pre-defined sets of privileges. All named users of the ArcGIS Enterprise portal are assigned a role and inherit privileges from the role they are members of. It is also possible for administrators to define their own roles, referred to as “custom user roles”. These roles are assigned specific privileges by an administrator tailored to an organization’s needs.
There are two types of privileges: general and administrative. Administrative privileges are powerful. They provide the ability to perform system-wide operations (for example, changing security settings) or allow the normal permission model to be bypassed (for example, the ability to delete any item in the portal).
In the July 2020 release of ArcGIS Online, improvements have been made in the ArcGIS REST API to better differentiate between privileges allowed to built-in roles, as compared to custom roles. Additional role checks have been implemented to better differentiate between minimum administrative operations required for managing the ArcGIS Online content that a member owns, versus the privileges reserved for content owners or organization administrators. For instance, the owner of an item may choose to delegate tasks that require minimal privileges like 'viewing all members' to a group of users, but disallow operations reserved for super-users, such as replica management and schema updates.
In older versions of ArcGIS Enterprise, the emphasis was on ensuring that users assigned custom roles could perform their necessary workflows. For instance, a user who is a member of a role that has been assigned a privilege reserved for administrators (for example, delete any item) might find that they can log in to the administrative API for ArcGIS Server and perform actions there. It may not be immediately obvious why this level of access is necessary, but some tasks available in the ArcGIS Enterprise portal (such as deleting an item) require cascading operations that occur “behind the scenes” to ensure the task completes successfully. These actions must occur under the context of the authorized user.
Over the past few releases, Esri has focused on hardening ArcGIS Enterprise, making administrative privileges more restrictive. At 10.7.1, the sharing API within the Enterprise portal was hardened. At 10.8, the portal’s administrative API was hardened. At 10.8.1, ArcGIS Server’s administrative API was hardened. Hardening efforts will continue post-10.8.1.
Regardless of the platform, it is always recommended that administrative privileges be granted sparingly and only when strictly necessary, even when using custom roles. Custom roles with administrative privileges should only be given to individuals who would be otherwise trusted to be a full administrator. Custom roles with administrative privileges may not have as much power as a 'full' administrator, but until all operations have been fully hardened, members of custom roles that have been assigned privileges reserved for administrators may be able to perform more actions in ArcGIS Enterprise than are strictly necessary. Esri strongly recommends that organizations upgrade to the latest version of ArcGIS Enterprise to take advantage of the latest enhancements in this and other areas.
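As an added example (not Esri's code), the following Python audits a constructed listing of custom roles and members and flags every role, and every member, that holds any administrative privilege, which is the population the guidance above says to treat as full administrators. It assumes the portal's convention that administrative privileges are namespaced under `portal:admin:` and that the role and member records are shaped like the portal's role and user listings.

```python
"""Flag custom roles, and their members, that carry administrative privileges.

Added example, not Esri's code. Runs offline on constructed data shaped like
the portal's custom-role listing (id, name, privileges) and member listing
(username, assigned role id).
"""

# Assumption: administrative privileges are namespaced this way; general
# privileges (portal:user:*, portal:publisher:*, features:*) are not.
ADMIN_PREFIX = "portal:admin:"

# Constructed sample: custom roles as an administrator might define them.
CUSTOM_ROLES = [
    {"id": "role_gis_analyst", "name": "GIS Analyst",
     "privileges": ["portal:user:createItem", "portal:user:createGroup",
                    "portal:publisher:publishFeatures", "features:user:edit"]},
    {"id": "role_content_steward", "name": "Content Steward",
     "privileges": ["portal:user:createItem", "portal:admin:viewUsers",
                    "portal:admin:deleteItems"]},
    {"id": "role_helpdesk", "name": "Help Desk",
     "privileges": ["portal:admin:viewUsers"]},
]

# Constructed sample: members and the role id each one is assigned.
MEMBERS = [
    {"username": "alice", "role": "role_gis_analyst"},
    {"username": "bob", "role": "role_content_steward"},
    {"username": "carol", "role": "role_helpdesk"},
    {"username": "dave", "role": "role_content_steward"},
]


def admin_privileges(role):
    """Return the administrative privileges a role holds, sorted."""
    return sorted(p for p in role["privileges"] if p.startswith(ADMIN_PREFIX))


def roles_to_treat_as_admin(roles):
    """Map role id -> admin privileges for every custom role holding any.

    Even a single admin privilege (e.g. 'view all members') puts the role in
    the trust-as-full-administrator category described in this FAQ.
    """
    return {r["id"]: admin_privileges(r) for r in roles if admin_privileges(r)}


def members_with_admin_capable_roles(roles, members):
    """Map username -> (role name, admin privileges) for affected members."""
    flagged = roles_to_treat_as_admin(roles)
    names = {r["id"]: r["name"] for r in roles}
    return {m["username"]: (names[m["role"]], flagged[m["role"]])
            for m in members if m["role"] in flagged}


if __name__ == "__main__":
    report = members_with_admin_capable_roles(CUSTOM_ROLES, MEMBERS)
    for user, (role, privs) in sorted(report.items()):
        print(f"{user}: {role} -> {', '.join(privs)}")
```

Against a live portal, the two constructed lists would be replaced by the role and user listings fetched from the portal's sharing API; the audit logic is unchanged.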