URL: https://[root]/portals/[portalID]/roles/[roleID]/privileges
Example usage
The following is a sample request URL for an ArcGIS Online organization that is used to access the privileges resource:
https://org.arcgis.com/sharing/rest/portals/0123456789ABCDEF/roles/hzHOGSAky23XJu7Q/privileges?f=pjson
The following is a sample request URL for an ArcGIS Enterprise organization that is used to access the privileges resource:
https://machine.domain.com/webadaptor/sharing/rest/portals/0123456789ABCDEF/roles/hzHOGSAky23XJu7Q/privileges?f=pjson
Description
The privileges resource lists all privileges for a custom role.
For ArcGIS Enterprise organization members, the privileges they are assigned will determine whether they have access to the Portal Admin and Server Admin API directories. Beginning at 10.8.1 for the Server Admin API directory, and 10.8 for the Portal Admin API directory, organization members can only access the resources and operations associated with, or required by, their role's privileges. This restrictive access model allows organizations to continue to delegate administrative tasks without providing full administrative access.
For more information on the fine-grained access model, see the manage access documentation for the Portal Admin and Server Admin API.
Request parameters
Parameter | Details |
---|---|
f | The response format. The default response format is html. Values: html, json, pjson |
Response properties
Property | Details |
---|---|
id | The ID of the role. |
privileges | An array of strings with predefined permissions in each. |
ArcGIS Online supported privileges
The following sections outline the supported privileges in ArcGIS Online that have predefined permissions.
General privileges
Members
Privilege | Description |
---|---|
portal:user:viewOrgUsers | Grants the ability to view members of the organization. |
Groups
Privilege | Description |
---|---|
portal:user:createGroup | Grants the ability for a member to create, edit, and delete their own groups. |
portal:user:joinGroup | Grants the ability to join groups in the organization. |
portal:user:joinNonOrgGroup | Grants the ability to join groups external to the organization. |
portal:user:viewOrgGroups | Grants the ability to view groups shared with the organization. |
portal:user:invitePartneredCollaborationMembers | Grants the ability to invite members from partnered collaboration organizations to groups. |
portal:user:addExternalMembersToGroup | Grants the ability to create groups that allow members from other organizations, as well as invite external members to groups. |
Content
Privilege | Description |
---|---|
portal:user:createItem | Grants the ability for a member to create, edit, and delete their own content. |
portal:publisher:publishFeatures | Grants the ability to publish hosted feature layers from shapefiles, CSV files, and so on. |
portal:publisher:publishTiles | Grants the ability to publish hosted tile layers from tile packages, features, and so on. |
portal:publisher:publishScenes | Grants the ability to publish hosted scene layers. |
portal:publisher:publishDynamicImagery | Grants the ability to publish hosted dynamic imagery layers from a single image or collection of images. |
portal:user:viewOrgItems | Grants the ability to view content shared with the organization. |
premium:publisher:createNotebooks | Grants the ability to create and edit interactive notebook documents. |
premium:publisher:scheduleNotebooks | Grants the ability to schedule notebooks. |
portal:user:viewTracks | Grants the ability to view members' location tracks via shared track views when location tracking is enabled. |
portal:user:reassignItems | Introduced at ArcGIS Enterprise 11.0—Grants a user the ability to reassign only their content to another member with the privilege to receive content. |
portal:user:receiveItems | Introduced at ArcGIS Enterprise 11.0—Grants a user the ability to receive content that is reassigned to them by another member with the privilege to reassign content. |
Sharing
Privilege | Description |
---|---|
portal:user:shareToGroup | Grants the ability to share content to groups. |
portal:user:shareToOrg | Grants the ability to share content to the organization. |
portal:user:shareToPublic | Grants the ability to share content to all users of the portal. |
portal:user:shareGroupToOrg | Grants the ability to make groups discoverable by the organization. |
portal:user:shareGroupToPublic | Grants the ability to make groups discoverable by all users of the portal. |
opendata:user:designateGroup | Grants the ability to designate groups in the organization as being available for use in Open Data. |
Premium content
Privilege | Description |
---|---|
premium:user:geocode | Grants the ability to perform large-volume geocoding tasks with the Esri World Geocoder, such as publishing a CSV file of addresses as a hosted feature layer. |
premium:user:networkanalysis | Grants the ability to perform network analysis tasks such as routing and drive-time areas. |
premium:user:spatialanalysis | Grants the ability to perform spatial analysis tasks. |
premium:user:geoenrichment | Grants the ability to geoenrich features. |
premium:user:demographics | Grants the ability to make use of premium demographic data. |
premium:user:featurereport | Grants the ability to create feature reports in ArcGIS Survey123. |
premium:publisher:createAdvancedNotebooks | Grants the ability to import and use ArcPy modules in notebooks. |
premium:user:places | Grants the ability to perform local place, or point of interest search with the new places-service (beta). Available for developer subscriptions only. |
Features
Privilege | Description |
---|---|
features:user:edit | Grants the ability to edit features in editable layers, according to the edit options enabled on the layer. |
features:user:fullEdit | Grants the ability to add, delete, and update features in a hosted feature layer regardless of the editing options enabled on the layer. |
Administrative privileges
Members
Privilege | Description |
---|---|
portal:admin:viewUsers | Grants the ability to view full member account information in the organization. |
portal:admin:updateUsers | Grants the ability to update member account information and categorize members in the organization. |
portal:admin:deleteUsers | Grants the ability to delete member accounts in the organization. |
portal:admin:inviteUsers | Grants the ability to invite members to the organization. |
portal:admin:disableUsers | Grants the ability to enable and disable member accounts in the organization. |
portal:admin:changeUserRoles | Grants the ability to change the role a member is assigned in the organization; however, it does not grant the ability to promote a member to, or demote a member from, the Administrator role. That privilege is reserved for the Administrator role alone. |
portal:admin:manageLicenses | Grants the ability to assign licenses to members of the organization. |
portal:admin:updateMemberCategorySchema | Grants the ability to configure the organization member category schema. |
Groups
Privilege | Description |
---|---|
portal:admin:viewGroups | Grants the ability to view all groups in the organization. |
portal:admin:updateGroups | Grants the ability to update groups in the organization. |
portal:admin:deleteGroups | Grants the ability to delete groups in the organization. |
portal:admin:reassignGroups | Grants the ability to reassign groups to other members in the organization. |
portal:admin:assignToGroups | Grants the ability to assign members to, and remove members from, groups in the organization. |
portal:admin:manageEnterpriseGroups | Grants the ability to link group membership to an enterprise group. |
portal:admin:createUpdateCapableGroup | Grants the ability to create and own groups with item update capabilities. |
Content
Privilege | Description |
---|---|
portal:admin:viewItems | Grants the ability to view all content in the organization. |
portal:admin:updateItems | Grants the ability to update and categorize content in the organization and edit hosted feature layers in your organization. |
portal:admin:deleteItems | Grants the ability to delete content in the organization. |
portal:admin:reassignItems | Grants the ability to reassign content to other members in the organization. |
portal:admin:updateItemCategorySchema | Grants the ability to configure the organization content category schema. |
portal:admin:shareToOrg | Grants the ability to share other members' content to the organization. |
portal:admin:shareToPublic | Grants the ability to share other members' content to all users of the portal. |
ArcGIS Marketplace subscriptions
Privilege | Description |
---|---|
marketplace:admin:manage | Grants the ability to create listings and list items and manage subscriptions in ArcGIS Marketplace. |
marketplace:admin:purchase | Grants the ability to request purchase information about apps and data in ArcGIS Marketplace. |
marketplace:admin:startTrial | Grants the ability to start trial subscriptions in ArcGIS Marketplace. |
Organization settings
Privilege | Description |
---|---|
portal:admin:manageSecurity | Grants the ability to manage the organization's security and infrastructure settings. |
portal:admin:manageWebsite | Grants the ability to manage the organization's website settings. |
portal:admin:manageCollaborations | Grants the ability to manage the organization's collaborations. |
portal:admin:manageCredits | Grants the ability to manage the organization's credit budgeting settings. |
portal:admin:manageRoles | Grants the ability to manage the organization's member roles. |
portal:admin:manageUtilityServices | Grants the ability to manage the organization's utility service settings. |
Open data
Privilege | Description |
---|---|
opendata:user:openDataAdmin | Grants the ability to manage Open Data Sites for the organization. |
ArcGIS Enterprise supported privileges
The following sections outline the supported privileges in ArcGIS Enterprise that have predefined permissions.
General privileges
Members
Privilege | Description |
---|---|
portal:user:viewOrgUsers | Grants the ability to view members of the organization. |
Groups
Privilege | Description |
---|---|
portal:user:createGroup | Grants the ability for a member to create, edit, and delete their own groups. |
portal:user:joinGroup | Grants the ability to request to join groups in the organization. |
portal:user:viewOrgGroups | Grants the ability to discover groups that are configured to allow portal members to view them. |
Content
Privilege | Description |
---|---|
portal:user:createItem | Grants the ability for a member to create, edit, and delete their own content. |
portal:publisher:publishFeatures | Grants the ability to publish hosted feature layers from shapefiles, CSV files, and apps like ArcGIS Pro. This privilege is required when using apps that create hosted feature layers, such as ArcGIS Survey123 and ArcGIS Workforce. |
portal:publisher:publishTiles | Grants the ability to publish hosted tile layers to the portal from tile packages or apps like ArcGIS Pro. |
portal:publisher:publishScenes | Grants the ability to publish hosted scene layers from within the portal and from apps like ArcGIS Pro. |
portal:publisher:publishDynamicImagery | Grants the ability to publish hosted dynamic imagery layers from a single image or collection of images. Note: This privilege requires that your deployment be configured for raster analysis. |
portal:publisher:publishServerServices | Grants the ability to publish ArcGIS Server web layers to ArcGIS Server sites that are federated with the portal. These services often reference registered data from geodatabases or file-based data sources. This privilege is also required for members who will bulk publish layers from a data store item. |
portal:publisher:publishKnowledgeGraph | Grants the ability to publish hosted knowledge graphs in ArcGIS Pro. This privilege is only visible if an ArcGIS Knowledge Server is configured for your organization. |
portal:user:viewOrgItems | Grants the ability to view content shared with the organization. |
portal:publisher:registerDataStores | Grants the ability to add data store items to the portal. |
portal:publisher:bulkPublishFromDataStores | Grants the owner of a database data store item the ability to publish feature and map layers from all feature classes and tables that can be accessed in the database. |
portal:user:viewTracks | Grants the ability to view members' location tracks via shared track views when location tracking is enabled. |
premium:publisher:createNotebooks | Grants the ability to open and run notebooks, including shared notebooks and notebooks created from a notebook file that has been imported to the portal, and create and edit notebooks using the ArcGIS Notebooks Standard runtime. This privilege is only visible if Notebook Server is configured for your organization. Note: This privilege is required for users who will be running web tools published from a notebook. |
premium:publisher:scheduleNotebooks | Grants the ability to schedule future runs of ArcGIS Notebooks. This privilege is only visible if Notebook Server is configured for your organization. |
portal:user:reassignItems | Introduced at ArcGIS Enterprise 11.0—Grants a user the ability to reassign only their content to another member with the privilege to receive content. |
portal:user:receiveItems | Introduced at ArcGIS Enterprise 11.0—Grants a user the ability to receive content that is reassigned to them by another member with the privilege to reassign content. |
Sharing
Privilege | Description |
---|---|
portal:user:shareToGroup | Grants an organization member the ability to share their owned content with any groups to which they belong. |
portal:user:shareToOrg | Grants organization members the ability to share any items they own with their organization. |
portal:user:shareToPublic | Grants organization members the ability to share any items they own with everyone, including the public. |
portal:user:shareGroupToOrg | Grants the ability to make any group a member creates discoverable. It is recommended that this privilege be assigned to members who also have the portal:user:createGroup privilege. |
portal:user:shareGroupToPublic | Grants the ability to make any group owned by an organization member visible to everyone in the organization and to the public, allowing anonymous portal users to view the group. It is recommended that this privilege be assigned to members who also have the portal:user:createGroup privilege. |
Content and Analysis
Privilege | Description |
---|---|
premium:user:geocode | Grants the ability to use ArcGIS World Geocoding Service to convert addresses or places to map points and store the results. |
premium:user:networkanalysis | Grants the ability to perform network analysis tasks such as routing and drive-time areas. |
premium:user:spatialanalysis | Grants the ability to perform spatial analysis tasks, such as creating buffers. |
premium:user:geoenrichment | Grants the ability to use the GeoEnrichment service to access demographic information. |
premium:publisher:geoanalytics | Grants the ability to perform GeoAnalytics tasks. |
premium:publisher:rasteranalysis | Grants the ability to use raster analysis tools. This privilege requires that your deployment be configured for raster analysis. |
premium:publisher:createAdvancedNotebooks | Grants the ability to author notebooks using advanced runtimes. This privilege is only available if Notebook Server is configured for your organization. |
Grants the ability to run web tools published from notebooks. This privilege is only available if Notebook Server is configured for your organization. |
Features
Privilege | Description |
---|---|
features:user:edit | Grants the ability to edit features based on a layer's permissions and update schema on a knowledge graph layer. |
features:user:fullEdit | Grants the ability to add, delete, and update features and attributes in a hosted feature layer regardless of the editing options enabled on the layer. |
Version management
Privilege | Description |
---|---|
features:user:manageVersions | Grants the ability to view, alter, and delete all branch versions accessed through an ArcGIS Server web feature layer, as well as the ability to manage version locks. Note: If this privilege is assigned in the front-end of ArcGIS Enterprise portal, the following privileges are assigned by default. Users assigned the features:user:manageVersions privilege and those from the list below are considered to be version administrators.
|
Webhooks
Privilege | Description |
---|---|
portal:publisher:createFeatureWebhook | Grants the ability to create, edit, and delete their own feature layer webhooks. |
Administrative privileges
Members
Privilege | Description |
---|---|
portal:admin:viewUsers | Grants the ability to view full member account information in the organization. |
portal:admin:updateUsers | Grants the ability to update member account information, reset passwords, and assign or unassign member categories. Note: Only members assigned the default administrator role can edit the password of another member who has also been assigned the default administrator role. A member with a custom role that includes portal:admin:updateUsers will not be able to update the password of a default administrator. |
portal:admin:deleteUsers | Grants the ability to delete member accounts in the organization. |
portal:admin:inviteUsers | Grants the ability to add members to the organization. |
portal:admin:disableUsers | Grants the ability to enable and disable member accounts in the organization. |
portal:admin:changeUserRoles | Grants the ability to change the role a member is assigned in the organization; however, it does not grant the ability to promote a member to, or demote a member from, the default administrator role. That privilege is reserved for only members assigned the default administrator role. |
portal:admin:manageLicenses | Grants the ability to manage licenses for organization members. |
portal:admin:updateMemberCategorySchema | Grants the ability to configure the organization member category schema. |
Groups
Privilege | Description |
---|---|
portal:admin:viewGroups | Grants the ability to view all groups in the organization. |
portal:admin:updateGroups | Grants the ability to update member-owned groups in the organization. |
portal:admin:deleteGroups | Grants the ability to delete member-owned groups in the organization. |
portal:admin:reassignGroups | Grants the ability to reassign groups to other members in the organization. |
portal:admin:assignToGroups | Grants the ability to assign members to, and remove members from, groups in the organization. |
portal:admin:manageEnterpriseGroups | Grants the ability to link group membership to organization-specific groups. |
portal:admin:createUpdateCapableGroup | Grants the ability to create and own groups that allow group members to update all items in the group (shared update groups). |
Content
Privilege | Description |
---|---|
portal:admin:viewItems | Grants the ability to view all member content in the organization. |
portal:admin:updateItems | Grants the ability to update and categorize member content in the organization. |
portal:admin:deleteItems | Grants the ability to delete member-owned content. |
portal:admin:reassignItems | Grants the ability to reassign content to other members in the organization. |
portal:admin:updateItemCategorySchema | Grants the ability to configure the organization content category schema. |
portal:publisher:publishServerGPServices | Grants the ability to publish web tools created in ArcGIS Pro to a federated server or publish web tools from a notebook. |
portal:admin:shareToOrg | Grants the ability to share content owned by other members of your organization with the organization. |
portal:admin:shareToPublic | Grants the ability to share other members' content to all users of the portal. |
Webhooks
Privilege | Description |
---|---|
portal:admin:createGPWebhook | Grants the ability to create, edit, and delete geoprocessing webhooks. |
Organization settings
Privilege | Description |
---|---|
portal:admin:manageSecurity | Grants the ability to manage the portal's security settings. |
portal:admin:manageWebsite | Grants the ability to manage the organization's website settings. |
portal:admin:manageCollaborations | Grants the ability to manage the organization's collaborations. |
portal:admin:manageRoles | Grants the ability to manage the organization's member roles. |
portal:admin:manageServers | Grants the ability to manage the portal's server settings. |
portal:admin:manageUtilityServices | Grants the ability to manage the organization's utility service settings. |
portal:admin:manageWebhooks | Grants the ability to create, edit, and delete organizational webhooks and manage all webhooks within the portal. |
JSON Response syntax
{
  "id": "<role id>",
  "privileges": [
    "<privilege1>",
    "<privilege2>",
    "<privilege3>",
    "<privilege4>",
    "<privilege5>"
  ]
}
JSON Response example
{
  "id": "hzHOGSAky23XJu7Q",
  "privileges": [
    "features:user:edit",
    "features:user:fullEdit",
    "opendata:user:designateGroup",
    "portal:admin:viewUsers",
    "portal:user:createGroup"
  ]
}
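
The following is an added example, not Esri code: a least-privilege review of one privileges response, run offline against the JSON response example above. The function names and the watch list are assumptions of this example. It also shows that matching on the `:admin:` segment alone misses two privileges this page lists under Administrative privileges.

```python
import json

# Privileges this page lists under "Administrative privileges" although their
# middle segment is not "admin"; a plain ":admin:" match would miss them.
ADMIN_SECTION_EXTRAS = {
    "opendata:user:openDataAdmin",
    "portal:publisher:publishServerGPServices",
}

# Reviewer's watch list (an assumption of this example, not an Esri rating):
# privileges whose descriptions on this page reach beyond a member's own scope.
WATCH_LIST = {
    "portal:admin:manageSecurity",
    "portal:admin:manageRoles",
    "portal:admin:changeUserRoles",
    "portal:admin:updateUsers",
    "portal:admin:shareToPublic",
    "portal:user:shareToPublic",
    "features:user:fullEdit",
}


def privileges_url(root, portal_id, role_id, fmt="json"):
    """Fill in the page's URL template; fmt is one of html, json, pjson."""
    if fmt not in ("html", "json", "pjson"):
        raise ValueError(f"unsupported format: {fmt}")
    return f"{root.rstrip('/')}/portals/{portal_id}/roles/{role_id}/privileges?f={fmt}"


def audit_role(response_text):
    """Classify the privileges in one JSON body of the privileges resource."""
    doc = json.loads(response_text)
    privs = doc.get("privileges") if isinstance(doc, dict) else None
    if not isinstance(privs, list):
        # A JSON body without a privileges array is not a role listing.
        raise ValueError("response has no 'privileges' array")
    report = {"id": doc.get("id"), "administrative": [], "watch": [], "malformed": []}
    for p in privs:
        parts = p.split(":") if isinstance(p, str) else []
        if len(parts) != 3 or not all(parts):
            report["malformed"].append(p)  # not product:tier:name
            continue
        if parts[1] == "admin" or p in ADMIN_SECTION_EXTRAS:
            report["administrative"].append(p)
        if p in WATCH_LIST:
            report["watch"].append(p)
    return report


# The "JSON Response example" from this page.
SAMPLE = """{
  "id": "hzHOGSAky23XJu7Q",
  "privileges": [
    "features:user:edit", "features:user:fullEdit",
    "opendata:user:designateGroup", "portal:admin:viewUsers",
    "portal:user:createGroup"
  ]
}"""

if __name__ == "__main__":
    print(privileges_url("https://org.arcgis.com/sharing/rest",
                         "0123456789ABCDEF", "hzHOGSAky23XJu7Q", "pjson"))
    print(json.dumps(audit_role(SAMPLE), indent=2))
```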