
/[roleID]/privileges: Privileges

  • URL: https://[root]/portals/[portalID]/roles/[roleID]/privileges

Example usage

The following is a sample request URL for an ArcGIS Online organization that is used to access the privileges resource:

https://org.arcgis.com/sharing/rest/portals/0123456789ABCDEF/roles/hzHOGSAky23XJu7Q/privileges?f=pjson

The following is a sample request URL for an ArcGIS Enterprise organization that is used to access the privileges resource:

https://machine.domain.com/webadaptor/sharing/rest/portals/0123456789ABCDEF/roles/hzHOGSAky23XJu7Q/privileges?f=pjson

Description

The privileges resource lists all privileges for a custom role.

For ArcGIS Enterprise organization members, the privileges they are assigned will determine whether they have access to the Portal Admin and Server Admin API directories. Beginning at 10.8.1 for the Server Admin API directory, and 10.8 for the Portal Admin API directory, organization members can only access the resources and operations associated with, or required by, their role's privileges. This restrictive access model allows organizations to continue to delegate administrative tasks without providing full administrative access.

For more information on the fine-grained access model, see the manage access documentation for the Portal Admin and Server Admin API.

Request parameters

Parameter | Details
f

The response format. The default response format is html.

Values: html | json | pjson

Response properties

Property | Details
id

The ID of the role.

privileges

An array of strings with predefined permissions in each.

Example


[
  "features:user:edit",
  "features:user:fullEdit",
  "opendata:user:designateGroup",
  "portal:admin:viewUsers",
  "portal:user:createGroup"
]

ArcGIS Online supported privileges

The following sections outline the supported privileges in ArcGIS Online that have predefined permissions.

General privileges

Members

Privilege | Description
portal:user:viewOrgUsers

Grants the ability to view members of the organization.

Groups

Privilege | Description
portal:user:createGroup

Grants the ability for a member to create, edit, and delete their own groups.

portal:user:joinGroup

Grants the ability to join groups in the organization.

portal:user:joinNonOrgGroup

Grants the ability to join groups external to the organization.

portal:user:viewOrgGroups

Grants the ability to view groups shared with the organization.

portal:user:invitePartneredCollaborationMembers

Grants the ability to invite members from partnered collaboration organizations to groups.

portal:user:addExternalMembersToGroup

Grants the ability to create groups that allow members from other organizations, as well as invite external members to groups.

Content

Privilege | Description
portal:user:createItem

Grants the ability for a member to create, edit, and delete their own content.

portal:publisher:publishFeatures

Grants the ability to publish hosted feature layers from shapefiles, CSV files, and so on.

portal:publisher:publishTiles

Grants the ability to publish hosted tile layers from tile packages, features, and so on.

portal:publisher:publishScenes

Grants the ability to publish hosted scene layers.

portal:publisher:publishDynamicImagery

Grants the ability to publish hosted dynamic imagery layers from a single image or collection of images.

portal:user:viewOrgItems

Grants the ability to view content shared with the organization.

premium:publisher:createNotebooks

Grants the ability to create and edit interactive notebook documents.

premium:publisher:scheduleNotebooks

Grants the ability to schedule notebooks.

portal:user:viewTracks

Grants the ability to view members' location tracks via shared track views when location tracking is enabled.

portal:user:reassignItems

Introduced at ArcGIS Enterprise 11.0—Grants a user the ability to reassign only their content to another member with the privilege to receive content.

portal:user:receiveItems

Introduced at ArcGIS Enterprise 11.0—Grants a user the ability to receive content that is reassigned to them by another member with the privilege to reassign content.

Sharing

Privilege | Description
portal:user:shareToGroup

Grants the ability to share content to groups.

portal:user:shareToOrg

Grants the ability to share content to the organization.

portal:user:shareToPublic

Grants the ability to share content to all users of the portal.

portal:user:shareGroupToOrg

Grants the ability to make groups discoverable by the organization.

portal:user:shareGroupToPublic

Grants the ability to make groups discoverable by all users of the portal.

opendata:user:designateGroup

Grants the ability to designate groups in the organization as being available for use in Open Data.

Premium content

Privilege | Description
premium:user:geocode

Grants the ability to perform large-volume geocoding tasks with the Esri World Geocoder, such as publishing a CSV file of addresses as a hosted feature layer.

premium:user:networkanalysis

Grants the ability to perform network analysis tasks such as routing and drive-time areas.

premium:user:spatialanalysis

Grants the ability to perform spatial analysis tasks.

premium:user:geoenrichment

Grants the ability to geoenrich features.

premium:user:demographics

Grants the ability to make use of premium demographic data.

premium:user:featurereport

Grants the ability to create feature reports in ArcGIS Survey123.

premium:publisher:createAdvancedNotebooks

Grants the ability to import and use ArcPy modules in notebooks.

premium:user:places

Grants the ability to perform local place, or point of interest, search with the new places-service (beta). Available for developer subscriptions only.

Features

Privilege | Description
features:user:edit

Grants the ability to edit features in editable layers, according to the edit options enabled on the layer.

features:user:fullEdit

Grants the ability to add, delete, and update features in a hosted feature layer regardless of the editing options enabled on the layer.

Administrative privileges

Members

Privilege | Description
portal:admin:viewUsers

Grants the ability to view full member account information in the organization.

portal:admin:updateUsers

Grants the ability to update member account information and categorize members in the organization.

portal:admin:deleteUsers

Grants the ability to delete member accounts in the organization.

portal:admin:inviteUsers

Grants the ability to invite members to the organization.

portal:admin:disableUsers

Grants the ability to enable and disable member accounts in the organization.

portal:admin:changeUserRoles

Grants the ability to change the role a member is assigned in the organization; however, it does not grant the ability to promote a member to, or demote a member from, the Administrator role. That privilege is reserved for the Administrator role alone.

portal:admin:manageLicenses

Grants the ability to assign licenses to members of the organization.

portal:admin:updateMemberCategorySchema

Grants the ability to configure the organization member category schema.

Groups

Privilege | Description
portal:admin:viewGroups

Grants the ability to view all groups in the organization.

portal:admin:updateGroups

Grants the ability to update groups in the organization.

portal:admin:deleteGroups

Grants the ability to delete groups in the organization.

portal:admin:reassignGroups

Grants the ability to reassign groups to other members in the organization.

portal:admin:assignToGroups

Grants the ability to assign members to, and remove members from, groups in the organization.

portal:admin:manageEnterpriseGroups

Grants the ability to link group membership to an enterprise group.

portal:admin:createUpdateCapableGroup

Grants the ability to create and own groups with item update capabilities.

Content

Privilege | Description
portal:admin:viewItems

Grants the ability to view all content in the organization.

portal:admin:updateItems

Grants the ability to update and categorize content in the organization and edit hosted feature layers in your organization.

portal:admin:deleteItems

Grants the ability to delete content in the organization.

portal:admin:reassignItems

Grants the ability to reassign content to other members in the organization.

portal:admin:updateItemCategorySchema

Grants the ability to configure the organization content category schema.

portal:admin:shareToOrg

Grants the ability to share other members' content to the organization.

portal:admin:shareToPublic

Grants the ability to share other members' content to all users of the portal.

ArcGIS Marketplace subscriptions

Privilege | Description
marketplace:admin:manage

Grants the ability to create listings and list items and manage subscriptions in ArcGIS Marketplace.

marketplace:admin:purchase

Grants the ability to request purchase information about apps and data in ArcGIS Marketplace.

marketplace:admin:startTrial

Grants the ability to start trial subscriptions in ArcGIS Marketplace.

Organization settings

Privilege | Description
portal:admin:manageSecurity

Grants the ability to manage the organization's security and infrastructure settings.

portal:admin:manageWebsite

Grants the ability to manage the organization's website settings.

portal:admin:manageCollaborations

Grants the ability to manage the organization's collaborations.

portal:admin:manageCredits

Grants the ability to manage the organization's credit budgeting settings.

portal:admin:manageRoles

Grants the ability to manage the organization's member roles.

portal:admin:manageUtilityServices

Grants the ability to manage the organization's utility service settings.

Open data

Privilege | Description
opendata:user:openDataAdmin

Grants the ability to manage Open Data Sites for the organization.

ArcGIS Enterprise supported privileges

The following sections outline the supported privileges in ArcGIS Enterprise that have predefined permissions.

General privileges

Members

Privilege | Description
portal:user:viewOrgUsers

Grants the ability to view members of the organization.

Groups

Privilege | Description
portal:user:createGroup

Grants the ability for a member to create, edit, and delete their own groups.

portal:user:joinGroup

Grants the ability to request to join groups in the organization.

portal:user:viewOrgGroups

Grants the ability to discover groups that are configured to allow portal members to view them.

Content

Privilege | Description
portal:user:createItem

Grants the ability for a member to create, edit, and delete their own content.

portal:publisher:publishFeatures

Grants the ability to publish hosted feature layers from shapefiles, CSV files, and apps like ArcGIS Pro. This privilege is required when using apps that create hosted feature layers, such as ArcGIS Survey123 and ArcGIS Workforce.

portal:publisher:publishTiles

Grants the ability to publish hosted tile layers to the portal from tile packages or apps like ArcGIS Pro.

portal:publisher:publishScenes

Grants the ability to publish hosted scene layers from within the portal and from apps like ArcGIS Pro.

portal:publisher:publishDynamicImagery

Grants the ability to publish hosted dynamic imagery layers from a single image or collection of images.

Note:

This privilege requires that your deployment be configured for raster analysis.

portal:publisher:publishServerServices

Grants the ability to publish ArcGIS Server web layers to ArcGIS Server sites that are federated with the portal. These services often reference registered data from geodatabases or file-based data sources. This privilege is also required for members who will bulk publish layers from a data store item.

portal:publisher:publishKnowledgeGraph

Grants the ability to publish hosted knowledge graphs in ArcGIS Pro. This privilege is only visible if an ArcGIS Knowledge Server is configured for your organization.

portal:user:viewOrgItems

Grants the ability to view content shared with the organization.

portal:publisher:registerDataStores

Grants the ability to add data store items to the portal.

portal:publisher:bulkPublishFromDataStores

Grants the owner of a database data store item the ability to publish feature and map layers from all feature classes and tables that can be accessed in the database.

portal:user:viewTracks

Grants the ability to view members' location tracks via shared track views when location tracking is enabled.

premium:publisher:createNotebooks

Grants the ability to open and run notebooks, including shared notebooks and notebooks created from a notebook file that has been imported to the portal, and create and edit notebooks using the ArcGIS Notebooks Standard runtime. This privilege is only visible if Notebook Server is configured for your organization.

Note:

This privilege is required for users who will be running web tools published from a notebook.

premium:publisher:scheduleNotebooks

Grants the ability to schedule future runs of ArcGIS Notebooks. This privilege is only visible if Notebook Server is configured for your organization.

portal:user:reassignItems

Introduced at ArcGIS Enterprise 11.0—Grants a user the ability to reassign only their content to another member with the privilege to receive content.

portal:user:receiveItems

Introduced at ArcGIS Enterprise 11.0—Grants a user the ability to receive content that is reassigned to them by another member with the privilege to reassign content.

Sharing

Privilege | Description
portal:user:shareToGroup

Grants an organization member the ability to share their owned content with any groups to which they belong.

portal:user:shareToOrg

Grants organization members the ability to share any items they own with their organization.

portal:user:shareToPublic

Grants organization members the ability to share any items they own with everyone, including the public.

portal:user:shareGroupToOrg

Grants the ability for any group a member makes to be discoverable. It is recommended that this privilege be assigned to members who also have the portal:user:createGroup privilege.

portal:user:shareGroupToPublic

Grants the ability to make any group owned by an organization member visible to everyone in the organization, including the public, which allows anonymous portal users to view the group. It is recommended that this privilege be assigned to members who also have the portal:user:createGroup privilege.

Content and Analysis

Privilege | Description
premium:user:geocode

Grants the ability to use ArcGIS World Geocoding Service to convert addresses or places to map points and store the results.

premium:user:networkanalysis

Grants the ability to perform network analysis tasks such as routing and drive-time areas.

premium:user:spatialanalysis

Grants the ability to perform spatial analysis tasks, such as creating buffers.

premium:user:geoenrichment

Grants the ability to use the GeoEnrichment service to access demographic information.

premium:publisher:geoanalytics

Grants the ability to perform GeoAnalytics tasks.

premium:publisher:rasteranalysis

Grants the ability to use raster analysis tools. This privilege requires that your deployment be configured for raster analysis.

premium:publisher:createAdvancedNotebooks

Grants the ability to author notebooks using advanced runtimes. This privilege is only available if Notebook Server is configured for your organization.

Grants the ability to run web tools published from notebooks. This privilege is only available if Notebook Server is configured for your organization.

Features

Privilege | Description
features:user:edit

Grants the ability to edit features based on a layer's permissions and update schema on a knowledge graph layer.

features:user:fullEdit

Grants the ability to add, delete, and update features and attributes in a hosted feature layer regardless of the editing options enabled on the layer.

Version management

Privilege | Description
features:user:manageVersions

Grants the ability to view, alter, and delete all branch versions accessed through an ArcGIS Server web feature layer, as well as the ability to manage version locks.

Note:

If this privilege is assigned in the front-end of ArcGIS Enterprise portal, the following privileges are assigned by default. Users assigned the features:user:manageVersions privilege and those from the list below are considered to be version administrators.

  • features:user:edit
  • features:user:fullEdit

Webhooks

Privilege | Description
portal:publisher:createFeatureWebhook

Grants the ability to create, edit, and delete their own feature layer webhooks.

Administrative privileges

Members

Privilege | Description
portal:admin:viewUsers

Grants the ability to view full member account information in the organization.

portal:admin:updateUsers

Grants the ability to update member account information, reset passwords, and assign or unassign member categories.

Note:

Only members assigned the default administrator role can edit the password of another member who has also been assigned the default administrator role. A member with a custom role that includes portal:admin:updateUsers will not be able to update the password of a default administrator.

portal:admin:deleteUsers

Grants the ability to delete member accounts in the organization.

portal:admin:inviteUsers

Grants the ability to add members to the organization.

portal:admin:disableUsers

Grants the ability to enable and disable member accounts in the organization.

portal:admin:changeUserRoles

Grants the ability to change the role a member is assigned in the organization; however, it does not grant the ability to promote a member to, or demote a member from, the default administrator role. That privilege is reserved for only members assigned the default administrator role.

portal:admin:manageLicenses

Grants the ability to manage licenses for organization members.

portal:admin:updateMemberCategorySchema

Grants the ability to configure the organization member category schema.

Groups

Privilege | Description
portal:admin:viewGroups

Grants the ability to view all groups in the organization.

portal:admin:updateGroups

Grants the ability to update member-owned groups in the organization.

portal:admin:deleteGroups

Grants the ability to delete member-owned groups in the organization.

portal:admin:reassignGroups

Grants the ability to reassign groups to other members in the organization.

portal:admin:assignToGroups

Grants the ability to assign members to, and remove members from, groups in the organization.

portal:admin:manageEnterpriseGroups

Grants the ability to link group membership to organization-specific groups.

portal:admin:createUpdateCapableGroup

Grants the ability to create and own groups that allow group members to update all items in the group (shared update groups).

Content

Privilege | Description
portal:admin:viewItems

Grants the ability to view all member content in the organization.

portal:admin:updateItems

Grants the ability to update and categorize member content in the organization.

portal:admin:deleteItems

Grants the ability to delete member-owned content.

portal:admin:reassignItems

Grants the ability to reassign content to other members in the organization.

portal:admin:updateItemCategorySchema

Grants the ability to configure the organization content category schema.

portal:publisher:publishServerGPServices

Grants the ability to publish web tools created in ArcGIS Pro to a federated server or publish web tools from a notebook.

portal:admin:shareToOrg

Grants the ability to share content owned by other members of your organization with the organization.

portal:admin:shareToPublic

Grants the ability to share other members' content to all users of the portal.

Webhooks

Privilege | Description
portal:admin:createGPWebhook

Grants the ability to create, edit, and delete geoprocessing webhooks.

Organization settings

Privilege | Description
portal:admin:manageSecurity

Grants the ability to manage the portal's security settings.

portal:admin:manageWebsite

Grants the ability to manage the organization's website settings.

portal:admin:manageCollaborations

Grants the ability to manage the organization's collaborations.

portal:admin:manageRoles

Grants the ability to manage the organization's member roles.

portal:admin:manageServers

Grants the ability to manage the portal's server settings.

portal:admin:manageUtilityServices

Grants the ability to manage the organization's utility service settings.

portal:admin:manageWebhooks

Grants the ability to create, edit, and delete organizational webhooks and manage all webhooks within the portal.

JSON Response syntax


{
  "id": "<role id>",
  "privileges": [
    "<privilege1>",
    "<privilege2>",
    "<privilege3>",
    "<privilege4>",
    "<privilege5>"
  ]
}

JSON Response example


{
  "id": "hzHOGSAky23XJu7Q",
  "privileges": [
    "features:user:edit",
    "features:user:fullEdit",
    "opendata:user:designateGroup",
    "portal:admin:viewUsers",
    "portal:user:createGroup"
  ]
}
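
Added example, not part of Esri's documentation: a Python audit of one privileges response that classifies each entry using the groupings on this page, including the administrative privileges whose names lack an ":admin:" segment. The function and constant names are hypothetical, and the three-segment check is an assumption drawn from the privilege strings listed above; the embedded sample is the page's own JSON response example.

```python
import json

# Listed under "Administrative privileges" on this page although the name has
# no ":admin:" segment, so a naive match on that segment would miss them.
ADMIN_WITHOUT_ADMIN_SEGMENT = {
    "opendata:user:openDataAdmin",               # ArcGIS Online, Open data
    "portal:publisher:publishServerGPServices",  # ArcGIS Enterprise, Content
}
# Privileges the page describes as sharing with all users or the public.
PUBLIC_EXPOSURE = {"portal:user:shareToPublic", "portal:user:shareGroupToPublic",
                   "portal:admin:shareToPublic"}
# The page recommends pairing these with portal:user:createGroup.
NEEDS_CREATE_GROUP = {"portal:user:shareGroupToOrg", "portal:user:shareGroupToPublic"}
# Per the page's note, manageVersions plus these makes a version administrator.
VERSION_ADMIN = {"features:user:manageVersions", "features:user:edit",
                 "features:user:fullEdit"}

# The page's own JSON response example.
SAMPLE_RESPONSE = """{"id": "hzHOGSAky23XJu7Q", "privileges": [
  "features:user:edit", "features:user:fullEdit", "opendata:user:designateGroup",
  "portal:admin:viewUsers", "portal:user:createGroup"]}"""


def audit_role(response_text):
    """Classify the privileges in one f=json / f=pjson privileges response."""
    doc = json.loads(response_text)
    privileges = doc.get("privileges") if isinstance(doc, dict) else None
    if not isinstance(privileges, list):
        raise ValueError("response has no 'privileges' array")
    report = {"id": doc.get("id"), "administrative": [], "public_exposure": [],
              "unrecognized": [], "notes": []}
    seen = set()
    for priv in privileges:
        parts = priv.split(":") if isinstance(priv, str) else []
        # Assumption: every privilege listed on the page has three segments.
        if len(parts) != 3 or not all(parts):
            report["unrecognized"].append(priv)
            continue
        seen.add(priv)
        if parts[1] == "admin" or priv in ADMIN_WITHOUT_ADMIN_SEGMENT:
            report["administrative"].append(priv)
        if priv in PUBLIC_EXPOSURE:
            report["public_exposure"].append(priv)
    if seen & NEEDS_CREATE_GROUP and "portal:user:createGroup" not in seen:
        report["notes"].append("group sharing without portal:user:createGroup")
    if VERSION_ADMIN <= seen:
        report["notes"].append("version administrator")
    return report


if __name__ == "__main__":
    print(json.dumps(audit_role(SAMPLE_RESPONSE), indent=2))
```

Running the audit over every custom role in an organization gives a quick inventory of which roles carry administrative or public-sharing privileges.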