Manage access to your organization
One of the key aspects of planning a deployment of ArcGIS Enterprise is deciding how to manage accounts that will access your organization and what privileges are granted to the accounts. Determining how accounts will be managed is a matter of choosing an identity store. Refer to the Architecture Center for more information about authentication models and identity store providers.
Note:
Each member in ArcGIS Enterprise and ArcGIS Online requires their own license. That said, both products support organization-specific logins with SAML and OpenID Connect, so you can streamline authentication between systems: the same username and password can be used for both organizations. However, you can't log in to ArcGIS Enterprise and expect to see the same content you would see when logging in to your ArcGIS Online account. They are separate organizations, each with its own identity store and set of associated content.
Understand identity stores
The identity store for your organization defines where the credentials of your member accounts are stored, how authentication occurs, and how group membership is managed. The ArcGIS Enterprise organization supports two types of identity stores: built-in and organization-specific identity stores.
Built-in identity store
ArcGIS Enterprise can be configured to allow members to create accounts and groups in your organization. When enabled, you can use the Create an account link on the Sign In page to add a built-in account and start contributing content to the organization or access resources created by other members. When you create accounts and groups this way, you are using the built-in identity store, which performs authentication and stores member account usernames, passwords, roles, and group membership.
You must use the built-in identity store to create the initial administrator account for your organization, but you can later switch to an organization-specific identity store. The built-in identity store is useful to get up and running, and also for development and testing. However, production environments typically use an organization-specific identity store.
Note:
If you need to revert from an organization-specific identity store to the built-in identity store, you can do so by deleting any information in the User store configuration and Group store configuration text boxes on the Update Identity Store page within the Administrator Directory. Be aware that members who were registered from the organization-specific store have no credentials in the built-in store, so they can no longer sign in after the revert; sign in with a built-in administrator account to make the change. For more information, see the ArcGIS REST API documentation.
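Scripting that revert, as an added example that is not Esri's code: the Python below uses only the standard library, obtains a short-lived administrator token from the sharing API, posts empty user and group store configurations to the Portal Admin updateIdentityStore operation (the programmatic equivalent of clearing the two text boxes), and then re-reads security/config to verify the store types. The portal URL is a placeholder, and the JSON field names it relies on (userStoreConfig.type, groupStoreConfig.type, the in-band error object) are assumptions about the API's responses, not text from this page.

```python
"""Revert an ArcGIS Enterprise identity store to BUILTIN through the Portal
Administrator Directory REST API and verify the result.

Added example (not Esri code). Endpoint paths are those of the Portal Admin
and sharing REST APIs; the JSON field names used below (userStoreConfig.type,
groupStoreConfig.type, the in-band error object) are assumptions.
"""
import json
import urllib.parse
import urllib.request

PORTAL_URL = "https://portal.example.com/arcgis"   # placeholder portal URL


def check_response(body: dict) -> dict:
    """Portal Admin answers HTTP 200 even when an operation fails, so errors
    must be detected in the body: either an 'error' object or status=error."""
    if "error" in body:
        err = body["error"]
        raise RuntimeError(f"portal error {err.get('code')}: {err.get('message')}")
    if body.get("status") == "error":
        raise RuntimeError("; ".join(body.get("messages") or ["unknown error"]))
    return body


def post_json(url: str, params: dict, referer: str) -> dict:
    """POST form-encoded params with f=json, sending the Referer the token is bound to."""
    data = urllib.parse.urlencode({**params, "f": "json"}).encode()
    req = urllib.request.Request(url, data=data, headers={"Referer": referer})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return check_response(json.loads(resp.read().decode("utf-8")))


def generate_token(portal_url: str, username: str, password: str) -> str:
    """Short-lived administrator token; client=referer ties it to portal_url."""
    body = post_json(f"{portal_url}/sharing/rest/generateToken", {
        "username": username, "password": password,
        "client": "referer", "referer": portal_url,
        "expiration": 15,            # minutes; keep admin tokens short-lived
    }, referer=portal_url)
    return body["token"]


def get_security_config(portal_url: str, token: str) -> dict:
    return post_json(f"{portal_url}/portaladmin/security/config",
                     {"token": token}, referer=portal_url)


def store_types(security_config: dict) -> tuple:
    """(user store type, group store type); a missing block means BUILTIN."""
    user = (security_config.get("userStoreConfig") or {}).get("type", "BUILTIN")
    group = (security_config.get("groupStoreConfig") or {}).get("type", "BUILTIN")
    return user, group


def is_builtin(security_config: dict) -> bool:
    return store_types(security_config) == ("BUILTIN", "BUILTIN")


def revert_params(token: str) -> dict:
    """Empty user and group store configurations, the programmatic equivalent
    of clearing both text boxes on the Update Identity Store page."""
    return {"userStoreConfig": "", "groupStoreConfig": "", "token": token}


def revert_to_builtin(portal_url: str, token: str) -> dict:
    """Revert only if needed, then prove the change by re-reading the config."""
    before = get_security_config(portal_url, token)
    if is_builtin(before):
        return before
    post_json(f"{portal_url}/portaladmin/security/config/updateIdentityStore",
              revert_params(token), referer=portal_url)
    after = get_security_config(portal_url, token)
    if not is_builtin(after):
        raise RuntimeError(f"identity store is still {store_types(after)} after update")
    return after


if __name__ == "__main__":
    import getpass
    tok = generate_token(PORTAL_URL, input("admin username: "), getpass.getpass())
    print("store types now:", store_types(revert_to_builtin(PORTAL_URL, tok)))
```

Run it as a built-in administrator account (the initial administrator is always built-in), because accounts from the store being removed cannot authenticate once the revert completes. The post-update read-back is the part worth keeping: the operation reports success in-band, so confirming the store types is the only reliable evidence the change took effect.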
Organization-specific identity store
ArcGIS Enterprise is designed so you can use organization-specific accounts and groups to control access to your ArcGIS organization. For example, you can control access by using credentials from your Lightweight Directory Access Protocol (LDAP) server, Windows Active Directory server, and identity providers that support Security Assertion Markup Language (SAML) 2.0 Web Browser Single Sign On. This process is described throughout the documentation as setting up organization-specific logins.
The advantage of this approach is that you do not need to create additional accounts in the organization. Members use the login that is already set up in the organization-specific identity store. The management of account credentials, including policies for password complexity and expiration, is completely external to the organization. This enables a single sign-on experience so users do not need to reenter their credentials.
Similarly, you can also create groups that use the existing Windows Active Directory, LDAP, or SAML groups in your identity store. Also, organization-specific accounts can be added in bulk from the Active Directory, LDAP, or SAML groups in your organization. When members sign in to the organization, access to content, items, and data is controlled by the membership rules defined in the Active Directory, LDAP, or SAML group. The management of group membership is completely external to the organization.
For example, a recommended practice is to disable anonymous access to your organization, connect to the desired Active Directory, LDAP, or SAML groups in your organization, and add the organization-specific accounts based on those groups. In this way, you restrict access to the organization based on specific Active Directory, LDAP, or SAML groups in your organization.
Use an organization-specific identity store if your organization wants to set policies for password expiration and complexity, control access using existing Active Directory, LDAP, or SAML groups, or use authentication over LDAP, Integrated Windows Authentication (IWA), or public key infrastructure (PKI)-based client certificate authentication. Authentication can be handled at the web-tier level (using web-tier authentication), at the portal-tier level (using portal-tier authentication), or through an external identity provider (using SAML).
Using an Active Directory identity store, ArcGIS Enterprise supports authentication from multiple domains within a single forest, but it does not provide cross-forest authentication. To support organization-specific users from multiple forests, a SAML identity provider is required.
Support multiple identity stores
Using SAML 2.0, you can allow access to your organization using multiple identity stores. Users can sign in with built-in accounts and accounts managed in multiple SAML-compliant identity providers configured to trust one another. This is a good way to manage users who may reside within or outside your organization. For details, see Configure a SAML-compliant identity provider.
Understand access privileges
Once you've decided how accounts will be managed in ArcGIS Enterprise, you need to decide what privileges you want users to have. What a user can do depends first on whether the user accessing your organization is a member of the ArcGIS organization.
Users who access the organization without a member account can only search for and use public items. For example, if a public web map is embedded into a website, users looking at the map will be accessing an organization item, even though they do not have an account. It is up to you to enable this type of access. You can always disable access to persons who do not already belong to the organization. To learn how to do this, see Disable anonymous access.
Users who are members of your ArcGIS organization can access it with additional privileges. Organization members are listed on the Organization page. Each member is assigned a user type, which determines the roles, and therefore the privileges, that can be granted to that member. To learn more, see User types, roles, and privileges.
When a new member is added, they are granted the User role by default. However, an administrator can change the role at any time.
Manage ArcGIS organizational accounts
An ArcGIS organizational account is a user account that has been added to the organization. These users are typically referred to as members of the organization.
As an administrator, it is important that you fully control not only the privileges granted to each member of your ArcGIS organization but also who is allowed to be a member of it.
The maximum number of organization members is defined by a license file. At any time, you can compare the total number of members assigned a user type and remaining available user type licenses from the Overview or Licenses tabs on the Organization page. On the Overview tab, you can view the total licenses assigned and available in the Members overview. On the Licenses tab, you can view assigned and available licenses per user type on the User types tab.
Manage accounts when using the built-in store
When using the built-in store, you can configure ArcGIS Enterprise to show a link that any user can use to join the organization. This makes it easy for people to join, but you can't restrict who joins; anyone with access to the sign in page can create an account. If you want more control, you can disable this self-serve experience and provision a predefined number of accounts in bulk. To learn more about creating member accounts in bulk, see Add members. You can also remove members or change their privileges at any time.
Manage accounts when using an organization-specific identity store
ArcGIS Enterprise cannot create, edit, or delete accounts in an organization-specific identity store; it can only register existing organization-specific accounts as members of your organization. For this reason, the sign-up page is not available when you configure an organization-specific identity store.
As an administrator, you will typically select organization-specific logins that you want to add to the organization and add them in bulk. To learn more about creating ArcGIS organizational accounts in bulk, see Add members. You can also remove members or change their privileges at any time.
Alternatively, you can add any organization-specific account that connects to your organization or any of its items automatically. To learn more, see Automatic registration of organization-specific accounts.
It's important to understand that when an organization-specific identity store is configured, anonymous access to the ArcGIS organization is disabled; that is, any user accessing it must authenticate against your identity store first. Once authenticated, the privileges of the user are determined by whether or not they have an ArcGIS organizational account: an authenticated store user who has not been added as a member does not receive member privileges. If your configuration still permits anonymous access, disable it explicitly as described in Disable anonymous access.
Note:
By default, automatic account creation is disabled in the organization. To enable automatic account registration, see Configure automatic registration of organization accounts for more information.
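As an added check that is not Esri's code, the function below audits the settings discussed in this section (anonymous access, automatic account registration, and built-in accounts that remain alongside an organization-specific store) from JSON you fetch from the portal while signed in as an administrator with f=json appended: portaladmin/security/config, sharing/rest/portals/self, and the member list from sharing/rest/portals/self/users (paged, so concatenate the users arrays). The field names access, enableAutomaticAccountCreation, userStoreConfig.type, provider and role, and the org_admin role ID, are assumptions about those responses; the sample data at the bottom is constructed.

```python
"""Audit an ArcGIS Enterprise organization's access settings against the
practices described in this section, working purely on JSON already fetched
from three endpoints (sign in as an administrator and append f=json):

  <portal>/portaladmin/security/config
  <portal>/sharing/rest/portals/self
  <portal>/sharing/rest/portals/self/users  (paged: concatenate the 'users' arrays)

Added example, not Esri code. The field names access,
enableAutomaticAccountCreation, userStoreConfig.type, provider and role, and the
org_admin role ID, are assumptions about those responses.
"""
from collections import Counter

ADMIN_ROLE = "org_admin"          # assumed role ID of the Administrator role
BUILTIN_PROVIDER = "arcgis"       # assumed provider value of built-in accounts


def user_store_type(security_config: dict) -> str:
    return (security_config.get("userStoreConfig") or {}).get("type", "BUILTIN")


def audit_access(security_config: dict, portal_self: dict, users: list) -> list:
    """Return a list of human-readable findings; an empty list means no issue."""
    findings = []
    external = user_store_type(security_config) != "BUILTIN"

    # 'public' means people without a member account can reach public items.
    if external and portal_self.get("access") == "public":
        findings.append("anonymous access is enabled alongside an organization-specific "
                        "identity store; disable it (see Disable anonymous access)")

    # Off by default; when on, every account in the store becomes a member at first sign-in.
    if security_config.get("enableAutomaticAccountCreation"):
        findings.append("automatic account registration is enabled; any account in the "
                        "identity store becomes a member on its first sign-in")

    # Built-in accounts kept alongside an external store (at least the initial
    # administrator) are governed by the built-in lockout and password rules,
    # not by the store's policies, so they deserve a separate review.
    providers = Counter(u.get("provider", BUILTIN_PROVIDER) for u in users)
    if external and providers[BUILTIN_PROVIDER]:
        admins = sorted(u["username"] for u in users
                        if u.get("provider", BUILTIN_PROVIDER) == BUILTIN_PROVIDER
                        and u.get("role") == ADMIN_ROLE)
        findings.append(f"{providers[BUILTIN_PROVIDER]} built-in account(s) remain "
                        f"(administrators: {', '.join(admins) or 'none'}); they follow "
                        "the built-in lockout policy, not the store's")
    return findings


if __name__ == "__main__":
    # Constructed sample responses, not captured from a real portal.
    sample_config = {"userStoreConfig": {"type": "LDAP"}, "enableAutomaticAccountCreation": True}
    sample_self = {"access": "public"}
    sample_users = [
        {"username": "admin", "provider": "arcgis", "role": "org_admin"},
        {"username": "jdoe@CORP", "provider": "enterprise", "role": "org_user"},
    ]
    for line in audit_access(sample_config, sample_self, sample_users):
        print("-", line)
```

The third check matters because the lockout and password policies described later in this section are decided per store: a built-in administrator that survives next to an LDAP, Active Directory, or SAML configuration is protected only by the built-in rules, whatever the external store enforces.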
Account lockout policy
Software systems often enforce an account lockout policy to protect against mass automated attempts to guess a user's password. If a user makes a certain number of failed login attempts within a particular time interval, they may be denied further attempts for a designated time period. These policies are balanced against the reality that users sometimes forget their usernames or passwords and fail to sign in successfully.
The enforced lockout policy depends on which type of identity store you're using:
Built-in identity store
The built-in identity store locks out a user after five consecutive invalid attempts. The lockout lasts for 15 minutes. This policy applies to all accounts in the identity store, including the initial administrator account. You can configure the number of permitted failed sign-in attempts and the lockout duration to suit your organization's needs. For instructions, see Configure security settings.
Organization-specific identity store
When you use an organization-specific identity store, the account lockout policy is inherited from the store. You may be able to modify the account lockout policy for the store. Consult the documentation specific to the store type to learn how to change the account lockout policy.