Understand ArcGIS accounts
Accounts provide privileges to access resources, such as files or software capabilities. It is important to use accounts that provide all the necessary privileges without providing greater access than needed. There are two types of accounts used with ArcGIS Enterprise components:
Operating system accounts run the software services and related processes on the operating system of the machine where the component is installed.
The most important consideration for an operating system account is that it has access to the machines, directories, and network locations the software needs to read and write files and execute programs. The following operating system accounts are required for ArcGIS Enterprise:
Portal for ArcGIS account
ArcGIS Server account
ArcGIS Data Store account
User accounts allow users to log in to the applications created by the component. The most important consideration for a user account is that the user has the appropriate privileges to perform the work they need to do in the application. The following user accounts are required for ArcGIS Enterprise:
Initial administrator account for the ArcGIS Enterprise organization
Primary site administrator account for the hosting server site
Operating system accounts
For each component, the associated operating system account is the login that you used when you installed that component.
For each component, you specify the associated operating system account when you install the component. Although you have the option to use a local operating system account, it is recommended that you use a domain account or a group managed service account for production systems. This allows access to resources that should be stored on separate machines, such as backups. If you use a local operating system account, it cannot access network locations, and you cannot specify a shared network location for backup directories.
To avoid the need to manually update passwords for the ArcGIS Data Store account on each machine, you can use a managed service account.
Portal for ArcGIS account
At a minimum, the Portal for ArcGIS account must be granted the following privileges:
\arcgis\portal*—Read, write, and execute
\arcgisportal—Full control
Note:
It is recommended that you use an account that is not a member of the Administrators group and that has minimal privileges.
If you want to configure the Portal for ArcGIS account to run under a different account, you can do so after the installation has completed with the configureserviceaccount utility. This utility will also apply the appropriate permissions to directories used by the service.
To learn more, see Changing the Portal for ArcGIS account.
ArcGIS Server account
The ArcGIS Server account is used for the following purposes:
Start and stop processes that support ArcGIS Server and services.
Read the GIS data behind your services when the registered database uses operating system authentication.
Read and write files to the ArcGIS Server directories. For example, when you create a map cache, the ArcGIS Server account writes the cache tiles into your server cache directory.
Read and write files to the configuration store.
Read and write files to the ArcGIS Server installation location and system temp directory. For example, the account writes log files that you can use to troubleshoot the server.
Read and write log messages to the logs directory.
Note:
The ArcGIS Server account is not the same as the primary site administrator that you define when you create the ArcGIS Server site. For more information, see Secure your ArcGIS Server site.
The ArcGIS Server account is the one you used when you installed the software. The installation makes this account the owner of all files that it places on the system. In a site with multiple ArcGIS Server machines, the user ID (UID) for the ArcGIS Server account should be the same across all machines so that they can access data, the configuration store, and the server directories using the same NFS permissions.
For security reasons, the root account cannot be used as the ArcGIS Server account and cannot be used to install the software.
The ArcGIS Server account requires no special permissions on the operating system other than file access to the data, configuration store, and server directories. The ArcGIS Server account does not need to be an administrator on the machine.
For more information on the options for the ArcGIS Server account and the appropriate permissions, see ArcGIS Server account.
ArcGIS Data Store account
The ArcGIS Data Store account writes information to the data store backup directory, data store directory, and restore staging directory. It is also used to run the processes that ArcGIS Data Store requires.
The ArcGIS Data Store account requires full control on the ArcGIS Data Store directory (the default location is C:\arcgisdatastore), full control on the ArcGIS Data Store installation directory (the default location is C:\program files\arcgis\DataStore), read and write access to the shared network backup directory, and read and write access to the restore staging directory used by the relational store.
If you need to change the ArcGIS Data Store account after you create it or upgrade it, use the configureserviceaccount utility.
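As an added example (not from the Esri documentation or the product), the following PowerShell audit compares the NTFS rights an ArcGIS service account actually holds on the Portal for ArcGIS and ArcGIS Data Store directories with the minimums listed above, and flags missing rights, Deny entries, needless Full control, and Administrators membership. The account name, the Portal for ArcGIS paths, and the backup share path are assumptions; the Data Store paths are the defaults given above.

```powershell
# Added audit script (not part of the Esri documentation or product).
# Assumptions: the account name, the Portal paths, and the backup UNC path are placeholders.
$Account = 'DOMAIN\svc-arcgis'   # assumed service account (a gMSA name ends with '$')

$FSR = [System.Security.AccessControl.FileSystemRights]
$Requirements = @(
    @{ Path = 'C:\Program Files\ArcGIS\Portal';    Rights = 'ReadAndExecute, Write' }  # Portal install dir (assumed path)
    @{ Path = 'C:\arcgisportal';                   Rights = 'FullControl' }            # Portal content dir (assumed path)
    @{ Path = 'C:\arcgisdatastore';                Rights = 'FullControl' }            # Data Store dir (default from the page)
    @{ Path = 'C:\Program Files\ArcGIS\DataStore'; Rights = 'FullControl' }            # Data Store install dir (default from the page)
    @{ Path = '\\backup-host\arcgis-backups';      Rights = 'Read, Write' }            # shared backup dir (assumed UNC path)
)

function Test-ServiceAccountAcl {
    param([string]$Identity, [hashtable]$Requirement)
    $required = [int]($Requirement.Rights -as $FSR)
    $full     = [int]$FSR::FullControl
    $acl      = Get-Acl -Path $Requirement.Path -ErrorAction Stop
    # Only ACEs that name the account directly are considered; rights inherited through
    # group membership are not resolved here, so a "missing" result still deserves a look.
    $aces     = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $Identity }
    $allowed  = 0
    $hasDeny  = $false
    foreach ($ace in $aces) {
        if ($ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow) {
            $allowed = $allowed -bor [int]$ace.FileSystemRights
        } else {
            $hasDeny = $true
        }
    }
    [pscustomobject]@{
        Path        = $Requirement.Path
        Required    = $Requirement.Rights
        Granted     = ($allowed -as $FSR)
        Satisfied   = ((($allowed -band $required) -eq $required) -and -not $hasDeny)
        HasDeny     = $hasDeny
        # Full control where the page calls only for read/write/execute is over-privilege
        OverGranted = (($required -ne $full) -and (($allowed -band $full) -eq $full))
    }
}

$Requirements | ForEach-Object { Test-ServiceAccountAcl -Identity $Account -Requirement $_ } |
    Format-Table -AutoSize

# The page recommends a service account that is not a member of the Administrators group.
$admins = (Get-LocalGroupMember -Group 'Administrators').Name
if ($admins -contains $Account) {
    Write-Warning "$Account is a member of the local Administrators group; use a least-privilege account"
}
```

Run it on each machine that hosts the component, since the directories and their ACLs are local to that machine (the backup share excepted).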
User accounts
Two user accounts are required to deploy ArcGIS Enterprise. The initial administrator account is used for the initial configuration of your ArcGIS Enterprise organization. The primary site administrator account is required for some ArcGIS Server site configuration tasks, such as the initial configuration and federation with ArcGIS Enterprise.
Initial administrator account
When you configure an ArcGIS Enterprise organization, you specify the first name, last name, username, password, email address, security question and answer, and user type to create an administrator account. This account is called the initial administrator account.
Note:
You can select any user type that is included in your license file and is compatible with the initial administrator account. If needed, you can change the user type after signing in to the portal.
The initial administrator account is required to register your portal with ArcGIS Web Adaptor. It is also required to configure Integrated Windows Authentication, LDAP, or PKI-based client certificate authentication for portal authentication.
The initial administrator account username and password are stored by Portal for ArcGIS. Later, you can specify other accounts as administrators. Once another administrator account is added, you can demote the initial administrator account to a role with fewer privileges, or delete it.
When you create the initial administrator account, the specified username and password can only contain the following ASCII characters:
Numbers 0 through 9
ASCII letters A through Z (uppercase and lowercase)
A dot (.)
If the limitations of the initial administrator account are too restrictive, you can delete it after the initial deployment of ArcGIS Enterprise. See Delete the initial administrator account for more information.
Primary site administrator account
After you install ArcGIS Server, you create the ArcGIS Server site. At this time you need to provide the name and password for a new account that you will initially use to log in to Manager and administer ArcGIS Server. This account is called the primary site administrator.
The primary site administrator name and password are used only with ArcGIS Server, and they are stored by ArcGIS Server. Later, you can create other administrative accounts and disable the primary site administrator if you choose.
To learn more about specifying the primary site administrator account, see Creating a new site.