One of the key aspects of planning a deployment of ArcGIS Enterprise is deciding how to manage accounts that will access your portal and what privileges are granted to the accounts. Determining how accounts will be managed is a matter of choosing an identity store.
Understanding identity stores
The identity store for your portal defines where the credentials of your portal accounts are stored, how authentication occurs, and how group membership is managed. The ArcGIS Enterprise portal supports two types of identity stores: built-in and organization-specific.
Built-in identity store
The ArcGIS Enterprise portal can be configured to allow members to easily create accounts and groups in your portal. When enabled, you can use the Create an account link on the portal website Sign In page to add a built-in account to your portal and start contributing content to the organization or access resources created by other members. You can also click the Groups tab on the portal website home page and create a group to manage items. When you create accounts and groups in your portal this way, you are leveraging the built-in identity store, which performs authentication and stores portal account user names, passwords, roles, and group membership.
You must use the built-in identity store to create the initial administrator account for your portal, but you can later switch to an organization-specific identity store. The built-in identity store is useful to get your portal up and running, and also for development and testing. However, production environments typically leverage an organization-specific identity store.
Organization-specific identity store
The ArcGIS Enterprise portal is designed so you can use organization-specific accounts and groups to control access to your ArcGIS organization. For example, you can control access to the portal by using credentials from your Lightweight Directory Access Protocol (LDAP) server, Active Directory server, and identity providers that support Security Assertion Markup Language (SAML) 2.0 Web Single Sign On. This process is described throughout the documentation as setting up organization-specific logins.
The advantage of this approach is that you do not need to create additional accounts within the portal. Members use the login that is already set up within the organization-specific identity store. The management of account credentials is completely external to the portal. This enables a single sign-on experience so users will not need to reenter their credentials.
Similarly, you can also create groups in the portal that leverage the existing enterprise groups in your identity store. Also, organization-specific accounts can be added in bulk from the enterprise groups in your organization. When members log in to the portal, access to content, items, and data are controlled by the membership rules defined in the enterprise group. The management of group membership is completely external to the portal.
For example, a recommended practice is to disable anonymous access to your portal, connect your portal to the desired enterprise groups in your organization, and add the organization-specific accounts based on those groups. In this manner, you restrict access to the portal based on specific enterprise groups within your organization.
Use an organization-specific identity store if your organization wants to set policies for password expiration and complexity, control access using existing enterprise groups, or leverage authentication over Integrated Windows Authentication (IWA) or Public Key Infrastructure (PKI). Authentication can be handled at the web-tier (using web-tier authentication), at the portal-tier (using portal-tier authentication), or through an external identity provider (using SAML).
Using an Active Directory identity store, ArcGIS Enterprise supports authentication from multiple domains with a single forest, but does not provide cross-forest authentication. To support organization-specific users from multiple forests, a SAML identify provider would be required.
Supporting multiple identity stores
Using SAML 2.0, you can allow access to your portal using multiple identity stores. Users can sign in with built-in accounts and accounts managed in multiple SAML-compliant identity providers configured to trust one another. This is a good way to manage users that may reside within or outside your organization. For full details, see Configuring a SAML-compliant identity provider with your portal.
Understanding access privileges
Once you've decided how accounts will be managed in ArcGIS Enterprise, you need to decide what privileges you want users that access your ArcGIS organization to have. Privileges are defined by whether or not the user accessing your portal is part of the ArcGIS organization.
Users that access the portal without an ArcGIS organizational account can only search for and use public items. For example, if a public web map is embedded into a website, users looking at the map will be accessing an item of your portal, even though they do not have an account. It is up to you to enable this type of access. You can always disable access to persons that do not already belong to the ArcGIS organization. To learn how to do this, see Disabling anonymous access.
Users can access your portal with elevated privileges if they are members of your ArcGIS organization. Members of your ArcGIS organization are listed on the Organization page of the portal website. Members of an organization are organized by user types which correspond to various roles with different privileges. To learn more see User types, roles, and privileges.
When a new ArcGIS organizational account is added to your portal, it will be granted the user role by default. However, the portal administrator can change the role at any time.
Managing ArcGIS organizational accounts
An ArcGIS organizational account is a user account that has been added to the organization panel of your portal website. Throughout the documentation and user experience in the portal website, these users are typically referred to as members of the organization.
As an administrator, it is important that you fully control not only the privileges granted to each member of your ArcGIS organization but also who is allowed to be a member of it.
The maximum number of ArcGIS organizational accounts in your portal is defined by the license file you used to license the portal. At any point in time, you can compare the total number of members assigned a user type and remaining available user type licenses from the Overview or Licenses tabs on the Organization page in the portal website. Under Overview you can view the total licenses assigned and available in the Members overview. On the Licenses tab, you can view assigned and available licenses per user type under the User types tab.
Managing accounts when using the built-in store
When using the built-in store, you can configure the portal website to show a link that any user can use to join the ArcGIS organization. This makes it easy for people to join your organization, but you can't really restrict who joins; anyone with access to your portal can create an account. If you want more control, you can disable this self-serve experience and provision in bulk your portal with a predefined number of accounts. To learn more about creating ArcGIS organizational accounts in bulk, see Adding members to your portal. You can also remove members from your portal website or change their privileges at any time.
Managing accounts when using an organization-specific identity store
The ArcGIS Enterprise portal will not allow you to delete, edit, or create new accounts in your identity store, but you can register existing organization-specific accounts in your organization. For this reason, the sign-up page in the portal website will not be available when you configure your portal with an organization-specific identity store.
As an administrator, you will typically select organization-specific logins you want to add into the organization and add them in bulk. To learn more about creating ArcGIS organizational accounts in bulk, see Adding members to your portal. You can also remove members from your portal website or change their privileges at any time.
Alternatively, you can add any organization-specific account that connects to your portal or any of its items automatically. To learn more, see Automatic registration of organization-specific accounts.
It's important to understand that when the portal is configured with an organization-specific identity store, anonymous access to the ArcGIS organization is disabled; that is, any user accessing your portal must authenticate against your identity store first. Once authenticated, the privileges of the user will be determined by whether or not they have an ArcGIS organizational account.
At Portal for ArcGIS 10.2, organization-specific accounts were automatically registered as members of the organization. This means that your organization may have unintentionally exceeded the maximum number of members. When you upgrade Portal for ArcGIS 10.2 to a later version, the legacy behavior persists; accounts are still automatically registered by default. Conversely, new installations of Portal for ArcGIS do not allow automatic account creation. If you upgraded your portal from 10.2 to a later version, you may want to consider turning this behavior off to have more control over which users are added as members in your organization. For full instructions, see Automatic registration of organization-specific accounts.
Account lockout policy
Software systems often enforce an account lockout policy to protect against mass automated attempts to guess a user's password. If a user makes a certain number of failed login attempts within a particular time interval, they may be denied further attempts for a designated time period. These policies are balanced against the reality that sometimes users will forget their names and passwords and fail to log in successfully.
The lockout policy enforced by Portal for ArcGIS depends on which type of identity store you're using:
Built-in identity store
The built-in identity store locks out a user after five consecutive invalid attempts. The lockout lasts for 15 minutes. This policy applies to all accounts in the identity store, including the initial administrator account. This policy cannot be modified or replaced.
Organization-specific identity store
When you're using an organization-specific identity store, the account lockout policy is inherited from the store. You may be able to modify the account lockout policy for the store. Consult the documentation specific to the store type to learn how to change the account lockout policy.