ArcGIS Enterprise provides multiple ways for organizations to manage how their members access and interact with the portal and its content. One way organizations can manage their members' access is by assigning them specific privileges through default or custom roles. Privileges allow members to perform different tasks and workflows for an organization, such as allowing specific users to create and publish content while others can only view content.
At 10.7.1, organizations were able to create custom roles that included administrative privileges, such as the ability to manage the portal's look and feel or it's security configuration. Through these custom roles, organizations were able to delegate administrative tasks without having to assign the default administrator role to multiple members.
At 10.8, access to the Portal Administrator API is based on these same privileges. Members can only access the resources and operations associated with, or required by, their role's privileges. This restrictive access model allows organizations to continue to delegate administrative tasks without providing full administrative access.
Privilege-based access
Members will only be able to access certain endpoints in the Portal Administrator API based on the privileges assigned to their role. Resources and operations that are not accessible to members based on their assigned privileges will either be inaccessible through the UI or will return an error message when users with unauthorized privileges attempt to access them. The table below shows which administrative privileges are authorized to access the Portal Administrator REST API:
| Administrative privilege category | Privilege name |
|---|---|
Members | Add | Manage Licenses |
Groups | Link to Enterprise Groups |
Portal Settings | Security and infrastructure | Organization Website | Collaborations | Member Roles | Servers | Utility Services |
Note:
Members who are assigned one of the privileges listed above will have access to the Logs and Mode resources, though access to their associated child operations and resources will vary depending on the specific privilege assigned to the user.
Endpoint access
Caution:
This topic specifies the required privileges for ArcGIS Enterprise 11.2. To see which privileges apply to the specific ArcGIS Enterprise version you are using, see the ArcGIS Portal Admin API installed help.
This following section outlines the requirements to access each endpoint in the Portal Administrator API.
Note:
Users assigned the default administrator role will have access to every endpoint in the Portal Administrator API. Endpoints that are accessible only to those assigned the default administrator rile will be specified below.
Portal Administrator root
| Endpoint | Requirement |
|---|---|
| Portal Administrator root | Add | Manage Licenses | Link to Enterprise Groups | Security and Infrastructure | Organization Website | Collaborations | Member Roles | Servers | Utility Services |
| Create New Site | Default administrator role only |
| Upgrade | Default administrator role only |
| Export Site | Default administrator role only |
| Import Site | Default administrator role only |
| Join Site | Default administrator role only |
| Info | Add | Manage Licenses | Link to Enterprise Groups | Security and Infrastructure | Organization Website | Collaborations | Member Roles | Servers | Utility Services |
| Backup Restore Information | Add | Manage Licenses | Link to Enterprise Groups | Security and Infrastructure | Organization Website | Collaborations | Member Roles | Servers | Utility Services |
System
| Endpoint | Requirement |
|---|---|
| System | Security and Infrastructure | Organization Website |
| Web Adaptors | Security and Infrastructure |
| Web Adaptor | Security and Infrastructure |
| Unregister Web Adaptor | Security and Infrastructure |
| Web Adaptor Configuration | Security and Infrastructure |
| Update Web Adaptors Configuration | Security and Infrastructure |
| Directories | Security and Infrastructure |
| Directory | Security and Infrastructure |
| Edit Directory | Security and Infrastructure |
| Database | Security and Infrastructure |
| Update Database Account | Security and Infrastructure |
| Database Settings | Security and Infrastructure |
| Edit Database Settings | Security and Infrastructure |
| Indexer | Security and Infrastructure |
| Indexer Status | Security and Infrastructure |
| Reindex | Security and Infrastructure |
| System Properties | Security and Infrastructure | Organization Website |
| Update System Properties | Security and Infrastructure | Organization Website |
| Languages | Security and Infrastructure | Organization Website |
| Update Languages | Security and Infrastructure | Organization Website |
| Content | Security and Infrastructure | Organization Website |
| Content Configuration | Security and Infrastructure | Organization Website |
| Update Content Configuration | Security and Infrastructure | Organization Website |
| Email Settings | Security and Infrastructure |
| Update Email Settings | Security and Infrastructure |
| Test Email Settings | Security and Infrastructure |
| Delete Email Settings | Security and Infrastructure |
Security
| Endpoint | Requirement |
|---|---|
| Security | Security and Infrastructure | Link to Enterprise Groups |
| Users | Security and Infrastructure |
| Create User | Security and Infrastructure | Add Note:While the Create User operation is accessible to members assigned the Add privilege, they will not be able to navigate to it through the UI. Instead, they must enter the operation URL to access it. The URL will have the following format: |
| Get Enterprise User | Security and Infrastructure | Add Note:While the Get Enterprise User operation is accessible to members assigned the Add privilege, they will not be able to navigate to it through the UI. Instead, they must enter the operation URL to access it. The URL will have the following format: |
| Update Enterprise User | Security and Infrastructure | Add Note:While the Update Enterprise User operation is accessible to members assigned the Add privilege, they will not be able to navigate to it through the UI. Instead, they must enter the operation URL to access it. The URL will have the following format: |
| Search Enterprise Users | Security and Infrastructure | Add Note:While the Search Enterprise Users operation is accessible to members assigned the Add privilege, they will not be able to navigate to it through the UI. Instead, they must enter the operation URL to access it. The URL will have the following format: |
| Refresh User Membership | Security and Infrastructure |
| Groups | Security and Infrastructure | Link to Enterprise Groups |
| Search Enterprise Groups | Security and Infrastructure | Link to Enterprise Groups |
| Refresh Group Membership | Security and Infrastructure | Link to Enterprise Groups |
| Get Users Within Enterprise Group | Security and Infrastructure | Link to Enterprise Groups |
| Get Enterprise Groups for User | Security and Infrastructure | Link to Enterprise Groups |
| Token Configuration | Security and Infrastructure |
| Update Token Configuration | Security and Infrastructure |
| OAuth | Security and Infrastructure |
| Change App ID | Security and Infrastructure |
| Get App Info | Security and Infrastructure |
| Update App Info | Security and Infrastructure |
| Security Configuration | Security and Infrastructure | Add Note:While the Security Config resource is accessible to members assigned the Add privilege, they will not be able to navigate to it through the UI. Instead, they must enter the resource URL to access it. The URL will have the following format: |
| Update Security Configuration | Security and Infrastructure |
| Update Identity Store | Security and Infrastructure |
| Test Identity Store | Security and Infrastructure |
| SSL Certificates | Security and Infrastructure |
| SSL Certificate | Security and Infrastructure |
| Generate CSR | Security and Infrastructure |
| Export Certificate | Security and Infrastructure |
| Delete Certificate | Security and Infrastructure |
| Import Signed Certificate | Security and Infrastructure |
| Update Web Server Certificate | Security and Infrastructure |
| Generate Certificate | Security and Infrastructure |
| Import Root or Intermediate Certificate | Security and Infrastructure |
| Import Existing Certificate | Security and Infrastructure |
Federation
| Endpoint | Requirement |
|---|---|
| Federation | Servers |
| Federation Servers | Servers |
| Server | Servers |
| Validate Server | Servers |
| Update Server | Servers |
| Unfederate Server | Servers |
| Federate Servers | Servers |
| Validate Servers | Servers |
Machines
| Endpoint | Requirement |
|---|---|
| Machines | Default administrator role only |
| Status | Default administrator role only |
| Unregister Machine | Default administrator role only |
| Machine | Security and Infrastructure Note:While the Machine resource is accessible for members assigned the Security and Infrastructure, they will not be able to navigate to it through the UI. Instead, they must enter the specific machine URL to access its child resources and operations. The URL will have the following format: |
| Machine Status | Security and Infrastructure |
| SSL Certificates | Security and Infrastructure |
| Update Web Server Certificate | Security and Infrastructure |
| Generate Certificate | Security and Infrastructure |
| Import Root Or Intermediate Certificate | Security and Infrastructure |
| Import Existing Server Certificate | Security and Infrastructure |
| SSL Certificate | Security and Infrastructure |
| Generate CSR | Security and Infrastructure |
| Export Certificate | Security and Infrastructure |
| Delete Certificate | Security and Infrastructure |
| Import Signed Certificate | Security and Infrastructure |
Logs
| Endpoint | Requirement |
|---|---|
| Logs | Add | Manage Licenses | Link to Enterprise Groups | Security and Infrastructure | Organization Website | Collaborations | Member Roles | Servers | Utility Services |
| Query Logs | Add | Manage Licenses | Link to Enterprise Groups | Security and Infrastructure | Organization Website | Collaborations | Member Roles | Servers | Utility Services |
| Clean Logs | Security and Infrastructure | Servers |
| Log Settings | Add | Manage Licenses | Link to Enterprise Groups | Security and Infrastructure | Organization Website | Collaborations | Member Roles | Servers | Utility Services |
| Edit Log Settings | Security and Infrastructure | Servers |
License
| Endpoint | Requirement |
|---|---|
| License | Manage Licenses | Add privilege |
| Get Future License | Manage Licenses |
| Validate License | Manage Licenses |
| Import License | Manage Licenses |
| Release License | Manage Licenses |
| Populate License | Manage Licenses |
| Update License Manager | Manage Licenses |
Mode
| Endpoint | Requirement |
|---|---|
| Mode | Add | Manage Licenses | Link to Enterprise Groups | Security and Infrastructure | Organization Website | Collaborations | Member Roles | Servers | Utility Services |
| Update Mode | Default administrator role only |