Adding a data store item to your portal makes it easier to share GIS data across your organization. As with all data in your organization, though, you also need to keep the data secure. One way to do that is to make the data available to only those who need it. Consider each person's role in the organization, what data each person needs to access, and how the data will be used. Once you've determined that, configure the following:
- Access to and privileges on the source data
- The ability to create data store items
- Access to data store items
- Access to the web layers published from the data store
Access to source data
How you control access to the source data location depends on the type of data store.
Group images in separate folders based on who needs access to the images.
For each shared folder, grant read privileges to the network login used to run the ArcGIS Image Server sites with which you will register the file share. Also grant read privileges on each file share to the logins of those who will publish the images from ArcGIS Pro. If anyone else needs to add imagery data to the folder, grant that person's login write access to the file share.
Create a database user who has only read access to the subset of feature classes and tables that you will publish in bulk from the data store item. Specific privileges vary by database, but the user needs the ability to connect to the database and select only the tables and feature classes to be published.
Users who will access the source data in the database from ArcGIS Pro or ArcMap to publish editable feature layers require privileges on the data that allows them to edit.
Create separate buckets or Blob storage containers and place different images in each cloud storage location based on who needs access to each set of images.
Register each cloud storage location as a separate data store item that you can then share with only those portal members who need access to that set of images.
Privileges to create data store items and publish layers
The portal administrator controls role membership for portal users. The default Publisher and Administrator roles automatically have the privileges required to create data store items, publish ArcGIS Server web layers, and bulk publish feature layers from database data store items in the portal. To have more control over who can create data store items, who can share the data stores with others, and what can be published from the data stores, portal administrators should use custom roles.
The following privileges under General Privileges > Content are required for a custom role whose members can create database data store items that will be used only for bulk publishing:
- Create, update, and delete
- Publish server-based layers
- Register data stores
- Create feature layers in bulk from a data store
The following privileges are required for a custom role whose members can create database data store items that will be used only for publishing from ArcGIS Pro or ArcMap:
- Create, update, and delete—Allows members to create and manage the data store item in the portal.
- Register data stores—Allows members to register the database with federated servers.
- Share with groups—This general Sharing privilege allows the data store creator to share the data store item with others so that they can publish to federated servers. Note that the users will need access to the exact database connection file (connecting to the same database as the same user) in ArcGIS Pro or ArcMap for this to be useful.
- Publish server-based layers—In most cases, it is the owner of the database data store item who will publish from the database in ArcGIS Pro or ArcMap, because doing so requires access to the same database credentials that were used when creating the data store item.
For folder and cloud data store items, you can have separate custom groups for those who create the data store items and those who publish from them. For roles whose members need to create data store items but do not need to publish, grant the following general Content and Sharing privileges:
- Create, update, and delete—Allows members to create and manage data store items.
- Register data stores—Allows members to register the folder or cloud location with federated servers.
- One or more of the following: Share with groups, Share with portal, Share with public—Which privileges you grant depends on who you want to allow access to the data store item: specific portal groups, all members of the portal, or anyone with access to the portal.
For roles whose members will create imagery layers from the data stores or publish to them from ArcGIS Pro, grant the following general Content privileges:
- Create, update, and delete—Allows members to create imagery layers in the portal.
- Publish server-based layers—Allows members to create or publish imagery layers (image services).
Access to data store items
Once you add the data store to the portal, share the data store item to make it available to the portal members who need to publish data from it. For database data store items, share the item with groups whose members will be publishing from ArcGIS Pro or using service definition files in ArcGIS Server Manager. When members of the group publish to one of the federated servers with which you registered the data store, ArcGIS Pro and the federated server recognize that the group members have access to the data store and will allow them to publish without having to register a data store separately.
You could share the data store item with the portal but, in most cases, you should restrict access to specific groups.
- Create a group in the portal.
- Add or invite portal members to the group who have privileges to publish ArcGIS Server web layers.
- Share the data store item with the group.
Only group members can access the data store and, therefore, only those members can publish the data it contains.
Access to web layers
Portal administrators and those who publish web layers determine who has access to the layers they publish from the data store by sharing the layers with groups, the portal, or everyone who has access to the portal.
If you use custom roles, publishers who will share the layers they create must belong to a role that has at least the general Sharing privilege to Share with groups. If you want to allow group members to share the layers with all portal members or anyone who has access to the portal, assign Share with portal or Share with public privileges.