Working with groups

In this tutorial, you will learn to define policies for two different ArcGIS Portal groups. ArcGIS Portal groups allow you to organize users and assign permissions for a selected group of users only.

This tutorial was tested for ArcGIS Enterprise 11.5 in December, 2025.

Prerequisites

Check the preconditions for this tutorial:

  • security.manager NEXT is installed.

  • You can use five user accounts:

    • An administrative user account to administer security.manager and Portal.

  • Four non-administrative user accounts to test the access:

      • Alex is in groupX

      • Bob is in groupY

      • Charlie is in both groupX and groupY

      • Dana is neither in groupX nor groupY

  • The SampleWorldCities service is available in your environment, so you can restrict access to it for this tutorial.

This tutorial is based on the Basic policy tutorials, where you allowed authenticated users access to cities with a minimum population of 1'000'000 in the Cities (0) layer of the service SampleWorldCities and restricted access to all fields except POP_CLASS and POP_RANK. The service is shared with the organization. You can do this tutorial on its own, but keep in mind that your policy file might then look different.

Set group-based access

First, assign groupX instead of enhancedSecurity_authenticated to the policy of the tutorial Basic policy.

Get the group ID

To assign groupX to the policy, you need the ID of the ArcGIS Portal group.

  1. Log in to ArcGIS Portal with the admin account.

  2. Click on Groups and select groupX.

  3. Copy the group ID from the URL.

Replace the role

  1. Log in to security.manager Manager UI with the admin login.

  2. Go to the SampleWorldCities service, click the three-dot menu, and select Edit permissions.

  3. You should see the existing policy from the basic policy tutorial.

    The policy from the Basic policy tutorials:
    {
        "restrictions": {
            "population":{
                "type": "feature",
                "query": "pop >= 1000000"
            },
            "USA":{
                "type": "spatial",
                "featuretypeurl": "https://services.conterra.de/server/rest/services/security_demos/World_Countries/FeatureServer/0",
                "featurequery": "NAME = 'United States'",
                "imageoperation": "arcgis-clipping"
            },
            "reduced_fields":{
                "type": "field",
                "hiddenfields": [
                    "POP_CLASS",
                    "POP_RANK"
                ]
            }
        },
        "policies": [{
            "layers": [
                "0"
            ],
            "roles": ["enhancedSecurity_authenticated"],
            "restrictions": ["population", "USA", "reduced_fields"]
        }]
    }
  4. In the policies array, you can see that a policy is assigned to the predefined role enhancedSecurity_authenticated.

  5. Replace enhancedSecurity_authenticated with the ID of groupX.

    Assuming the ID is 0123456789abcdef0123456789abcdef, your policy looks like:

    {
        "restrictions": {
            "population":{
                "type": "feature",
                "query": "pop >= 1000000"
            },
            "USA":{
                "type": "spatial",
                "featuretypeurl": "https://services.conterra.de/server/rest/services/security_demos/World_Countries/FeatureServer/0",
                "featurequery": "NAME = 'United States'",
                "imageoperation": "arcgis-clipping"
            },
            "reduced_fields":{
                "type": "field",
                "hiddenfields": [
                    "POP_CLASS",
                    "POP_RANK"
                ]
            }
        },
        "policies": [{
            "layers": [
                "0"
            ],
            "roles": ["0123456789abcdef0123456789abcdef"],
            "restrictions": ["population", "USA", "reduced_fields"]
        }]
    }
  6. Click Save changes and restart to apply the modified policy.

Use properties for group names

Using the ID directly in the policy is hard to read because nothing tells you which group has the ID 0123456789abcdef0123456789abcdef. You can use a property for the ID instead. This makes it easier to update IDs or policies later.

If you have different environments for testing, staging and production, group IDs may differ. With properties you can share the same policies across these environments and only change the property values.

Properties allow you to define variables that can be referenced throughout your policy, making it more readable and maintainable.

Add a property to the policy of the previous tutorial.

  1. Open the permissions editor in the security.manager NEXT Manager UI.

  2. Add a new line before "restrictions".

  3. Press Ctrl+Space and select properties > new property.

    Now you have created a properties object with a placeholder for a property.

    {
        "properties": { (1)
            "key": "value" (2)
        },
        "restrictions": {
            "population":{
                "type": "feature",
                "query": "pop >= 1000000"
            },
            "USA":{
                "type": "spatial",
                "featuretypeurl": "https://services.conterra.de/server/rest/services/security_demos/World_Countries/FeatureServer/0",
                "featurequery": "NAME = 'United States'",
                "imageoperation": "arcgis-clipping"
            },
            "reduced_fields":{
                "type": "field",
                "hiddenfields": [
                    "POP_CLASS",
                    "POP_RANK"
                ]
            }
        },
        "policies": [{
            "layers": [
                "0"
            ],
            "roles": ["0123456789abcdef0123456789abcdef"],
            "restrictions": ["population", "USA", "reduced_fields"]
        }]
    }
    1 The properties object where you can define all properties.
    2 A placeholder for a property. The key is the readable name that has to be unique, the value can be the group ID.
  4. Replace key with groupX and value with the group ID to configure the property.

  5. Replace the ID in the roles array with ${groupX}.
    ${groupX} is used to reference the property.

    The policy should now look like this:

    {
        "properties": {
            "groupX": "0123456789abcdef0123456789abcdef"
        },
        "restrictions": {
            "population":{
                "type": "feature",
                "query": "pop >= 1000000"
            },
            "USA":{
                "type": "spatial",
                "featuretypeurl": "https://services.conterra.de/server/rest/services/security_demos/World_Countries/FeatureServer/0",
                "featurequery": "NAME = 'United States'",
                "imageoperation": "arcgis-clipping"
            },
            "reduced_fields":{
                "type": "field",
                "hiddenfields": [
                    "POP_CLASS",
                    "POP_RANK"
                ]
            }
        },
        "policies": [{
            "layers": [
                "0"
            ],
            "roles": ["${groupX}"],
            "restrictions": ["population", "USA", "reduced_fields"]
        }]
    }
  6. Click Save changes and restart.

If you or a colleague open the permissions later, you can immediately see that the policy is assigned to the group groupX.

Add a permission for a second group

Now create a policy for groupY allowing access to

  • the Cities (0) layer for all cities starting with S.

  • the Continent (1) layer.

Add property groupY

First add a property for groupY.

  1. Copy the ID of groupY in the ArcGIS Portal.

  2. Open the permissions editor in the security.manager NEXT Manager UI.

  3. Add a comma and a new line after the property groupX in the properties object.

  4. Create a property groupY with the ID as value.

    Now your policy starts with a properties object with two elements.

    {
        "properties": {
            "groupX": "0123456789abcdef0123456789abcdef",
            "groupY": "abcdef0123456789abcdef0123456789"
        },
        "restrictions": {
            "population":{
              ...

Define a restriction

Add a feature restriction to filter all cities starting with S.

  1. Before the population restriction, add a new line.

  2. Enter "cities_starting_with_s": and select Feature restriction to get the template.

    To reopen the selection if needed, press Ctrl+Space.

  3. Replace the query value with "CITY_NAME LIKE 'S%'".

Now your policy contains a second feature restriction. The file should start with:

{
    "properties": {
        "groupX": "0123456789abcdef0123456789abcdef",
        "groupY": "abcdef0123456789abcdef0123456789"
    },
    "restrictions": {
        "cities_starting_with_s":{
            "type": "feature",
            "query": "CITY_NAME LIKE 'S%'"
        },
        "population": {
            "type": "feature",
            "query": "pop >= 1000000"
        },
          ...

Add a policy for Cities

Create a policy to allow groupY access to the Cities (0) layer restricted to city names starting with S.

While editing a policy, press Ctrl+Space to display available examples, descriptions, and code snippets.

  1. Go to the policies array and add a comma and a new line after the existing policy object.

  2. Press Ctrl+Space and select {"layers":[],"roles":[]} to get a template.

  3. For layers, add a 0 inside the quotes.

  4. For roles, add a reference to the groupY property.

  5. Add a comma and a new line after the roles array.

  6. Add a restrictions array.

  7. Add "cities_starting_with_s" to the array.

Your policies object contains two policies, one to allow access for groupX and one to allow access for groupY. The file should end with:

    ...
    "policies": [
        {
            "layers": [
                "0"
            ],
            "roles": ["${groupX}"],
            "restrictions": ["population", "USA", "reduced_fields"]
        },
        {
            "layers": [
                "0"
            ],
            "roles": ["${groupY}"],
            "restrictions": ["cities_starting_with_s"]
        }
    ]
}

Add a policy for Continent

Finally, add a policy to allow groupY access to the Continent (1) layer.

  1. Go to the policies array and add a comma and a new line after the existing policy objects.

  2. Press Ctrl+Space and select {"layers":[],"roles":[]} to get a template.

  3. For layers, add a 1 inside the quotes.

  4. For roles, add a reference to the groupY property.

    The file should now look like:

    {
        "properties": {
            "groupX": "0123456789abcdef0123456789abcdef",
            "groupY": "abcdef0123456789abcdef0123456789"
        },
        "restrictions": {
            "cities_starting_with_s":{
                "type": "feature",
                "query": "CITY_NAME LIKE 'S%'"
            },
            "population":{
                "type": "feature",
                "query": "pop >= 1000000"
            },
            "USA":{
                "type": "spatial",
                "featuretypeurl": "https://services.conterra.de/server/rest/services/security_demos/World_Countries/FeatureServer/0",
                "featurequery": "NAME = 'United States'",
                "imageoperation": "arcgis-clipping"
            },
            "reduced_fields":{
                "type": "field",
                "hiddenfields": [
                    "POP_CLASS",
                    "POP_RANK"
                ]
            }
        },
        "policies": [
            {
                "layers": [
                    "0"
                ],
                "roles": ["${groupX}"],
                "restrictions": ["population", "USA", "reduced_fields"]
            },
            {
                "layers": [
                    "0"
                ],
                "roles": ["${groupY}"],
                "restrictions": ["cities_starting_with_s"]
            },
            {
                "layers": [
                    "1"
                ],
                "roles": ["${groupY}"]
            }
        ]
    }
  5. Click Save changes and restart to apply the updated policy.

You restricted the access to the groups:

  • groupX has access to

    • the Cities (0) layer restricted to

      • cities with a population of at least 1 million

      • features inside the US

      • all fields except POP_CLASS and POP_RANK

  • groupY has access to

    • the Cities (0) layer restricted to

      • city names starting with S

    • the Continent (1) layer

Verify configuration

To verify the previous configuration, access the SampleWorldCities service with all four users and repeat these steps with each of them.

  1. Open a private browser.

  2. Go to the ArcGIS REST Services Directory and log in.

  3. Navigate to the service metadata of the SampleWorldCities service.

  4. Click on ArcGIS Online Web Viewer in the View In: section of the service metadata.

  5. Compare the behavior with the expected behavior.

User Alex

The user Alex is in group groupX and can access only

  • the Cities (0) layer restricted to

    • cities with population >= 1 million and

    • cities within the United States

    • Fields POP_RANK and POP_CLASS are hidden

User Bob

The user Bob is in group groupY and can access only

  • the Cities (0) layer restricted to

    • cities whose names start with S.

  • the Continent (1) layer without restrictions.

  • All fields are visible and no field restrictions are applied.

User Charlie

The user Charlie is in group groupX and groupY. security.manager applies a union of all applicable policies. Therefore, he can access

  • the Cities (0) and Continent (1) layers (union of layer access).

  • the Cities (0) layer is restricted to features that meet all the following restrictions:

    • Cities with population >= 1 million and cities starting with "S" (intersection of restrictions)

    • Only within the United States (spatial restriction still applies)

    • Fields POP_RANK and POP_CLASS remain hidden (field restriction still applies)

  • the Continent (1) layer is not restricted.

The result is that the user sees a very limited set of cities on layer 0 — only large US cities starting with "S". This demonstrates that the combination of multiple restrictions results in the most restrictive access.

User Dana

The user Dana is in none of the groups. Therefore, she cannot access the content and only sees

  • the service metadata without layers and

  • no features in the map.
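The following script is an added worked example for this tutorial; it is not code from security.manager NEXT and does not use its evaluation engine. It models what the sections Use properties for group names and Verify configuration describe: ${...} references in the roles arrays are resolved against the properties object, references to undefined properties or unknown restriction names are reported before the policy is saved, and the effective access per layer is computed for the four test users. The evaluation rules are an assumption taken from the text above (a user gets the union of the layers of all policies whose roles match one of the user's groups, and every restriction of every matching policy applies, so features must satisfy all of them). The group IDs are the tutorial's placeholder IDs, the user memberships are constructed sample data, and the function names resolve_roles, validate, effective_access and hidden_fields are the example's own.

```python
"""Added example: model of the tutorial's group policy (not security.manager code)."""
import json
import re

# The policy from the end of the tutorial, with the tutorial's placeholder group IDs.
POLICY_TEXT = r'''
{
  "properties": {
    "groupX": "0123456789abcdef0123456789abcdef",
    "groupY": "abcdef0123456789abcdef0123456789"
  },
  "restrictions": {
    "cities_starting_with_s": {"type": "feature", "query": "CITY_NAME LIKE 'S%'"},
    "population": {"type": "feature", "query": "pop >= 1000000"},
    "USA": {"type": "spatial",
            "featuretypeurl": "https://services.conterra.de/server/rest/services/security_demos/World_Countries/FeatureServer/0",
            "featurequery": "NAME = 'United States'",
            "imageoperation": "arcgis-clipping"},
    "reduced_fields": {"type": "field", "hiddenfields": ["POP_CLASS", "POP_RANK"]}
  },
  "policies": [
    {"layers": ["0"], "roles": ["${groupX}"], "restrictions": ["population", "USA", "reduced_fields"]},
    {"layers": ["0"], "roles": ["${groupY}"], "restrictions": ["cities_starting_with_s"]},
    {"layers": ["1"], "roles": ["${groupY}"]}
  ]
}
'''
POLICY = json.loads(POLICY_TEXT)

# Constructed sample data: Portal group membership of the four test users, as group IDs.
GROUP_X = "0123456789abcdef0123456789abcdef"
GROUP_Y = "abcdef0123456789abcdef0123456789"
USERS = {
    "Alex": {GROUP_X},
    "Bob": {GROUP_Y},
    "Charlie": {GROUP_X, GROUP_Y},
    "Dana": set(),
}

PROPERTY_REF = re.compile(r"\$\{([^}]+)\}")


def resolve_roles(policy):
    """Return a copy of the policy with every ${name} in a roles array replaced
    by the value of that property. A reference to an undefined property raises
    KeyError, so a typo such as ${groupZ} fails loudly instead of silently
    matching no user."""
    props = policy.get("properties", {})
    resolved = json.loads(json.dumps(policy))  # deep copy, original stays untouched
    for entry in resolved["policies"]:
        entry["roles"] = [PROPERTY_REF.sub(lambda m: props[m.group(1)], r)
                          for r in entry["roles"]]
    return resolved


def validate(policy):
    """Return a list of problems: undefined properties or unknown restriction names."""
    problems = []
    props = policy.get("properties", {})
    known = set(policy.get("restrictions", {}))
    for i, entry in enumerate(policy["policies"]):
        for role in entry["roles"]:
            for name in PROPERTY_REF.findall(role):
                if name not in props:
                    problems.append(f"policy {i}: undefined property ${{{name}}}")
        for name in entry.get("restrictions", []):
            if name not in known:
                problems.append(f"policy {i}: unknown restriction {name}")
    return problems


def effective_access(policy, groups):
    """Map layer id -> sorted restriction names that apply to a user with the
    given group IDs. Layers of all matching policies are unioned; the
    restrictions of all matching policies are collected, so the user only sees
    features that satisfy every one of them (the intersection shown for Charlie).
    A layer with an empty list is accessible without restriction."""
    access = {}
    for entry in resolve_roles(policy)["policies"]:
        if not groups.intersection(entry["roles"]):
            continue
        for layer in entry["layers"]:
            access.setdefault(layer, set()).update(entry.get("restrictions", []))
    return {layer: sorted(names) for layer, names in access.items()}


def hidden_fields(policy, groups, layer):
    """Union of the hiddenfields of all field restrictions applying to the layer."""
    hidden = set()
    for name in effective_access(policy, groups).get(layer, []):
        restriction = policy["restrictions"][name]
        if restriction["type"] == "field":
            hidden.update(restriction["hiddenfields"])
    return sorted(hidden)


if __name__ == "__main__":
    print("validation problems:", validate(POLICY) or "none")
    for user, groups in USERS.items():
        print(user, effective_access(POLICY, groups))
```

Running the script prints no validation problems, layer 0 with three restrictions for Alex, layer 0 with one restriction and layer 1 unrestricted for Bob, both layers with all four restrictions on layer 0 for Charlie, and no layers at all for Dana, which matches the expected behaviour listed for the four users above.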

Summary

In this tutorial, you learned how to define policies for different user groups and what effect it has on a user with multiple groups. For further details on policies, refer to Policies in the reference.

In the Fallback policy tutorial you will learn to configure restrictions for users whose role does not match any other policy.