Skip To Content

ArcGIS Online Implementation Guidance

The following section identifies best practices to consider for ArcGIS Online. These best practices involve authentication, authorization, encryption, and application specific security settings that can improve the overall security posture of an organization's implementation of ArcGIS Online.

Application security settings

ArcGIS Online enables customers to increase the security posture of their organization by applying security settings as appropriate. When possible, it is encouraged customers follow the best practices below.

  • Allow only standard SQL queries.
    • Enforce parametrized queries by default to reduce the likelihood of SQL injection vulnerabilities
    • Aids in aligning with OWASP security industry best practices
  • Do not allow anonymous access to your organization unless required
  • Do not allow members to share content outside the organization unless required
  • For more information, see Configure security settings in the ArcGIS Online Help.


Authentication involves verifying the credentials in a connecting attempt to confirm the identity of the client.


Authorization is the process by which client permissions are verified prior to accessing a resource. This occurs after successful authentication.

ArcGIS Online empowers customers to specify more granular security permissions using custom roles. Custom roles add greater control and flexibility in assigning privileges to members of your organization.

  • Use a least-privilege model for managing roles within ArcGIS Online.
    • Four default roles exist—Administrator, publisher, user, and custom role
    • ArcGIS Online also allows the administrator to configure custom roles that can further refine privileges based on the specific workflows in an organization.
  • For more information, see Configure roles in the ArcGIS Online Help.


Encryption is the process of transforming data so that it is unreadable by those without a decryption key. ArcGIS Online empowers customers to protect data-in-transit by:

  • Requiring HTTPS to access their ArcGIS Online Organization
    • Protecting data-in-transit by forcing connections to use TLS 1.0 and above

Logging and Auditing

Logging involves recording events of interest from a system. Auditing is the practice of inspecting those logs to ensure system is functioning desirably or to answer a specific question about a particular transaction that occurred.

  • Use 'View Status' in your ArcGIS organization for a view of credit usage, content information, and details across all members and groups
  • Use "Download Activity Log" to query historical events occurred in an ArcGIS Online organization
  • Use the Operations Dashboard for ArcGIS to:
    • Monitor activities and events
    • Track your field workforce
    • Assess status and performance of daily operations
  • ArcGIS Online performs logging and auditing at the system level to align with FedRAMP Tailored Low requirements

Related content

For popular documents and presentations to learn about security, privacy and compliance for the ArcGIS Platform, please see Documents.