Manage User Permissions with Custom Roles

If there are members of your ArcGIS Organization who need access to Clean My Org (CMO), but you do not want them to be able to access everything within the product, you can manage their access and permissions with Custom Roles. These roles manage users within CMO only, and do not affect the abilities or permissions of those users within your ArcGIS Organizations.

Permission levels

Custom roles allow administrators to define specific permissions. The permission levels are as follows:

Super Users

This role has the highest level of access and control within Clean My Org, and is therefore the appropriate role for anyone administering the application and its access. Super Users are set in CMO’s configuration file, nodeconfig.json. They have full access to Clean My Org, including:

  • Managing Roles: Creating, editing, and assigning all custom roles and permissions within Clean My Org.

  • Configuration Access: Modifying application-level settings, such as enabling ArcGIS login authentication or managing user identities.

  • Full Permissions: Access to all scanning, reporting, and resolution tools across all content types (Items, Users, Groups, etc.) of the licensed ArcGIS organizations.

Scan and Resolution Permissions

Members of your ArcGIS Organization who regularly use Clean My Org to audit and manage content across the whole organization will most often fall into this category. CMO users at this level are able to:

  • Run Scans: Initiate and schedule scans for content, regardless of content owner

  • View Reports: Review the reports generated by any of the scans CMO has previously performed

  • Perform Resolutions: Utilize the built-in resolution tools to fix identified issues (e.g., deleting inactive users, unsharing content, updating metadata). This is the most sensitive permission, as it allows users to modify the ArcGIS organization's content.

Limited Scan Permissions

Some users may only need permission to use Clean My Org with a specific subset of content, such as content within certain groups, or only content they own. For those users, this permission level will be the most appropriate. Administrators can define which scans can be performed, on what content, and who can view the results.

Read-Only Users

Users who need to be able to review the results of scans in Clean My Org, but won’t be performing scans or determining resolutions, should be granted “Read-Only” access to CMO. Auditors or members of a security team may fall into this category. CMO users with this level of permission only have the ability to review reports of completed scans within CMO. They do not have the ability to apply fixes or resolutions.


How to Set Up Custom Roles in Clean My Org

Running with ArcGIS Login Credential

You can control access by requiring an ArcGIS login to access the Clean My Org client page:

  • Navigate to nodeconfig.json from the Clean My Org root directory as follows:

Clean My Org root directory/config/nodeconfig.json
  • In nodeconfig.json, set the following settings to allow for ArcGIS access:

"useArcGISAuth": { "enabled": true, "assignRoles": false, "superUsers": [] }
  • This will require an ArcGIS login from one of your licensed connectors to access the application.


Configuring Custom Roles

In addition to requiring an ArcGIS login to access the Clean My Org client, you can create custom roles for ArcGIS users that control which identities can access permissions for restoring and backing up data.

  • Navigate to nodeconfig.json from the Clean My Org root directory as follows:

Clean My Org root directory/config/nodeconfig.json
  • In nodeconfig.json, use the following settings to allow for customized roles:

"useArcGISAuth": { "enabled": true, "assignRoles": true, "superUsers": ["adminuser1", "your_admins_comm"] }
  • The superUsers that are defined in the nodeconfig file will have access to all identities and permissions, and will have access to set up the custom roles in Clean My Org. To begin configuring your custom roles, follow these steps:

  1. On the Clean My Org landing page, click the gear icon at the top right and navigate to the Manage Role tab. (Note: You must be a superuser to create and modify roles, so ensure that the step from the opening of Running with ArcGIS Login with Custom Roles is completed.)

[Image: Clean My Org Home Page with Gear Icon Highlighted]

[Image: Manage Roles in Settings Page]
  2. From the Manage Roles page, click the plus button to Add new Role, or click Edit Role in the Manage Role column of an existing role.

[Image: Manage Roles: Add New or Edit Existing Role]
  3. After clicking the Add new Role button or Edit Role button, you can select one or more of the following features:

    • From the Scan tab, you can select one or more available connectors for a user to scan content from. Allow Users to Scan can be toggled on/off to enable users with this role to access Clean My Org’s scanning feature. This gives a user access to On Demand Scans and Scheduled Scans.

      [Image: Scan Tab: Control Application Scanning Ability]
    • On the Resolution tab, you can select one or more available connectors for a user to view and handle resolved scan results that are found in the Scan History. Allow Users to View and Resolve Scanned Issues can be toggled on/off to enable users with this role to access the resolution features in Scan History.

      [Image: Resolution Tab: Control Access to Resolved Scan Issues]
      [Image: Scan History Accessibility]
    • On the Manage Identities tab, you can select which identities/connectors these role members can manage, including assigning credentials and changing locations. Allow Users to Manage Identities can be toggled on/off to enable users with this role to access the Clean My Org Managed Identities page.

      [Image: Manage Identities Tab: Control User Access to Selected Connectors]
    • And finally on the Assign Users tab, you can select which ArcGIS users from all of your connectors will be assigned to those roles and what features (in examples above) the user will have access to. If your organization has a large number of users, user details (Full Name, Username, and/or Org Url) can be added into the search box and the user search will query for that individual. (Note: An ArcGIS admin can only belong to one role.)

      [Image: Assign Role Tabs: Select Users for New/Modified Role]
  4. Once the settings are configured in Edit Roles, ensure that the input box at the top is populated with the title of the role, then click the Save Role button at the bottom of the page.

    [Image: Finalizing Edit Role Configure with Role Name and Save]

When the custom role feature is in use, a user who attempts to log in to Clean My Org without being assigned to a role will be returned to the initial authentication page. If this occurs, contact your administrator for access.
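The two useArcGISAuth settings shown above (login only, and login with custom roles) can be checked with a short script before they are relied on. This is an added example, not part of Clean My Org: it assumes useArcGISAuth is a top-level key of nodeconfig.json, the sample configurations and usernames are constructed, and the "nobody can manage roles" finding follows from this page's statement that only superusers can create and modify roles.

```python
import json

SMART_QUOTES = "\u201c\u201d\u2018\u2019"  # curly quotes pasted from documents break JSON

def audit_auth_config(text):
    """Return findings for the useArcGISAuth block of nodeconfig.json text."""
    if any(q in text for q in SMART_QUOTES):
        return ["typographic quotes found; use plain ASCII quotes"]
    try:
        config = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    # Assumption: useArcGISAuth is a top-level key of nodeconfig.json.
    auth = config.get("useArcGISAuth") if isinstance(config, dict) else None
    if not isinstance(auth, dict):
        return ["useArcGISAuth block is missing"]
    findings = []
    if auth.get("enabled") is not True:
        findings.append("enabled is not true: ArcGIS login is not required")
    roles_on = auth.get("assignRoles") is True
    if not roles_on:
        findings.append("assignRoles is not true: custom roles are not applied")
    supers = auth.get("superUsers")
    if not isinstance(supers, list) or not all(isinstance(u, str) and u.strip() for u in supers):
        findings.append("superUsers must be a list of non-empty usernames")
    else:
        if roles_on and not supers:
            findings.append("assignRoles is true but superUsers is empty: nobody can manage roles")
        # Heuristic (assumption): a comma inside one entry means several names share one string.
        findings += [f"superUsers entry {u!r} looks like several names in one string"
                     for u in supers if "," in u]
    return findings

# Constructed samples; the usernames are placeholders.
LOGIN_ONLY = '{"useArcGISAuth": {"enabled": true, "assignRoles": false, "superUsers": []}}'
ROLES_OK = '{"useArcGISAuth": {"enabled": true, "assignRoles": true, "superUsers": ["adminuser1"]}}'
ROLES_NO_SUPER = '{"useArcGISAuth": {"enabled": true, "assignRoles": true, "superUsers": []}}'
CURLY = '{"useArcGISAuth\u201d: {"enabled": true, "assignRoles": true, "superUsers": ["adminuser1"]}}'
MERGED = '{"useArcGISAuth": {"enabled": true, "assignRoles": true, "superUsers": ["adminuser1, adminuser2"]}}'

if __name__ == "__main__":
    for name, sample in [("LOGIN_ONLY", LOGIN_ONLY), ("ROLES_OK", ROLES_OK),
                         ("ROLES_NO_SUPER", ROLES_NO_SUPER), ("CURLY", CURLY), ("MERGED", MERGED)]:
        print(name, audit_auth_config(sample) or "ok")
```

To check a real file, pass the contents of config/nodeconfig.json to audit_auth_config instead of the constructed samples.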


Conclusion

In short, the custom roles feature in Clean My Org allows an administrator to delegate specific application functions, such as running scans, viewing reports, and making changes (resolutions), to other trusted users within their ArcGIS organization in a secure and controlled manner.