Access Notice Logging and Expiration Configuration

1231
3
11-16-2020 11:19 AM
Status: Open
JohnMDye
Occasional Contributor III

ArcGIS Enterprise 10.8.1 introduced the Access Notice, which is a great and fantastic capability for ensuring user's are informed of really important items. While the feature is very useful, it would be more useful with a couple of additional configuration options for logging user acceptance and expiration.

Logging options:
For heavily regulated industries, this capability could be used to require acceptance or acknowledgement of risks, data sensitivity, limitations and all sorts of other things. Half of the point of doing that is to ensure the user is informed and understands the issue. The other half of it is giving the administrator an audit trail to demonstrate that the user accepted or acknowledged, and it is this second half that is missing. It would be nice when configuring the access notice, to be able to configure it to keep a log - perhaps in a hosted table service - to keep track and have an auditable trail indicating which users have accepted/acknowledged and when. It's the simplest feature service with editor tracking enabled. Obviously however, this wouldn't work for Portal's with anonymous access enabled and I think that's fine as someone without an account is unlikely to need to be audited in the first place. Its typically the authenticated users that you need to track in this way.

Expiration
Currently, the acceptance just writes to a cookie, which is configured to expire with the browser session. That means that if a user visits your Portal 5 times in the same day using 5 different browser sessions, they will have to acknowledge/accept 5 different times. That doesn't seem logical. We really only need them to acknowledge/accept once every n-days. So I'd offer that there needs to be a configuration option here to allow us to set the expiration to a value that meets our organizational requirements. 

 

These two combined together would make for much more useful Access Notice capability.

3 Comments
by Anonymous User

@JohnMDye 

I would agree with the logging but on the same grounds I would say the prompt should be visible everytime.

If you are in an industry that is regulated enough to need the traceability of the acceptance, you would want that acceptance to be assigned to every "session" that a user is using the enterprise environment.

If you were auditing and found an issue, going to a user and saying "n days ago you accepted this" would not always be the most stable grounds. If you can say "at the start of your session, you accepted this" it would be much more effective.

JohnMDye

@Anonymous User I don't have any issue with an "Expiration" configuration setting that an Admin could set to 'Session', indicating that the User Acceptance is presented again with every new session and logged each time. That said, whether or not you need this message to be presented with every session is entirely dependent on the message being presented.

Let's step outside of the box of highly regulated industries for a moment and think about those who are not - as we all must do when thinking about how Esri technology should be implemented given that it is used in every industry imaginable.

  • What if you just wanted to use the Access Notice capability as a way to present the Terms of Service and require acceptance? Do you really want to present the ToS with every session? Probably not, that would get annoying very quickly.
  • What if you just wanted to use the Access Notice capability to present a code of conduct? Or maybe a privacy notice? 
  • What if you just wanted users to acknowledge that there is a maintenance window coming on MM/DD/YYYY from HH:MM:SS to HH:MM:SS and the platform will be unavailable, or maybe in Read Only mode during that time? Could you use a banner as a more passive way to present this information Sure! But you what if you want logging behind the acceptance. That would be a new thing for a banner to do, but not a modal dialog.

Ultimately, I don't think we're on different wavelengths. I'm just asking for logging of acceptance and  configurable Expiration setting.

AndryJoos

This idea is absolutley adressing an important capability for ArcGIS Enterprise.

We need to be able to set access notices in a way that every user needs to "accept" or "ok" it _only_ once (and not once per login session/browser session). This should be possible on an access notice level where we would have one, two or more notices that need to be individually accepted:

Example could be a ToS every user needs to accept, followed by a maintenance notification every user needs to read.