
Centralised management of (users), ArcGIS User Types and Roles through IdP

07-22-2025 02:53 AM
Status: Open
SimonSchütte_ct
MVP Regular Contributor

ArcGIS Enterprise should fully support centralised management of users, roles, and user types through the enterprise Identity Provider, eliminating the need for alternate ways of configuration.

There is an ArcGIS user property "Groups" that can be mapped to an "IdP-defined claim attribute" to auto-assign users to specific groups in ArcGIS Enterprise based on their IdP groups.
Configure a SAML-compliant identity provider with a portal—Portal for ArcGIS | Documentation for Arc...

Currently, only group membership can be controlled via IdP claims in ArcGIS Enterprise.
I propose that the same mechanism be extended to support 'role' and 'user type' as user properties mappable from IdP claims.
This way, Roles and User types can be managed globally by the IdP admin and synced without any delay.

Alternatively, I suggest enhancing group behaviour such that membership in a specific group also implies a default role and user type assignment.
Example:
- Users that are part of the IdP Group "GeodataViewers" will be part of the group with the same name in ArcGIS Enterprise. All Users that are part of this group will inherit the role and user type Viewer.
- Users that are part of the IdP Group "GeodataEditors" will be part of the group with the same name in ArcGIS Enterprise. All Users that are part of this group will inherit the role Publisher and user type Creator.
- Users that are part of the IdP Group "ArcGISProStandardAnalysts" will be part of the group with the same name in ArcGIS Enterprise. All Users that are part of this group will inherit the role Publisher and user type ProfessionalPlus.
- Users that are part of the IdP Group "GISIntern" will be part of the group with the same name in ArcGIS Enterprise. All Users that are part of this group will inherit the role Viewer and user type ProfessionalPlus. (For students doing an internship)

The assignment of Roles and User Types is not a task that any GIS Admin wants to handle or is able to handle. If you have more than a couple of users this will get out of hand quickly. Also, many larger organisations have compliance rules that require automated user management through a centralised system (the IdP).

If the GIS Department has new colleagues, they will just order a predefined set of permissions that will be valid for all connected systems, including ArcGIS Enterprise. Colleagues transferring from another department may gain new permissions (they join the GIS Department permissions group) or new interns will get restricted access (they are managed in an Interns group by the admins to limit access).

Benefits of this proposal:
- Automated, policy-based assignment of privileges.
- Compliance with enterprise identity governance policies.
- Elimination of manual administrative overhead for GIS admins.

[For simplicity, let's assume the organisation always has more than enough licenses, so there will be no issues during auto-assignment. (A fallback to the Viewer User Type is always possible to implement if no other User Type is available.)]

Based on this question: Re: Assign user type and role based on group membe... - Esri Community
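To make the proposed group-to-role/user-type behaviour concrete, here is a small added model of it (example code written for this page, not an existing ArcGIS Enterprise feature or API). It assumes the four groups from the example above, a policy ordered so that the restrictive GISIntern entry wins when a user is in several mapped groups, and a licence pool with the Viewer fallback described in the last paragraph; group names and licence counts are constructed.

```python
"""Model of the proposed IdP-group -> ArcGIS role / user-type mapping (constructed example)."""
from dataclasses import dataclass
from typing import Optional

# Policy: IdP group -> (ArcGIS role, ArcGIS user type), taken from the post's example.
# List order is the precedence when a user is in several mapped groups
# (assumption: the most restrictive entry comes first, so an intern stays an intern).
POLICY = [
    ("GISIntern",                 "Viewer",    "ProfessionalPlus"),
    ("GeodataViewers",            "Viewer",    "Viewer"),
    ("GeodataEditors",            "Publisher", "Creator"),
    ("ArcGISProStandardAnalysts", "Publisher", "ProfessionalPlus"),
]
FALLBACK_USER_TYPE = "Viewer"   # assigned when the mapped user type has no licence left


@dataclass
class Assignment:
    groups: list            # same-named ArcGIS Enterprise groups the user joins
    role: Optional[str]
    user_type: Optional[str]
    note: str = ""


def assign(idp_groups, licenses):
    """Derive ArcGIS groups, role and user type from the IdP 'Groups' claim values.

    idp_groups: group names carried in the IdP claim (e.g. a SAML 'Groups' attribute).
    licenses:   mutable dict user_type -> remaining licences; decremented on success.
    """
    matched = [entry for entry in POLICY if entry[0] in idp_groups]
    groups = [g for g, _, _ in matched]
    if not matched:
        # No mapped group: grant nothing rather than a default privilege.
        return Assignment([], None, None, note="no mapped IdP group; no access granted")
    _, role, user_type = matched[0]
    if licenses.get(user_type, 0) > 0:
        licenses[user_type] -= 1
        return Assignment(groups, role, user_type)
    if licenses.get(FALLBACK_USER_TYPE, 0) > 0:
        # The Viewer user type only supports the Viewer role, so the role is lowered too.
        licenses[FALLBACK_USER_TYPE] -= 1
        return Assignment(groups, "Viewer", FALLBACK_USER_TYPE,
                          note=f"{user_type} licences exhausted; fell back to Viewer")
    return Assignment(groups, None, None, note="no licence available")
```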