Organizational Groups

192
2
11-12-2020 12:29 PM
Status: Open
Regular Contributor

Administrative Groups are new to ArcGIS Online with the June 2019 Update and they seem pretty useful. Eventually, they will make their way to ArcGIS Enterprise and they will be useful there as well. There is one feature they have however, that limits their usefulness within ArcGIS Enterprise:

"Administrative groups offer an additional level of control for organizations because they prevent members from leaving the group unless they’re removed by a group owner or manager."
https://www.esri.com/arcgis-blog/products/arcgis-online/administration/getting-to-know-administrativ...

Dang. Group Owners and Group Managers can remove someone from an Administrative Group? So close, but this is not the type of group I'm looking for. 

I need an Administrative Group that is linked to Active Directory, wherein:

  • Membership is controlled by Active Directory
  • Group Owners and Group Managers are unable to remove someone from the group
  • Accounts are automatically created for new users added to a group if one does not exist for them already

 

What possible use could this have? How about self-managing groups based on Organizational structures?!

Most Enterprises use Active Directory (AD). There is a method to the madness of AD. In most cases, the methodology is pretty simple. AD Users are organized into Units, Groups, Departments or something along those lines. With the above in place, an Administrator could:

  1. Create a new group in their Portal, let's call it the "Board of Directors" group.
  2. Set a person, let's say the "Chairman of the Board" whoever that person is, as the Group Owner
  3. Link the "Board of Directors" group to their AD group

When this happens, Portal would read the AD group and create accounts for any users in the AD group that did not already exist in the Portal, and add them to the "Board of Directors" group - which would be an "Administrative Group" that they could not leave without leaving the linked AD Group, which in most cases would probably mean the departing user is no longer on the Board of Directors.

When the user departs the linked AD group, they go back into the general pool of users or, if they are moved to a different AD linked Administrative Group, poof they get sucked into that Group.

I call it, "Organizational Groups" because its based on Organizational Structure. Let's see this in ArcGIS 10.10 /11 whatever comes after 10.9

2 Comments

Hi John,

Are you talking about Portal for ArcGIS groups that are based on your Windows accounts? Just wanted to make sure you're talking about something other than enterprise groups: 

https://enterprise.arcgis.com/en/portal/latest/administer/windows/create-groups.htm#ESRI_SECTION1_5E...

-Calvin

Hi @CalvinLietz , thanks for the response. I suppose ultimately I am actually talking about an improvement to Enteprrise Groups. There is one main thing preventing me from leveraging them in the way I want (or perhaps I just don't know how?)

As far as I know, currently you can link an Portal Group to an AD Group, but you have to create that Portal Group manually and specify the group it should link to. This is a good feature for long-running projects or projects with large numbers of users, but it doesn't serve the need of grouping colleagues together well because no one is going to manually create that many groups and link them to the appropriate AD groups.

I want the Portal, when a user account is added to automatically figure out which organizational unit belongs to based on the AD Metadata I provide it, and automatically put that user into a Portal group with that Organizational Unit ID/Name or whatever AD Meta I provide it.

If a group does not already exist, then the Portal should create that group. Existing users should also be joined to their respective Organizational Groups as determined by AD.

This would allow end users to more easily share content with their sibling teams and customers. Rather than having to create a special group for their customers and actively manage it, they could just share it with the organizational groups they know those individuals belong to.