Administrative Groups are new to ArcGIS Online with the June 2019 Update and they seem pretty useful. Eventually, they will make their way to ArcGIS Enterprise and they will be useful there as well. There is one feature they have, however, that limits their usefulness within ArcGIS Enterprise:
"Administrative groups offer an additional level of control for organizations because they prevent members from leaving the group unless they’re removed by a group owner or manager."
- https://www.esri.com/arcgis-blog/products/arcgis-online/administration/getting-to-know-administrativ...
Dang. Group Owners and Group Managers can remove someone from an Administrative Group? So close, but this is not the type of group I'm looking for.
I need an Administrative Group that is linked to Active Directory, wherein:
- Membership is controlled by Active Directory
- Group Owners and Group Managers are unable to remove someone from the group
- Accounts are automatically created for new users added to a group if one does not exist for them already
What possible use could this have? How about self-managing groups based on Organizational structures?!
Most Enterprises use Active Directory (AD). There is a method to the madness of AD. In most cases, the methodology is pretty simple. AD Users are organized into Units, Groups, Departments or something along those lines. With the above in place, an Administrator could:
- Create a new group in their Portal, let's call it the "Board of Directors" group.
- Set a person, let's say the "Chairman of the Board", whoever that person is, as the Group Owner
- Link the "Board of Directors" group to their AD group
When this happens, Portal would read the AD group and create accounts for any users in the AD group that did not already exist in the Portal, and add them to the "Board of Directors" group - which would be an "Administrative Group" that they could not leave without leaving the linked AD Group, which in most cases would probably mean the departing user is no longer on the Board of Directors.
When the user departs the linked AD group, they go back into the general pool of users or, if they are moved to a different AD-linked Administrative Group, poof, they get sucked into that Group.
I call it "Organizational Groups" because it's based on Organizational Structure. Let's see this in ArcGIS 10.10 / 11, whatever comes after 10.9.
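
The behaviour requested above, sketched as an added example that is not part of the original post and does not use any ArcGIS or Active Directory API: a directory-driven reconciliation over in-memory data, with manual removal refused on linked groups. All names (`PortalGroup`, `linked_ad_group`, `sync`, `remove_member`) and the sample users are hypothetical, and skipping a linked group whose AD group cannot be found, rather than emptying it, is a choice made for this example.

```python
from dataclasses import dataclass, field
from typing import Optional

class MembershipLocked(Exception):
    """Manual change attempted on a directory-controlled group."""

@dataclass
class PortalGroup:
    name: str
    owner: str
    linked_ad_group: Optional[str] = None  # hypothetical link to an AD group
    members: set = field(default_factory=set)

def remove_member(group, actor, user):
    """Manual removal path for owners and managers; refused on linked groups."""
    if group.linked_ad_group is not None:
        raise MembershipLocked(f"{actor} cannot remove {user}: {group.name} "
                               f"is controlled by {group.linked_ad_group}")
    group.members.discard(user)

def sync(ad_groups, accounts, groups):
    """Reconcile portal groups against the directory; return an audit trail."""
    actions = []
    for group in groups:
        if group.linked_ad_group is None:
            continue  # ordinary group, left to its owner
        if group.linked_ad_group not in ad_groups:
            # A failed lookup is not an empty group: do not wipe membership.
            actions.append(("skip_missing_ad_group", group.linked_ad_group, group.name))
            continue
        wanted = ad_groups[group.linked_ad_group]
        for user in sorted(wanted - accounts):
            accounts.add(user)  # auto-create the missing portal account
            actions.append(("create_account", user, ""))
        for user in sorted(wanted - group.members):
            group.members.add(user)
            actions.append(("add", user, group.name))
        for user in sorted(group.members - wanted):
            group.members.discard(user)  # account stays in the general pool
            actions.append(("remove", user, group.name))
    return actions

# Constructed sample data, not taken from any real directory.
AD_GROUPS = {"AD-Board": {"alice", "bob"}}
ACCOUNTS = {"alice", "dave"}
BOARD = PortalGroup("Board of Directors", "alice", "AD-Board", {"alice", "dave"})
STALE = PortalGroup("Old Committee", "dave", "AD-Deleted", {"dave"})
FIRST_RUN = sync(AD_GROUPS, ACCOUNTS, [BOARD, STALE])
```

The returned action list doubles as an audit record of every account creation and membership change the directory triggered.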