Improve security by allowing “authoritative” accounts to own but not edit or delete items

05-11-2021 09:56 AM
Status: Open
Occasional Contributor II

In our organization, authoritative publicly shared content gets transferred to a specific account. We would like that account to be able to own content, but not edit or delete it. If the account was ever compromised, not being able to edit or delete content would help protect the hundreds of items that the account owns.

People who create and maintain the public items can do so because they are members of groups that can update all items, so we don’t need the actual owner of the items to be able to update them.

There are some update tasks that only an item’s owner or an admin can do, such as overwriting layers and creating views. So we already need to leave ownership with the item’s creator in some cases, or have admins do those tasks, so adding this as an option wouldn’t make this workflow any better or worse.

As an admin, it would appear that you can set things up this way by disabling the “Allow member to create, edit, and delete their own content” privilege. But if you do that, the account can no longer own items either.

To make this work, even though the account should never be able to edit or delete, we would need it to be able to be a member of “update” groups so that it can share its items with the update groups, some of which it owns.