In AGOL content descriptions, don't expose usernames - use an alias, name or title

01-15-2016 09:35 AM
Occasional Contributor II

When AGOL for Organizations content is shared with Public, its description includes:

Shared by: <a username>
Please allow displaying an alias, title or full name rather than username.
Exposing usernames creates a security risk with cloud-based content that doesn't sit behind a firewall, since all it takes for someone to gain access to Organizational content is one compromised account, and exposing account usernames makes that much more likely.

Worse yet, when organizations use federated Enterprise logins, the same account credentials allow access to payroll, email, source code, and other cloud-based solutions. And unfortunately, AGOL doesn't support multifactor authentication when enterprise logins are used.

To make implementation of this easy for existing and new accounts, create an ALIAS account property and have it default to username, but allow members (or at least an administrator) to change it.

Also, if people could have an official title displayed rather than username (such as "X County Records Officer") it would help organizations avoid needing to create extra AGOL accounts with these names for purposes of conveying official content. (and if wanting all members to only log in with enterprise logins, having title-based account names means they need to be created in the enterprise directory, which some organizations might not allow).


Some Privacy Officers "could" interpret the presence of the full user name as PII...


Thomas is correct. This is too much information and ESRI needs to correct this for the AGOL community. For those who do not know what PII is, see the link below.

Personally identifiable information - Wikipedia 

An alias system is much needed and hopefully this is an issue that can get more traction.


I agree. In our multi business line organisation, with multiple AGOL instances specific to each business line, being able to publicly share 'official' data from what looks like a single account can only really be achieved via aliasing.


Our SSO logins expose the user's email to AGOL as the username. An alias would get around this.