In AGOL content descriptions, don't expose usernames - use an alias, name or title

01-15-2016 09:35 AM
JeffShaw2
Occasional Contributor II

When AGOL for Organizations content is shared with Public, its description includes:

Shared by: <a username>
Please allow displaying an alias, title or full name rather than username.
Exposing usernames creates a security risk with cloud-based content that doesn't sit behind a firewall, since all it takes for someone to gain access to Organizational content is one compromised account, and exposing account usernames makes that much more likely.


Worse yet, when organizations use federated Enterprise logins, the same account credentials allow access to payroll, email, source code, and other cloud-based solutions. And unfortunately, AGOL doesn't support multifactor authentication when enterprise logins are used.

To make implementation of this easy for existing and new accounts, create an ALIAS account property and have it default to username, but allow members (or at least an administrator) to change it.

Also, if people could have an official title displayed rather than username (such as "X County Records Officer") it would help organizations avoid needing to create extra AGOL accounts with these names for purposes of conveying official content. (And if wanting all members to only log in with enterprise logins, having title-based account names means they need to be created in the enterprise directory, which some organizations might not allow.)

6 Comments
ThomasColson

Some Privacy Officers "could" interpret the presence of the full user name as PII...

jcokin1

Thomas is correct. This is too much information and ESRI needs to correct this for the AGOL community. For those who do not know what PII is, see the link below.

Personally identifiable information - Wikipedia 

An alias system is much needed and hopefully this is an issue that can get more traction.

JanWeststeyn

I agree. In our multi business line organisation, with multiple AGOL instances specific to each business line, being able to publicly share 'official' data from what looks like a single account can only really be achieved via aliasing.

curtvprice

Our SSO logins expose the user's email to AGOL as the username. An alias would get around this.

vnixon

I think this is a great idea to add a unique and changeable display username that can be displayed instead of the internal username. When we chose an account username we unfortunately chose an IT-descriptive name that means nothing to the public, not realizing that it would be so visible. It would take a lot of work to change it at this point.

In addition to the security aspect, our organization's original and authoritative data is sometimes getting overlooked amid the growing quantity of non-authoritative and derived data. Having an easily editable unique alias would make it a lot easier for our public data users to find the right data for their work.

Thanks for considering,

Veronica

BernSzukalski

A practice that I promote is to use a unique persona for publicly published content, at least for top-tier content that comes from the organization. Using a persona that represents the organization eliminates some of the challenges mentioned in the thread above, and is a pretty clean way to put an authoritative roof over your public content. Individual members of the org work on the content, then an admin pushes it out to a profile representing the organization. I personally would think this is much easier than expecting Esri to implement aliases - you already can!

Examples (just quick ones I searched for, there are many examples):

https://onlinelabs.maps.arcgis.com/home/user.html?user=City_of_Minneapolis

https://onlinelabs.maps.arcgis.com/home/user.html?user=UtahSITLA

See the "Create a profile for your organization" section in this blog article:

https://www.esri.com/arcgis-blog/products/arcgis-online/sharing-collaboration/create-a-great-profile...