Make ‘create group with update capabilities’ a non-admin privilege

01-08-2021 12:50 PM
Status: Open
Caitlin_Dickinson
New Contributor II

Currently, creating groups with update capabilities is an administrative privilege that can be assigned to a custom role. We’ve enabled our entire university community (6000+ users) to have this privilege in order to facilitate collaborative editing of StoryMaps, Web Apps, Web Maps, etc., which is a common need in class assignments and research projects (see collaboration models for ArcGIS Online). Assigning this privilege to a custom role which we automatically grant to new users relieves us of the administrative burden of creating groups for everyone that would like to collaborate on content. 

There is, however, an unfortunate side effect of this being an administrative privilege. When connecting to the GIS in ArcGIS Notebooks, every user now gets a warning stating they are signed in with an administrator role, and to proceed with caution:

Screen Shot 2021-01-08 at 3.42.11 PM.png

This is misleading and causes confusion, as our users do not have the administrator role assigned to them. Given that users without this ‘create group with update capabilities’ privilege can be members of shared update groups, and edit content therein, I’m not sure what distinguishes this as an administrative privilege.

I’m proposing that ‘create a group with update capabilities’ be made a non-administrative privilege in order to more easily facilitate collaboration amongst users.

7 Comments
RobertBorchert

I am confused. You wrote that you enabled 6000+ people to have administrator privileges so they can create groups, but then you wrote the warning is misleading because they do not have administrator role.

Aren't you worried about that many people being able to make changes to your GIS?

Caitlin_Dickinson

Hi @RobertBorchert,

There is a difference between a role and a privilege -- our users do not have the default administrative role assigned to them (giving them full administrative control from the entire suite of administrative privileges), simply this one privilege, which allows users to create their own Shared Update groups. Our users do not have any control over anyone else's content or the organization as a whole. 

RobertBorchert

They can be Creator - Publishers and create Groups

JeffTimm

By giving any administrative privilege you also give them all rights to any service on a federated ArcGIS Server. They can delete or edit any service. This is also an unfortunate side effect. I agree this makes things very difficult. It also is misleading. The fine grained permissions listed on portal do not correlate with the outdated security on the servers. I agree ESRI needs to get this fixed.

Caitlin_Dickinson

@RobertBorchert Yes, you can create regular groups with the publisher role, but not shared update groups.  One way in which shared update groups function differently than regular groups is that members of the group may edit the same map or app, without having to save their own copy.

'Create group with update capabilities' is the privilege that allows a user to create shared update groups, and this is what I'm asking to be made a non-admin privilege.

JeffShaw2

As the admin for our organization I support this idea. Another problem with adding it or any other "admin" privilege to a custom role is that the role cannot then be selected when a new account is created, and it cannot be used as a default role.

AmyWork3

I support:  that ‘create a group with update capabilities’ be made a non-administrative privilege in order to more easily facilitate collaboration amongst users.

Our University struggles with the same thing. We would like this function to be part of the new member defaults, however because it is listed as an admin privilege, we cannot automatically assign this to users to enable them to "create group with update capabilities."

Our current workaround is to have all members assigned a default role and then we transition them to a role that is not assigned as a new member default.

We haven't encountered the Notebook issue, but users are still ramping up on using those. Given the warning you are getting @Caitlin_Dickinson, that would confuse our users as well.