Make ‘create group with update capabilities’ a non-admin privilege

01-08-2021 12:50 PM
Status: Open
New Contributor II

Currently, creating groups with update capabilities is an administrative privilege that can be assigned to a custom role. We’ve enabled our entire university community (6000+ users) to have this privilege in order to facilitate collaborative editing of StoryMaps, Web Apps, Web Maps, etc., which is a common need in class assignments and research projects (see collaboration models for ArcGIS Online). Assigning this privilege to a custom role which we automatically grant to new users relieves us of the administrative burden of creating groups for everyone that would like to collaborate on content. 

There is, however, an unfortunate side effect of this being an administrative privilege. When connecting to the GIS in ArcGIS Notebooks, every user now gets a warning stating they are signed in with an administrator role, and to proceed with caution:

[Screenshot: the warning shown in ArcGIS Notebooks]

This is misleading and causes confusion, as our users do not have the administrator role assigned to them. Given that users without this ‘create group with update capabilities’ privilege can be members of shared update groups, and edit content therein, I’m not sure what distinguishes this as an administrative privilege.

I’m proposing that ‘create a group with update capabilities’ be made a non-administrative privilege in order to more easily facilitate collaboration amongst users.


@GeriMiller I did put in a case with tech support... and they confirmed that this is expected behavior. I can get you the emails and put you in touch with the tech I worked with if you'd like.



Please do share the case/put in touch.   


Another reason for supporting this idea... 

Esri recommends creating a customized Publisher role in order to grant the Create with Update Capabilities privilege to those who will be creating Hub initiatives, so they can create initiative core teams:


You can create initiatives (site only and content group) if you are assigned the default Publisher role. To create an initiative with engagement features, you must have a custom role based on the default Publisher role, plus the following administrative privileges:

  • The Create with update capabilities (Groups) privilege allows you to create a core team. The update capability means that anyone who's a member of the group (core team members) can update any item shared to the group.
  • The Assign Members (Groups) privilege allows you to add members directly to the core team without sending an invitation to their email. This privilege is recommended because it enables you to immediately share content with new core team or supporting team members. The next time that they sign in to ArcGIS Hub, they can read their notifications to know which team they've been added to and see any items that have been shared with the group.
  • The Make groups available to public (Sharing) privilege allows you to create events.

@GeriMiller confirmed with the Esri analyst I worked with that this behavior does indeed occur. When you create a custom role identical to publisher and add only the 'create with shared update' privilege, the user can then see every service in the organization. Interestingly, I'm working in ArcGIS Enterprise 10.8.1 and she said this behavior doesn't occur in ArcGIS Online, go figure. Since the posts for this idea are for ArcGIS Online, I created a new idea for ArcGIS Enterprise to make this privilege a non-admin privilege as well.