Option to Restrict the 'Reassign Ownership' privilege based on Administrative Groups, or similar

794
4
08-20-2021 09:44 AM
Status: Open
AaronKoelker
Occasional Contributor III

This could be an incredibly situational/niche need, but it's something we've run into pretty frequently over the past several years, and perhaps there are other similar organizations that could benefit from a solution.

Our organization and staff are scattered across a large geographic area and grouped into several divisions/offices. Our GIS is somewhat decentralized, and so each of these divisions/offices has a 'GIS Coordinator' responsible for their program or division. These coordinators have been provided a custom user role in ArcGIS Online that falls somewhere between a default Publisher role and a default Admin role, giving them elevated privileges such as the ability to view all content, create groups with the 'Shared Update' capability, access advanced features like ArcGIS Notebooks, etc. Things needed to support their  specific programs without having to constantly reach out to admins.

One capability that keeps coming up for discussion is the ability to reassign ownership of content. Staff leave, positions change, and we often need to redistribute a bunch of existing content to one or more new owners. This is a task best suited for the GIS Coordinator for the program area, since they know the staff, the work, and the content best. But as it is now, this capability in ArcGIS Online is all or nothing -- any user who has it is able to reassign the ownership of anything in the organization -- and so we have concerns enabling this permission for coordinators, as they could potentially reassign important content outside of their program area. The current process is for the GIS Coordinators to reach out to an admin and hash out what content needs to go where, which "works" but isn't very efficient or ideal.

We've thought about leveraging Administrative Groups for this, which seem to have been added for organizations like ours, however we don't see a way to limit the ability to reassign ownership based on these groups. I'm not sure if it is technically feasible to update the Administrative Groups to allow for this kind of functionality, since they seem mostly based on the regular Groups with the added ability to prevent people from leaving---but ideally, if possible, it would be nice to have an additional 'Reassign Ownership' privilege added to the custom role options that is limited by Administrative Groups. Or some other similar solution like sub-organizations for users, but that sounds like it would much more difficult to implement.

 

 

 

4 Comments
PeterKnoop

As organizations grow in size, it feels like trying to solve issues like this with privileges might not scale all that well. I expect many large orgs have to follow data security or privacy rules that limit how many folks should legitimately have access to everything in the system. And, those few folks likely don't have the time to handle lots of ownership change requests. Roles like GIS Coordinators might require limited scope based on those data security rules -- access to their division's content being appropriate, but not to other divisions' content -- however, with no scoping of access for ArcGIS Online content you may not be permitted to even have such roles.

Perhaps another way to address this is to put the power of transferring ownership in the combined hands of the owner of the content and the person who is receiving it. The content owner could select one or more items and specify a receiving user. That would trigger notification to the receiving user, and they could review the list of content and choose to accept or reject the items.

Such a workflow eliminates the need to involve an Administrator, who in a large organization these days, likely knows nothing about the individual users or their content. The two-step process also prevents one user from spamming another with content, intentionally or unintentionally. And, this approach could provide an audit trail for the transfer.

@AaronKoelker would a workflow like that address be compatible with your needs?

(In practice, because we are a large organization and have strict data privacy requirements that severely limit the number of admins, we opted to implement such a workflow using survey forms and scripts. An admin still has to get involved to run the actual ownership transfer, but only after both the original and new owners of the content have already given their approval. Ideally we would like to take the admin out of the equation entirely, as this sort of workload does not scale.)

AaronKoelker

@PeterKnoop 

I think that solution would definitely be a welcome improvement. We do often have cases though where someone leaves the org and their coworkers either forget or didn't realize their AGO account held some important content until after they are gone. This solution wouldn't help in those instances, unfortunately. I also worry that some users might not understand how certain items are connected and reliant upon one another when transferring them (especially Survey123 projects), whereas our coordinators generally would be. Ideally they would work together though and that wouldn't be a problem.

PeterKnoop

@AaronKoelker Good point about a coordinator-type-person perhaps being the only one that has a full understanding of the situation; an admin likely has no idea what individuals are up to, and users may not fully understand what is dependent on what.

GregYoung2

@AaronKoelker thank you for this post.  This is sorely needed in my organization as well.  Having privileged users who could manage content in specific administrative groups would ease the burden on the administrators (ie me) and also provide a better experience for our users.