
ArcGIS Governance in Education: User Management and Offboarding

05-11-2025 05:18 AM
GeriMiller
Esri Regular Contributor

INTRODUCTION


To access ArcGIS, one needs an account or login – an identity - which is tied to a Named User in ArcGIS Online. Via this Named User model, ArcGIS users (also called members of the ArcGIS Online organization) get access to a suite of ArcGIS web, mobile, and desktop applications.

As ArcGIS Online usage grows across educational institutions, an increasing number of Named User licenses is required. Since the number of Named Users is not unlimited, Education customers need to proactively manage their quota of named users. With the cyclical nature of incoming and graduating students, it is important to think about governance standards related to Named Users, including offboarding of graduating students.

This is part of a broader message of governance in Education - setting institution-wide standards and policies that apply to how Named Users, and their associated content, are managed. Such a governance plan for managing ArcGIS is a key component in planning for institutional growth in GIS.

The purpose of this blog is not to address everything that goes into a governance plan, rather, to focus specifically on Named Users, which ultimately encompasses considerations for content and groups.

This post is part of a 5-blog series.

NAMED USERS IN ARCGIS ONLINE – UNDERSTANDING

Understanding of named user model

Named User licensing is based on a login or account associated with a user. Therefore, every member of the organization has their own login or identity. Various applications are accessed via this login. When a named user signs into an application, such as ArcGIS Pro, they are authenticated and authorized via ArcGIS Online to access the application.

ArcGIS Online has a flexible system for adding members to an ArcGIS Online organization. Organizations add members by inviting them to join or adding them directly - check documentation here. Given the constant addition of new members (students, faculty, staff), a recommended best practice is to use SAML logins (previously known as enterprise logins), which leverage the institution's authoritative systems for authentication and authorization. Such integration with the institutional identity store, versus manually adding users, will save valuable time and effort.

It is not possible to transfer named users between different ArcGIS Online organizations. It is possible to have named user accounts in multiple ArcGIS Online organizations. Named Users from one organization can be invited to Groups in a different organization, which provides read-only access.

Understanding patterns of named users in Education

For institutions with an Education Institution Agreement, the license is meant to serve the entire campus community. Therefore, the potential user base includes your entire institution. In reality, not every student, faculty member and staff member uses ArcGIS; rather, a fraction of the population does.

In some instances, members are part of a “GIS-centric” community, such as GIS instructors, students in GIS courses, staff in GIS roles, etc., who use a wide variety of ArcGIS products. Increasingly, a much larger, “non-GIS-centric” community is leveraging web-based, simple ArcGIS tools for their work or studies. This includes all other disciplines outside of GIS/Geography.

For the purpose of user management and ArcGIS administration, it is easier and simpler to treat the above groups equally, providing all of them with the same ArcGIS access and licensing.

The nature of Education organizations is such that there is a constant influx of incoming students who are enrolling in GIS courses or using the technology in various disciplines (as part of course work or research projects). Ultimately these students graduate, so there is a constant cycle of onboarding/offboarding.

Understanding how your institution handles other technologies

Consult your IT colleagues/centralized IT support to determine if there are existing institutional data governance practices that need to be applied to ArcGIS Online. If not, then your IT colleagues can also be a resource for helping develop data governance practices for ArcGIS Online, based on existing institutional data governance practices for similar systems (e.g., Sharepoint, Google Drive, DropBox, LMS such as Canvas, Blackboard, etc.).

Some modifications may be required but you can leverage your colleagues’ expertise to build a strong foundation.

USER MANAGEMENT – BEST PRACTICES

Our goal with the recommendations below is to help you understand when you need to act, and plan proactively. Being a good steward of resources and operating within the bounds of existing named user allocations is important for future management of ArcGIS resources.

The sections below outline options for managing named users, including communication for offboarding.  

Implement SAML logins

As mentioned earlier, a highly recommended best practice for educational institutions is to set up SAML logins, which leverage your institution’s identity provider, and eliminate manual management of users/account creation. SAML logins also prevent unauthorized access when a student graduates or faculty/staff leave the institution. In other words, SAML logins help regulate access in an authoritative way, once students graduate - SAML configuration will only grant eligible users access.

In conjunction with setting up SAML logins, a best practice is configuring New Member Defaults – enabling new users with everything they will need (licenses, Esri Access/training, etc.), which eliminates manual administration. When combined with SAML logins and its "Automatically" join option, the result is a fully automated process, often referred to as auto-provisioning, for providing access to ArcGIS to your entire campus community.

Identify whether users are active or not

While it is not easy to identify whether users are active or not, it is a good practice to do so periodically. This is an out-of-band task, which falls outside the GUI tools.

You will have to collaborate with the IT team who maintains the system of record/identity provider at your institution. This will be easier if you already have implemented SAML accounts, and potentially harder if you don't. If given a list of SAML accounts or arcgis-only accounts in ArcGIS Online, current status can be checked against the system of record to determine which students are, or are not, authorized. In the case of arcgis-only accounts, depending on how your institutional systems are set up, it may be possible that in addition to collaborating with your IT colleagues, you’d have to check students' status with the Registrar's Office, and faculty/staff status with HR Office.

Bottom line, most likely as an ArcGIS Online Administrator, you will have to share a list of ArcGIS Online accounts with your IT colleagues and get a list back of authorized/unauthorized users.

With this information, you can assess the true usage statistics of ArcGIS Online (as part of monitoring practice), as well as work toward deleting users who are no longer active.

Deleting users - example approaches to user management   

Careful thought and consideration should be put in place before deleting users. Deleting users is a complex task, which cannot be reversed. It should involve considerations such as: 1) when is the right time to delete users and 2) what to do with user’s content and groups.

  • When is the right time to delete users?
    • There is no “one size fits all” answer. Organizational standards should be put in place. For example, ineligible users who have not logged in for a period of time, such as 2 years, could be identified and deleted. Depending on institutional policies or legal obligations for certain countries (such as GDPR), this time period, i.e. the decision of when to delete users, can differ between institutions.
  • What should an Administrator do with the user’s content and groups?
    • If you are deleting a single member who owns content and groups, you must first transfer their content and groups to a different member or delete their content and groups.
    • If you are bulk deleting members, you can either transfer or delete their content. You cannot transfer groups when bulk deleting members; their groups will be deleted.

There are two approaches which can be taken to delete members.

  • Using the ArcGIS Online tools (GUI) – while this approach could work, it does not scale and typically results in haphazard enforcement of retention guidelines and policies. See Delete Members section of the documentation.
  • Scripting – below is an example scriptable workflow. This could be put in place annually, before the start of the academic year.
  1. Identify ineligible users who have not logged in recently
    • Using a cutoff of 2 years (or as defined by your institutional policy)
  2. Delete any of their content that is not shared
    • No one has accessed it in the last 2 years; therefore it is deemed safe to delete
  3. Check groups owned by user, and delete group if it has no content
  4. If user owns no content nor groups, delete them
  5. Un-share remaining users' shared content, capturing sharing settings in a tag
    • This provides a grace period (for example, 1 year); this content will get deleted in step #2 upon the next iteration of the process.

Here is an ArcGIS Online Notebook which can be used as an example: Demo User-Group-Content Lifecycle Management (credit: Peter Knoop, University of Michigan).

  • After opening link, Sign in to your ArcGIS Online organization
  • You must use an administrator account to run this notebook
  • Use at your own risk; ensure that you are collaborating with IT stakeholders who are knowledgeable about policies and scripting procedures.
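The five workflow steps above, combined with the eligibility list returned by IT in "Identify whether users are active or not", as a dry-run planner. This is an added example, not the linked notebook or Esri's code; it makes no ArcGIS API calls, and the record fields (`sharing`, `item_count`, `created`) and the `prev_sharing:` tag are hypothetical names for an inventory you export yourself.

```python
from datetime import datetime, timedelta, timezone

CUTOFF = timedelta(days=2 * 365)  # the post's 2-year example; set per your policy

def plan_offboarding(users, eligible, now):
    """Dry run: return (action, target, detail) tuples; nothing is modified."""
    if not eligible:  # an empty IdP export would flag every account
        raise ValueError("empty eligibility list; refusing to plan deletions")
    plan = []
    for u in users:
        last_seen = u["last_login"] or u["created"]  # never logged in: use creation date
        # Step 1: only accounts the system of record no longer authorizes
        # AND that have been inactive for longer than the cutoff.
        if u["username"] in eligible or now - last_seen < CUTOFF:
            continue
        shared = [i for i in u["items"] if i["sharing"] != "private"]
        for i in u["items"]:
            if i["sharing"] == "private":  # Step 2: delete unshared content
                plan.append(("delete_item", i["id"], ""))
        in_use = [g for g in u["groups"] if g["item_count"] > 0]
        for g in u["groups"]:
            if g["item_count"] == 0:  # Step 3: delete groups with no content
                plan.append(("delete_group", g["id"], ""))
        if not shared and not in_use:  # Step 4: owns nothing, delete the account
            plan.append(("delete_user", u["username"], ""))
        for i in shared:  # Step 5: un-share, recording the old level in a tag;
            # the item is then private and is removed by step 2 on the next run.
            plan.append(("unshare_item", i["id"], "prev_sharing:" + i["sharing"]))
    return plan

# Constructed sample inventory (not real accounts).
NOW = datetime(2025, 8, 1, tzinfo=timezone.utc)
OLD = NOW - timedelta(days=3 * 365)
ELIGIBLE = {"alice"}  # usernames the identity provider still authorizes
USERS = [
    {"username": "alice", "last_login": OLD, "created": OLD, "items": [], "groups": []},
    {"username": "bob", "last_login": None, "created": OLD,
     "items": [{"id": "i1", "sharing": "private"}],
     "groups": [{"id": "g1", "item_count": 0}]},
    {"username": "carol", "last_login": OLD, "created": OLD,
     "items": [{"id": "i2", "sharing": "private"}, {"id": "i3", "sharing": "org"}],
     "groups": [{"id": "g2", "item_count": 1}]},
    {"username": "dave", "last_login": NOW - timedelta(days=30), "created": OLD,
     "items": [{"id": "i4", "sharing": "private"}], "groups": []},
]

if __name__ == "__main__":
    for step in plan_offboarding(USERS, ELIGIBLE, NOW):
        print(step)
```

Review the printed plan with the IT stakeholders before any script acts on it, since deletion cannot be reversed.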

Use of Service Accounts

Instead of deleting content, to satisfy the requirement to delete a user, another option could be to transfer the content to another user.

Many institutions have taken an approach of using Service Accounts – an account which can be used to ‘house’ content from multiple users. Typically, this is content which is still being used. In other words, institutions may choose to employ a workaround of moving content to a single account, so that it can continue to be hosted (hence being able to delete the original user who created the content). ArcGIS Online is a SaaS system, and accounts need to be tied to individuals - except for Service accounts.

As general practice, Service Accounts can be used if the individuals managing it (typically ArcGIS Administrators) have their own named user accounts (i.e. the Service account is not their only account).

Alumni

According to the Esri Institution Agreement, an "Authorized User" means registered students, educators, and staff members of the Institution. For certain institutions, ‘registered students’ could also encompass alumni.

As an organization, Esri is always supportive of the Education community, and allows for general interpretation of the above description. Therefore, it is up to the institution to decide if alumni could be considered an ‘authorized user’.

The intent of the Institution Agreement is to provide access to students, and we recommend that institutions do not provide access to alumni but will let the institution decide the meaning of the definition above - depending on institutional practices. 

Offboarding users

There are several approaches to offboarding alumni and departing/retiring staff and faculty - depending on institutional preference:

  • Delete content and user on the same timetable that determines when users lose access to similar institutional systems.
  • Un-share content on the same timetable that determines when users lose access to similar institutional systems. Keep content for some predefined time period, for example one year, so there is time to restore content upon request (if needed), or transfer to another user, then delete it after that time period expires. Delete user after content is deleted.
  • Keep content as-is for some time period, then un-share any shared content and wait an additional time period (restoring on request), then finally delete content and delete the user.

Communication example/pattern when offboarding users

Communicating clear guidelines and appropriate messaging with graduating students or departing staff/faculty is key. This communication must proactively remind users – before they leave – about their options for transferring content, and what happens to their content after they leave. It is important that you take the approach of empowering users to take care of themselves as much as possible.

Below are general best practices:

  • Proactively inform users of their responsibilities
    • Post guidelines and policies publicly
    • Send periodic reminder emails
    • Use the ArcGIS Online internal messaging mechanisms during critical time periods (e.g., prior to graduation) - include an Information banner message and Access notice.
  • Empower users to take care of themselves
    • Advise users to dispose of their groups and content before they leave (i.e. change ownership to another eligible user in the organization, or transfer to a different organization). This means that all users should have a custom role with privileges that enable changing ownership of their content and groups (enabled via New member defaults).
    • A user can request Esri's assistance in transferring their training history (i.e., Esri Academy) to an account in a different organization – check Managing Enterprisewide Access to Esri E-Learning.
    • Enable Recycle Bin for your organization to provide some protection against mistaken deletion, as users clean their content.
  • Scripting can help automate communications
    • As described above under the "Identify whether users are active or not" section, it is possible to collaborate with your IT colleagues to identify a subset of users, groups, and/or content that meet a set of criteria for which you want to target a specific message.
    • It is possible to collaborate with IT colleagues to script sending of emails, as an option. This again will be specific to your institution's bulk email procedures and solutions.

The attached "Sample Message for Users Leaving the University" template could be leveraged for communication and changed to your institutional preferences. Note that the links in the email referring to FAQ (Google Doc) are internal to University of Michigan, and will not work outside of the University of Michigan. Therefore, please leverage as a template and adjust to your institutional preferences and resources. (Credit: Peter Knoop, University of Michigan).

Additional examples are:

  • Northeastern University User Agreement and ArcGIS Longevity and Data Retention policies outline what happens with user's content and how to preserve and access it after graduation and departure.
  • Clemson University policies and options for archiving, moving, transferring or deleting content for graduating students or departing staff/faculty are shared here.

CONCLUSION – NEXT STEPS AND WHERE TO GO FOR HELP

Invariably, there is complexity associated with the various options above. What is important is that good stewardship of resources is maintained. The most important takeaway from this blog is to enable SAML logins for your ArcGIS Online organization and to implement policies that apply to your institution in terms of managing/deleting members and what to do with associated content. In addition, proper offboarding messaging must be in place.

Some of the solutions above will continue to evolve, and we’d like you to be part of this journey – a contributor with ideas, processes and workflows.

Please share any comments and feedback here. If you have a workflow in place that has worked well, we’d like to hear about it.

For any additional questions, please contact your Account Manager or highered@esri.com.
