POST
|
Are you aware of any Health and Human Services organizations who have deployed Esri's Portal for ArcGIS solution to support the secure use of confidential information with special handling requirements (e.g. audit logging, full encryption, etc.)? Our organization has Personal Health Information (PHI) and Personally Identifying Information (PII) which we are looking at using in geospatial contexts. We would like to discuss lessons-learned, best practices, opportunities for improvement, etc. with anyone who has deployed Portal for ArcGIS in order to use PHI and PII confidential information.
03-11-2016
10:35 AM
|
0
|
0
|
3125
|
POST
|
Thanks for confirming the current capabilities Matthew Baber, good info. Do you know if security by item is on the AGO / Portal development roadmap at this point? We'd love to be able to set staff free and allow them to exercise their best professional judgement when using Portal. At the same time, we think that it's appropriate to try to help them avoid realizing some of their risks when sharing items categorized at a certain information security level (e.g. jail time, noteworthy fines, etc.). Kind of like providing a bridge over a river, including the guardrails. tim edit: next time i should proof-read before I click that big button...
02-04-2016
02:13 PM
|
0
|
1
|
668
|
POST
|
Our organization operates under a business rule that requires data / information security categorization and appropriate treatment of the information based on its assigned category. Has anyone found a way to categorize a Portal item (e.g. a hosted feature layer) and then be able to manage what Portal capabilities can and can't be used with that item based on its categorization (e.g. category 3 item cannot be shared to everyone)? A use case could be a scenario where business units add their confidential layer to a shared, collaboratively managed map. The Emergency Manager could have a panoptic view of the data (see all layers on the map), while the business units could only see their own confidential data and all other layers that can be shared across the business units. Maybe this is an upcoming capability in ArcGIS Online and/or Portal for ArcGIS? Maybe it exists now, and I just haven't found it? thx, tim
02-04-2016
09:40 AM
|
0
|
3
|
2462
|
POST
|
Have you found a business use case for What3Words in the Esri ecosystem? If yes, would you mind sharing a brief overview? I found this discussion on Geonet and had similar thoughts. I also found some re-tweets re-presented in Geonet, but nothing that sounded like a non-novelty use. thanks! tim
01-21-2016
01:24 PM
|
1
|
10
|
5172
|
POST
|
Yup, I noticed it yesterday on our Open Data site. After some quick checks to see if the data seemed to be working, I filed it under "Esri has a temporary problem that they'll get around to noticing and sorting out" so I wouldn't be tempted to burn time on it.
01-20-2016
10:33 AM
|
1
|
0
|
1075
|
POST
|
Thought I'd better wrap this one up with the final findings. Many of the ArcGIS Pro executables were not digitally signed at version 1.1.1, including ArcGISUpdate.exe. AppLocker in our environment is configured to not run untrusted executables from specifically blacklisted locations, e.g. from C:\USERS\TIM\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\. Esri tech support opened a medium severity bug for this on 12/4/2015. edit: example of blacklisted location.
12-30-2015
11:54 AM
|
1
|
0
|
821
|
POST
|
Thanks Jeremy! A quick update, and hopefully a resolution for our environment, anyway... During the course of working the support case, our team noticed that the ArcGISUpdate.exe file went from being unsigned to being signed. Our AppLocker policies allow the Esri-signed file to execute. So, the issue was resolved locally. Maybe there are other changes to consider for a more generic fix.
12-01-2015
09:00 AM
|
0
|
0
|
821
|
POST
|
Thanks Jeremy, good info. I never thought to myself, "Self... the Mac is Ed." Not sure why this info didn't float up high when asking Google questions about ArcGIS on OS X with Fusion and/or Bootcamp.
11-25-2015
02:52 PM
|
0
|
0
|
2149
|
POST
|
Oh, this makes me yearn for the days of learning, enlightenment, and user-driven models at university! Things can be a bit different in centrally managed, firmly secured environments. The IT hardware and software resources here are configured to adhere to laws, align with administrative policies, and enable staff to perform their duties, which creates a narrower solution field hemmed in by more constraints. Your point is well taken, and it presents an approach for which I advocate regularly.
11-24-2015
03:59 PM
|
0
|
1
|
821
|
POST
|
Our organization generally views program execution outside of the C:\Program Files or C:\Program Files (x86) directories as malware attempts and blocks execution using Microsoft's AppLocker. The ArcGIS Pro 1.1.1 software tries to check for update availability like this, even when the install directory was allowed to default to C:\Program Files\ArcGIS\Pro:

C:\USERS\TIM\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\{86DF19EB-4AD6-4306-8C1B-6F39E10EC2D9}\ARCGISUPDATE.EXE

So, via an Esri support case, I've requested consideration of this design as a bug. No final status on that yet.

The question - Do other organizations view this behavior as a malware signature? Thoughts, comments, instructions are all welcome. My objective is to find a way to allow ArcGIS Pro to check for update availability when a user starts it, given our AppLocker configuration.

thanks! tim
11-20-2015
10:44 AM
|
0
|
7
|
3938
|
POST
|
I'm working on your item #3 for my own needs. I thought I would configure the template app in AGO, then figure out how to snag the default.js file and grab the config settings from it (Google Chrome F12 tool). haven't figured it out yet, but I only spent about 20 minutes after reading the instructions before I ran out of time. Maybe more later.
10-14-2015
04:27 PM
|
0
|
0
|
273
|
POST
|
you flatter me. go on, do it some more! yea, verily, feel free to take. it's like an old leather couch on the side of the road, "free take"
10-02-2015
08:46 AM
|
1
|
0
|
169
|
POST
|
edit: hmm. maybe the geonet advanced editor isn't in production yet. it seems to have removed many words up front...
edit 2: many words abandoned in favor of deploying another system to production.
----------------
excellent question... So far, what we've made up goes somewhat like this:

Bases
- The IT-centric information delivery context continuum extends from long-term operational phase, fiercely controlled systems to ephemeral mechanisms. "Production" has to be relative to the requirements of the system within its information delivery context along that continuum. (this statement is totally up for negation, refinement, adjustment, etc. it stems from our recognition that biz & tech changes are spinning faster and faster)
- Esri provides AGO as a service to its paying customers. We pay money to receive the service under a defined service level agreement. That service level agreement defines and constrains what we can define as "production" when using that service. e.g. we cannot refuse or delay a change to specific AGO features that may create changes for our system.
- "Map" in the AGO environment means a set of resources and configuration settings delivered in JSON format and renderable as a visual re-presentation that we have come to perceive as a spatial and/or geospatial re-presentation of real or imaginary objects (careful, don't look too far down here... there's quantum foam somewhere below us)
- "Production" means that the map owners have generally agreed not to change it without coordinating the change with stakeholders who have made their needs known

When is an AGO map in production?
- when its referenced resources are in production (e.g. the basemap, the operational layers, the ancillary layers, etc.)
  - if we control the resources, then we can enforce this definition as fiercely as we need to (e.g. a map that certain staff use to change the operational status of one or more offices)
  - if we don't control the resources, then we have decided that the benefit of using them outweighs the cost and risk of having to react to sudden changes (e.g. a map that emergency managers use to form an operational picture in relation to emergent hazards such as wildfires. Our organization does not map wildfires, but we need them from an organization that does. we have no control over the changes that are made to the wildfire service other than maybe voicing a feeble "hey" when a change occurs that messes us up.)
- when it has an assigned go-to person - an author - someone to serve the needs of stakeholders with whom an agreement has been made to manage change requirements.
- when that author has met certain requirements that we have established (e.g. complete FGDC CSDGM metadata for all of the data sources that our organization owns, complete map item description elements we identified)
- when the map has been completed based on functional and non-functional requirements (e.g. the operational layers support editor tracking in an enterprise geodatabase; the map resources, configuration, and access exposure meet information security requirements)

After all that digital wind, here's a simple example of a web map that we have said is in production: http://www.arcgis.com/sharing/rest/content/items/73ffa1b71a654ffe8e31a604cce98cc0?f=pjson

BTW - this is a great discussion topic you've raised. tim
10-01-2015
10:23 AM
|
2
|
2
|
1341
|
POST
|
Mr. Crandall! We're defining on the fly as needs arise based on some simple principles:
- minimize moving parts and things to maintain - e.g. if we can get away with a "dev/test" environment instead of a "dev" and a "test" environment, then we do.
- enable self service for content contributors - this means that a contributor can have full ownership and control over their items in all environments. they also have full responsibility for meeting quality and availability requirements.
- establish the opportunity for content consumers to form specific expectations of the content based on which environment they are using - in AGO, this means that we leave notes in the item description regarding availability, support, etc.

The different environments lend themselves to different service level agreements among different customer segments. Each may or may not need to be publicly available. So, "production" has the highest, firmest, bestest SLA for its intended consumers, while the "sandbox" environment's only guarantee is that it will be a mess when and if it's available.

So far, we have implemented these approaches:
- Open Data site: create sandbox, development/test, and production OD sites. Link to the prod OD site from the other environments and explain up front that the consumer does not want to be there. Each site has its relative OD group and relative OD items. So, when we're updating an item in prod, we do it in dev/test first, then test it until success, then do it in prod, test until success, and call it done. two are exposed at the moment:
  - prod: http://gdl.wadshs.opendata.arcgis.com/
  - dev/test: http://gdldev.wadshs.opendata.arcgis.com/
- AGO data library: access is only internal to our subscription, and we've created dev/test and prod groups and items.
- content contributors - typically we recommend that they utilize a content folder structure that mimics the targets (e.g. OD or data library) and environment(s). So, folders for "OD dev/test" and "OD prod" items.

Also, an approach that we've seen others using, but haven't used ourselves yet is to purchase multiple AGO subscriptions. Based on your description of taking ownership, you might consider a large AGO subscription (100?) for content contributors and a small (5?) subscription for a centrally managed "production" environment.

happy Tuesday, tim
09-29-2015
09:57 AM
|
2
|
6
|
1341
|
POST
|
Hi Courtney, Good info, thank you. I've been using our Open Data group description to communicate information about group usage to content contributors. I'll think about how to provide useful information to Open Data consumers in the Group description and adjust from there. This made me think a bit more (uh oh)... I would find it quite useful if the Esri Open Data team could provide a reference Open Data site demonstrating all Open Data capabilities and configured per best practices according to the Open Data design, then link to it from the instructions. I could use that as an example when configuring our own sites. Happy Wednesday, tim
09-23-2015
09:11 AM
|
0
|
1
|
480
|