May 2, 2016

Herding Cats: Managing ArcGIS Online in a Higher Education Context

Seth Peery, Kathy Williams :: Virginia Tech

ESRI Southeast User Conference 2016

2

Overview

• The who and why of

organization management

• ArcGIS Online as a shared,

finite resource

• Organization management

phases

• Training

• Automation

• Coordination

Rationale for AGOL

organization management

• SaaS products must be managed

with the same attention we give

on-premises systems

• AGOL depends on finite

resources

• AGOL orgs can become unwieldy

at scale

• Software controls are only one

component of resource

stewardship 3

Who we are

• Enterprise GIS, ITA

• Collaboration history

• Began with ITA

• “A licensing concern” a WebGIS Platform

• AGOL became a coequal component of the

VT Enterprise GIS

• AGOL is the first stop for faculty with data

publication use cases

• Why “herding cats”?

• AGOL org governance takes a village

(primary admins + IT staff + content owners)

• Top-down management does not play well

with “academic entrepreneurs” in a

university context 4

Shared Resources

• Named users

• Requires conscientious user lifecycle

management

• Licensing considerations

• Credits

• Prevent big mistakes (ITCE)

• Monitor insidious credit sinks

• ArcGIS Pro licenses

• Usability/organization of the site

5

Inadvertent total

credit exhaustion (ITCA) • Well-intentioned users burn

through all organization’s credits

via geocoding, analytics, premium

content etc.

• Failure mode is not graceful

• We cannot support systems as

part of our production

infrastructure that may go away at

any time

6

Phase 1: “Play nice with each other”

• Before credit budgets and custom roles

there were no software controls

preventing ITCA

• Communication and educating our user

community (training seminars)

• no software mechanism to “make” people

use the system in a certain way

• Delayed our full adoption of AGOL

(“you can use this, but not for anything

important”)

7

Phase 2: “We’re not going to let you

shoot yourself in the foot”

• Custom roles let us

assign a default role

to all new users that

did not include

credit-consuming

privileges

• “Hey, why can’t I do

$foo?”

• Required more

communication and

user retraining 8

Lots of empty check boxes…

Phase 3: “No really, go ahead and use it”

• Credit budgeting provided the software

solution* to ITCA the higher ed

community had been pestering ESRI

about for years

• Users only shoot themselves in the foot,

not everyone else

• Draconian custom roles can be relaxed

• Communication and coordination still

critical

* Still no way to assign credit budgets at user

onboarding 9

Insidious credit

consumption: Storage • ITCA makes the

headlines, but a nontrivial

amount of credits can be

consumed by content just

sitting there

• Content management is

related to user lifecycle

management in a higher

ed context (student

project data needs to go

somewhere else after

class/ graduation)

• Automated approaches

exist for finding content

via sharing REST API

10

Named Users and

what to do about them

• The bad old days

• Not enough named users

• Lack of 1:1 mapping between

individuals and named users

• Enter Enterprise Logins

• To auto enroll or not?

• User lifecycle management

11

Enterprise Logins

• The most important step in taking control of

named users

• You should implement

Enterprise Logins if your

infrastructure supports it

• … the sooner the better

• A best practice from ESRI, and in any case

promotes sanity of admins

• For users: one less credential

• Facilitates site license compliance

• We use Shibboleth for our idP, integrated with

our two-factor authentication (Duo)

• Note: it may never be possible (or desirable)

to get rid of ArcGIS logins (“enable ESRI

Access”)

12

To auto join or not?

• Pros:

• No need to invite

users and wait for

them to accept –

they just login

• Less administrative

burden

• Cons:

• Named users could

be exhausted by

the curious

• Requires a different

approach to batch

onboarding

• Group assignment

vs user invitation

13

At VT, users are

required to request

access, then we

invite them,

individually or in

batches

…. This makes

more work for us

User lifecycle

• Onboarding

• Needs to cover both individual and batch (class) modes

• Invitation via CSV

• WAITING…. Accepts invite

• Assignment of Role, Budget, Group(s) via PortalPy

• Active status

• Replenish credit budget

• Assign ArcGIS Pro licenses

• Add privileges

• Deprovisioning

• Figuring out when accounts need to go

• Content migration

• Account deletion

14

Requesting access to AGOL

/ “ordering a service”

15

• Need a well-known point of entry for AGOL

if named users are not allowed to auto-join

• Custom form vs. integration with Service Catalog

Onboarding

Once user has requested access (or

instructor requested access for a class):

1. Create custom role as “label” for batches

(extends Default)

2. Send invitations via CSV (may be derived

from Banner enrollment data)

1. This is unfortunate because we routinely tell

students not to click on links in e-mails…

3. WAIT… because we can’t assign budgets

and groups to pending users *

4. Run portalPy script to assign budgets and

groups

16

* Sure would be nice if we could include

budget and group in addition to role name in

invitation CSV

Active Use

• While a named user is a member

of our portal we may need to

• Increase credit budget

• Add privileges

• Add ArcGIS Pro licenses

• Move content

• …

• Single POC for user requests via

Service Catalog

17

Deprovisioning

3 steps:

1. Knowing when a user should be

deprovisioned (site license only allows

current VT students to access)

2. What to do with the content if there is

any

1. Student keeps it?

2. Faculty member inherits it?

3. Delete it?

3. Have clear communication of timelines

and then delete account

18

Automation Use Cases

• Batch onboarding (see example)

• Finding large content items

• Finding named users to be

deprovisioned

• Enterprise credentials became inactive

• Users who don’t use the site/have no

content

• Migrating content to different owners

• Faculty

• Different org (e.g., dev acct)

• Wrapping command line portalPy tools

in GP services or web apps for non-

programmer admins 19

PortalPy / REST example: Group membership and credit

budget based on custom roles for user in roleMemberList:

budgetMappings.append({"username":user,"credits"

:quotaForAllUsers})

return budgetMappings

def assignCreditBudget(budgetMappings, token,

portal):

url = portalURL +

'/sharing/rest/portals/self/assignUserCredits'

parameters = urllib.urlencode({'token':

token, 'f': 'json', 'userAssignments':

budgetMappings})

request = urllib2.Request(url, parameters)

response = urllib2.urlopen(request)

20

for user in fullUserList:

if user['role'] == roleIDs[role]:

roleMemberStr += (user['username'] +',')

roleMemberList.append(user['username']

addResult =

portal.add_group_users(roleMemberList,

groupIdToAdd)

Communication • Just because we can automate does not mean we

can dictate

• In higher education context successful management

of AGOL is not imposed by org admins, it’s a

collaborative process with faculty stakeholders

• “Virginia Tech ArcGIS Online Implementation Plan”

documents standard operating procedures for

• User onboarding

• Credit budgeting

• Default role privileges

• Process for deprovisioning

• Process to request more credits/privileges

• Service Catalog – single point to “order” IT services

• Faculty training via seminars/webExes

• FAQs on website

• The message evolves with the ArcGIS Platform

21

Resources

22

Resource URL

ArcGIS Online

Coaching Points for

Higher Education

http://wiki.gis.com/wiki/index.php/ArcGIS_O

nline_Coaching_Points_for_Higher_Educati

on

AGO Admin Wiki https://github.com/Esri/ago-admin-wiki/wiki

Best Practices https://github.com/Esri/ago-admin-

wiki/wiki/Best-practices

ESRI HIGHERED-L HIGHERED-L@atlantis.esri.com

PortalPy https://github.com/Esri/portalpy

ArcGIS REST API http://resources.arcgis.com/en/help/arcgis-

rest-api

geoJOBE admin

tools

https://marketplace.arcgis.com/listing.html?i

d=c34019b0623041608df4d06970a7a96a

ESRI online training

for AGOL admins

http://training.esri.com/gateway/index.cfm?f

a=search.results&searchterm=agoladmin

Contact Information

Seth Peery Enterprise GIS

Virginia Tech

sspeery@vt.edu

http://gis.vt.edu

Kathy Williams IT Acquisitions

Virginia Tech

kathyw@vt.edu

23