May 2, 2016
Herding Cats: Managing ArcGIS Online in a Higher Education Context
Seth Peery, Kathy Williams :: Virginia Tech
ESRI Southeast User Conference 2016
2
Overview
• The who and why of
organization management
• ArcGIS Online as a shared,
finite resource
• Organization management
phases
• Training
• Automation
• Coordination
Rationale for AGOL
organization management
• SaaS products must be managed
with the same attention we give
on-premises systems
• AGOL depends on finite
resources
• AGOL orgs can become unwieldy
at scale
• Software controls are only one
component of resource
stewardship 3
Who we are
• Enterprise GIS, ITA
• Collaboration history
• Began with ITA
• “A licensing concern” a WebGIS Platform
• AGOL became a coequal component of the
VT Enterprise GIS
• AGOL is the first stop for faculty with data
publication use cases
• Why “herding cats”?
• AGOL org governance takes a village
(primary admins + IT staff + content owners)
• Top-down management does not play well
with “academic entrepreneurs” in a
university context 4
Shared Resources
• Named users
• Requires conscientious user lifecycle
management
• Licensing considerations
• Credits
• Prevent big mistakes (ITCE)
• Monitor insidious credit sinks
• ArcGIS Pro licenses
• Usability/organization of the site
5
Inadvertent total
credit exhaustion (ITCA) • Well-intentioned users burn
through all organization’s credits
via geocoding, analytics, premium
content etc.
• Failure mode is not graceful
• We cannot support systems as
part of our production
infrastructure that may go away at
any time
6
Phase 1: “Play nice with each other”
• Before credit budgets and custom roles
there were no software controls
preventing ITCA
• Communication and educating our user
community (training seminars)
• no software mechanism to “make” people
use the system in a certain way
• Delayed our full adoption of AGOL
(“you can use this, but not for anything
important”)
7
Phase 2: “We’re not going to let you
shoot yourself in the foot”
• Custom roles let us
assign a default role
to all new users that
did not include
credit-consuming
privileges
• “Hey, why can’t I do
$foo?”
• Required more
communication and
user retraining 8
Lots of empty check boxes…
Phase 3: “No really, go ahead and use it”
• Credit budgeting provided the software
solution* to ITCA the higher ed
community had been pestering ESRI
about for years
• Users only shoot themselves in the foot,
not everyone else
• Draconian custom roles can be relaxed
• Communication and coordination still
critical
* Still no way to assign credit budgets at user
onboarding 9
Insidious credit
consumption: Storage • ITCA makes the
headlines, but a nontrivial
amount of credits can be
consumed by content just
sitting there
• Content management is
related to user lifecycle
management in a higher
ed context (student
project data needs to go
somewhere else after
class/ graduation)
• Automated approaches
exist for finding content
via sharing REST API
10
Named Users and
what to do about them
• The bad old days
• Not enough named users
• Lack of 1:1 mapping between
individuals and named users
• Enter Enterprise Logins
• To auto enroll or not?
• User lifecycle management
11
Enterprise Logins
• The most important step in taking control of
named users
• You should implement
Enterprise Logins if your
infrastructure supports it
• … the sooner the better
• A best practice from ESRI, and in any case
promotes sanity of admins
• For users: one less credential
• Facilitates site license compliance
• We use Shibboleth for our idP, integrated with
our two-factor authentication (Duo)
• Note: it may never be possible (or desirable)
to get rid of ArcGIS logins (“enable ESRI
Access”)
12
To auto join or not?
• Pros:
• No need to invite
users and wait for
them to accept –
they just login
• Less administrative
burden
• Cons:
• Named users could
be exhausted by
the curious
• Requires a different
approach to batch
onboarding
• Group assignment
vs user invitation
13
At VT, users are
required to request
access, then we
invite them,
individually or in
batches
…. This makes
more work for us
User lifecycle
• Onboarding
• Needs to cover both individual and batch (class) modes
• Invitation via CSV
• WAITING…. Accepts invite
• Assignment of Role, Budget, Group(s) via PortalPy
• Active status
• Replenish credit budget
• Assign ArcGIS Pro licenses
• Add privileges
• Deprovisioning
• Figuring out when accounts need to go
• Content migration
• Account deletion
14
Requesting access to AGOL
/ “ordering a service”
15
• Need a well-known point of entry for AGOL
if named users are not allowed to auto-join
• Custom form vs. integration with Service Catalog
Onboarding
Once user has requested access (or
instructor requested access for a class):
1. Create custom role as “label” for batches
(extends Default)
2. Send invitations via CSV (may be derived
from Banner enrollment data)
1. This is unfortunate because we routinely tell
students not to click on links in e-mails…
3. WAIT… because we can’t assign budgets
and groups to pending users *
4. Run portalPy script to assign budgets and
groups
16
* Sure would be nice if we could include
budget and group in addition to role name in
invitation CSV
Active Use
• While a named user is a member
of our portal we may need to
• Increase credit budget
• Add privileges
• Add ArcGIS Pro licenses
• Move content
• …
• Single POC for user requests via
Service Catalog
17
Deprovisioning
3 steps:
1. Knowing when a user should be
deprovisioned (site license only allows
current VT students to access)
2. What to do with the content if there is
any
1. Student keeps it?
2. Faculty member inherits it?
3. Delete it?
3. Have clear communication of timelines
and then delete account
18
Automation Use Cases
• Batch onboarding (see example)
• Finding large content items
• Finding named users to be
deprovisioned
• Enterprise credentials became inactive
• Users who don’t use the site/have no
content
• Migrating content to different owners
• Faculty
• Different org (e.g., dev acct)
• Wrapping command line portalPy tools
in GP services or web apps for non-
programmer admins 19
PortalPy / REST example: Group membership and credit
budget based on custom roles for user in roleMemberList:
budgetMappings.append({"username":user,"credits"
:quotaForAllUsers})
return budgetMappings
def assignCreditBudget(budgetMappings, token,
portal):
url = portalURL +
'/sharing/rest/portals/self/assignUserCredits'
parameters = urllib.urlencode({'token':
token, 'f': 'json', 'userAssignments':
budgetMappings})
request = urllib2.Request(url, parameters)
response = urllib2.urlopen(request)
20
for user in fullUserList:
if user['role'] == roleIDs[role]:
roleMemberStr += (user['username'] +',')
roleMemberList.append(user['username']
addResult =
portal.add_group_users(roleMemberList,
groupIdToAdd)
Communication • Just because we can automate does not mean we
can dictate
• In higher education context successful management
of AGOL is not imposed by org admins, it’s a
collaborative process with faculty stakeholders
• “Virginia Tech ArcGIS Online Implementation Plan”
documents standard operating procedures for
• User onboarding
• Credit budgeting
• Default role privileges
• Process for deprovisioning
• Process to request more credits/privileges
• Service Catalog – single point to “order” IT services
• Faculty training via seminars/webExes
• FAQs on website
• The message evolves with the ArcGIS Platform
21
Resources
22
Resource URL
ArcGIS Online
Coaching Points for
Higher Education
http://wiki.gis.com/wiki/index.php/ArcGIS_O
nline_Coaching_Points_for_Higher_Educati
on
AGO Admin Wiki https://github.com/Esri/ago-admin-wiki/wiki
Best Practices https://github.com/Esri/ago-admin-
wiki/wiki/Best-practices
ESRI HIGHERED-L [email protected]
PortalPy https://github.com/Esri/portalpy
ArcGIS REST API http://resources.arcgis.com/en/help/arcgis-
rest-api
geoJOBE admin
tools
https://marketplace.arcgis.com/listing.html?i
d=c34019b0623041608df4d06970a7a96a
ESRI online training
for AGOL admins
http://training.esri.com/gateway/index.cfm?f
a=search.results&searchterm=agoladmin
Contact Information
Seth Peery Enterprise GIS
Virginia Tech
http://gis.vt.edu
Kathy Williams IT Acquisitions
Virginia Tech
23
Top Related