arcuser

Don’t Let Your Operations be Disrupted

The phrase “keep the home fires burning” is an idiom that means “to maintain daily routines and provide the necessities of life in a home or community.”

But what does that phrase have to do with your ArcGIS Online and ArcGIS Enterprise operations?

To be usable, both need users and content. Someone must manage those users and be able to manage content and settings. That is the person who fills the administrator role.

In any organization, there will be churn. People will separate from the organization. They take vacation or annual leave. They may be out sick or dealing with a family situation for an extended period. There are endless reasons for a resource to be unavailable. Churn doesn’t necessarily have to mean disruption. With planning, service disruption caused by organizational changes may be avoided.

 

This chart shows the shared responsibility model.

ArcGIS Online, as software as a service (SaaS), follows a shared responsibility model. Some aspects of ArcGIS Online are provided and managed by Esri, and other aspects of ArcGIS Online are owned and managed by your organization. For instance, Esri provides the code and manages the team that keeps ArcGIS Online running. Your organization provides content; designs the look and feel of its ArcGIS Online organization; assigns software licenses; and manages members, including members who fill administrator roles.

In ArcGIS Enterprise implementations, your organization assumes most of the responsibility. In many modern environments, responsibilities related to the physical hosting environment are managed by a hosting provider (e.g., infrastructure as a service [IaaS]), but all other aspects of the deployment are managed by your organization.

Part of keeping both ArcGIS Online and ArcGIS Enterprise running involves creating, updating, and following contingency plans. In an emergency, how does an organization pivot? If a key resource is unavailable, who steps up to fill the gap?

Similarly, whether your organization utilizes ArcGIS Online, ArcGIS Enterprise, or both, it needs to be prepared to respond to contingencies. If your administrator becomes unavailable for whatever reason, who has been assigned the ability to assume that role?

Ultimately, your organization bears the responsibility of managing ArcGIS Enterprise or ArcGIS Online organization deployments. Esri respects the privacy and sensitivity level of users and content that ArcGIS Online organizations manage. Esri does not access or manage customer content or invite members to an ArcGIS Online organization without very strong justification. The process Esri has defined and documented is onerous and time-consuming. It must be. When Esri must administer a customer’s ArcGIS Online organization, considerable avoidable risk is introduced. This is a great responsibility that Esri does not take lightly.

Esri has no access to your ArcGIS Enterprise implementation. In this case, business continuity and incident response planning are your organization’s responsibility. It is crucial to the success of your organization’s ArcGIS Enterprise deployment. Not only should GIS administrator contingencies be considered, but availability challenges must be holistically anticipated across the entirety of the system.

Build a plan early, review it, and update it frequently. At a minimum, it should be updated after an impactful organization change. If the administrator is taking planned leave, you should promote a user to the administrator role. Better yet, name multiple administrators. Two or three administrators are usually enough. ArcGIS Online and ArcGIS Enterprise support custom roles that can provide fine-grained permissions if the scope of the administrator role is too broad for a short, planned leave. Design custom roles that fit your organization’s needs.

For many organizations, a convenient way to avoid substantial service disruptions is to use a single sign-on technology such as SAML. SAML allows for centralized user administration at the organization’s domain level. If an administrator becomes unavailable, their account may be accessed by simply requesting the domain user’s password be changed by the domain administrator. The administrator account may then be accessed and used to assign someone else to the administrator role.

For organizations that do not have SAML or have not configured it for use for ArcGIS Online, domain administrators can intercept password reset emails and forward them to the user who has been delegated to perform the administrator’s responsibilities. These options are preferable to asking Esri to perform administrative tasks on your organization’s behalf.

For ArcGIS Enterprise customers, ensure that hosts can be accessed via console in case an ArcGIS account change is required. Identify those users who can log directly onto those servers, those who have the necessary rights to run ArcGIS account recovery tools, and those who can quickly and effectively troubleshoot other outages. Leverage resources like Esri’s ArcGIS Enterprise Hardening Guide (links.esri.com/hardening), which offers not just advice for configuring security options and system settings, but also information on critical strategic maturity tasks such as building out contingency plans.

Do not wait to think about this critical aspect of managing your ArcGIS Online or ArcGIS Enterprise organization until the administrator is unavailable. When all else fails, you can contact Esri Support Services for guidance and options.