Create groups

Groups are collections of items, often related to a specific region, subject, or project, that are created and managed by the group owner. If you have privileges to create groups, you decide who can find your groups, whether others can request to join, whether members can update items shared with the group, who can contribute content, and the type of items (for example, maps or layers) displayed by default in the group. You also have control over items shared with the group and can invite others to join, even if your group doesn't accept membership requests. Default administrators can restrict who can see the list of group members, and default administrators and users with the necessary privileges can restrict members from leaving the group by designating it as administrative.

Organization administrators also use groups to configure the organization. These site configuration groups contain the organization's featured content, basemaps, and templates.

Create a group

To create a group, complete the following steps:

  1. Verify that you are signed in and have privileges to create groups.
  2. Click Groups at the top of the site and click Create group on the My Groups tab.
  3. Upload a thumbnail image to represent the group.

    You can drag an image or browse to a file. For best results, add an image that is 400 by 400 pixels or larger with an aspect ratio of 1:1 in a web file format such as PNG, JPEG, or GIF. Pan and zoom to what you want to appear in your thumbnail. Depending on the size and resolution of your image file and how far you zoom in to customize the thumbnail, the image may be resampled and scaled when it's saved. If you add an image in GIF or JPEG format, it will be converted to PNG when it's saved.

  4. Provide a group name and tags. You can also add a short summary.
  5. For Who can view this group?, select one of the following:
    • Only group members—Only members of the group can find and view the group. Members must be invited to join the group.
    • All organization members—Only members of the organization or a partnered organization can find and view the group. Members can be invited to the group or apply to join.
    • Everyone (public)—Anyone with access to the portal, even if they are not a member of the portal organization, can search for and view the group and access any content that is shared with both the group and the public. This is the default.
    Tip:

    If your group will contain curated content to feature on your organization's Gallery page, select the option most appropriate for your intended audience. If you expect public visitors to view the gallery, select Everyone (public). Select People in the organization if you expect organization members to visit. Whether content items appear in the gallery also depends on how the items are shared.

  6. For How can people join this group?, select one of the following:
    • By invitation—Only members who are invited by the group owner or a group manager can join the group.
    • By request—Only members who request to join the group and are approved by the group owner or a group manager can join the group.
    • Being a member of a SAML group—Membership is controlled by an external group managed by a SAML 2.0 identity provider (IdP). Each user's membership in the group is defined in the SAML assertion response received from the IdP every time the user successfully signs in.

      This option is only available if the following conditions are met:

      To define the group, type the exact name (case insensitive) of the group in the text box.

      Note:

      The group name you enter must match the exact value of the external SAML group as it is returned in the attribute value of the SAML assertion. If you aren't sure of the correct value, contact the administrator who configured your organization's SAML system.

    • Being a member of an OpenID Connect group—Membership is controlled by an external group managed by an OpenID Connect identity provider. Each user's membership in the group is defined in the groups claim response received from the identity provider every time the user successfully signs in.

      This option is only available if the following conditions are met:

      To define the group, check the box next to Being a member of an OpenID Connect group and type the exact name (case insensitive) of the group in the Group name text box.

      Note:

      The group name you enter must match the exact value of the external OpenID Connect group. If you aren't sure of the correct name, contact the administrator who configured your organization's OpenID Connect system.

    • Being a member of an Active Directory group—Membership is controlled by an external group managed by a Windows Active Directory (AD) identity provider. Each user's membership in the group is defined in the groups claim response received from the identity provider every time the user successfully signs in.

      This option is only available if the following conditions are met:

      To define the group, check the box next to Being a member of an Active Directory group and type the exact name (case insensitive) of the group in the Group name text box.

      Note:

      The group name you enter must match the exact value of the external Active Directory group. If you aren't sure of the correct name, contact the administrator who configured your organization's Active Directory system.

    • Being a member of an LDAP group—Membership is controlled by an external group managed by a Lightweight Directory Access Protocol (LDAP) identity provider. Each user's membership in the group is defined in the groups claim response received from the identity provider every time the user successfully signs in.

      This option is only available if the following conditions are met:

      To define the group, check the box next to Being a member of an LDAP group and type the exact name (case insensitive) of the group in the Group name text box.

      Note:

      The group name you enter must match the exact value of the external LDAP group. If you aren't sure of the correct name, contact the administrator who configured your organization's LDAP system.

    • By adding themselves—Any organization member can join the group without being invited or approved. Members who click Join this group on the group page are instantly granted membership in the group.
    Note:

    The options you see depend on the option you select under Who can view this group?.

  7. For Who can contribute content?, select one of the following:
    • All group members—All group members can contribute content to the group.
    • Group owner and managers—Only you (the group owner) and group managers can contribute content to the group. If you choose this option, members can view and access your items, but they can't share their own items with the group. This type of group is a good way to share your authoritative maps and data to a targeted audience. You control what items appear in the group and who can view them.
  8. For Who can see the full list of members on the group's Members tab?, choose one of the following:
    Note:

    This setting is only available to default administrators.

    • Anyone who can view the group—Anyone who can view the group can see the list of group members.
    • Group owners and managers—Only the group owner and managers, and those with administrative privileges to view all members and groups, can see the full list of group members. Other members of the group will only see the group owner and group managers listed on the Members tab. Choose this option for public groups, such as community and crowdsourced groups, for which you want to protect the privacy of group members.
      Note:

      The item owner will still be displayed on the item page of individual items in the group. This option only applies to the Members tab of the group page. Organization members will be able to see the group as a filtering option when inviting members to a group or when managing members from the organization page Members tab.

  9. Enable any of the following group designations:
    • Shared update—Allow items that are shared to the group to be editable by all group members. Enabling shared update restricts group membership to your organization and organizations you are in a partnered collaboration with.

      Some actions on the item can only be performed by the item owner (or administrator). For example, only the owner (or administrator) can perform the following actions (not all actions apply to all item types): delete, share, move, change owner, change delete protection, register an app, delete fields, add fields, edit fields and overwrite data in hosted feature layers, and manage tiles in hosted tile layers. However, members of this shared update group have other types of administrator privileges depending on the item type and the app used to access the item.

      Note:
      This setting is only available if you have the privilege to create groups with update capabilities. Updates to an item include changes to the item details and updates to the content. This setting is only available when creating new groups and when membership in the group is only open to those who are invited or request and are approved to join.
    • Administrative—Only group managers and owners can remove members. This option is only available for members of the default administrative role or a custom role with the appropriate privileges.
      Note:
      This setting is only available when creating new groups. It is not available for SAML-based groups or groups that allow users to join the group without being invited or approved.
  10. Click Save.

    Your new group is created with the basic information and properties you specified. It is recommended that you add a brief summary about the group (if you have not already done so), as well as an in-depth description.

    Your group is ready to be used. As the group owner, you can share items with the group using the Add items to group button on the group page. You can edit group properties on the Overview tab and group settings on the Settings tab. Use the Invite members button on the Overview tab or the Members tab to search for and invite members to the group.

Link Active Directory, LDAP, or SAML groups from an IdP

Note:

This option is only available if you are an administrator of the organization or have the privilege to link built-in groups to Windows Active Directory, LDAP, or SAML groups.

If you have an AD-, LDAP-, or SAML-based IdP that manages Active Directory, LDAP, or SAML groups for your organization, you can link these groups to new groups you create in your ArcGIS Enterprise portal. When selecting who can join your new group in the above workflow, note these additional steps:

AD- or LDAP-based IdPs

If your portal is configured with an organization-specific identity store, and metadata has been provided about the Active Directory, LDAP, or SAML groups in the identity store, you can set membership in a new portal group to members of an existing Active Directory, LDAP, or SAML group. To define an Active Directory, LDAP, or SAML group, type all or part of the group name in the text box and click Search for Group. Select the desired group from the list of results and click Select Group.

Note:

Any of the organization-specific accounts in this Active Directory, LDAP, or SAML group that are already portal members are added to the portal group as soon as it is created. If your organization-specific accounts and groups are from a Windows Active Directory server, this includes accounts from nested Active Directory groups.

The AD group Domain Users should not be used as an Active Directory group. This is because it is considered the primary group for most AD users and is not listed in the memberOf attribute for most users.

SAML-based IdPs

To link SAML groups from a SAML-based IdP to new groups created in your portal, check the Enable SAML based group membership box when setting your IdP in the portal's settings. To ensure that a group is successfully linked to an external SAML group, the creator of the group must enter the exact value of the external SAML group as it is returned in the attribute value of the SAML assertion. View the SAML assertion response from your SAML IdP to determine the value used to reference the group. The Search for Group option is not available when Enable SAML based group membership is selected.

The supported (case-insensitive) names for the attribute defining a user's group membership are as follows:

Note:

The attribute names that look like URLs are, in fact, URNs.

  • Group
  • Groups
  • Role
  • Roles
  • MemberOf
  • member-of
  • https://wso2.com/claims/role
  • http://schemas.xmlsoap.org/claims/Group
  • http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
  • urn:oid:1.3.6.1.4.1.5923.1.5.1.1
  • urn:oid:2.16.840.1.113719.1.1.4.1.25

For example, suppose a user signing in is a member of the SAML groups FullTimeEmployees and GIS Faculty. In the SAML assertion received from the IdP, as shown below, the name of the attribute that contains group information is MemberOf. In this example, to create a group linked to the SAML group GIS Faculty, the group creator would need to enter GIS Faculty as the group name.

<saml2p:Response>
  ...
  ...
  <saml2:Assertion>
    ...
    ...
    <saml2:AttributeStatement>
      ...
      ...
      <saml2:Attribute Name="MemberOf">
        <saml2:AttributeValue>FullTimeEmployees</saml2:AttributeValue>
        <saml2:AttributeValue>GIS Faculty</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>

The following is another example using ID values to identify the groups:

<saml2p:Response>
  ...
  ...
  <saml2:Assertion>
    ...
    ...
    <saml2:AttributeStatement>
      ...
      ...
      <saml2:Attribute Name="urn:oid:2.16.840.1.113719.1.1.4.1.25" FriendlyName="groups">
        <saml2:AttributeValue>GIDff63a68d51325b53153eeedd78cc498b</saml2:AttributeValue>
        <saml2:AttributeValue>GIDba5debd8d2f9bb7baf015af7b2c25440</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>

Note:

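For SAML groups obtained via the IdP's SAML assertion response, each user's group membership is only updated each time the user signs in to the portal. A change to a user's membership at the IdP, including a removal, therefore does not take effect in the portal until that user's next sign-in.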
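
The SAML matching rules above can be checked against a captured response before a group is created. The following Python is an added example, not Esri's code and not a description of how the portal is implemented: it collects the values of the supported group attributes and reports whether a name typed into the group name box equals one of them. The sample response, the function names, and the whitespace-mismatch diagnostic are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Attribute names the page lists as supported, compared case-insensitively.
GROUP_ATTRIBUTES = {name.lower() for name in (
    "Group", "Groups", "Role", "Roles", "MemberOf", "member-of",
    "https://wso2.com/claims/role", "http://schemas.xmlsoap.org/claims/Group",
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
    "urn:oid:1.3.6.1.4.1.5923.1.5.1.1", "urn:oid:2.16.840.1.113719.1.1.4.1.25",
)}

# Constructed sample modelled on the page's first assertion; namespace
# declarations and the unrelated Email attribute were added for this example.
SAMPLE_RESPONSE = """\
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Assertion>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="Email">
        <saml2:AttributeValue>user@example.com</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="memberof">
        <saml2:AttributeValue>FullTimeEmployees</saml2:AttributeValue>
        <saml2:AttributeValue>GIS Faculty</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
"""

def group_values(response_xml):
    """Return the values of every supported group attribute in the response."""
    root = ET.fromstring(response_xml)
    return [value.text
            for attr in root.iter(f"{{{SAML_NS}}}Attribute")
            if attr.get("Name", "").lower() in GROUP_ATTRIBUTES
            for value in attr.findall(f"{{{SAML_NS}}}AttributeValue")
            if value.text]

def check_group_name(response_xml, entered_name):
    """Classify a name typed into the portal against the asserted groups."""
    values = group_values(response_xml)
    wanted = entered_name.lower()  # the page states the name is case insensitive
    if any(v.lower() == wanted for v in values):
        return "match"
    # Same letters but different spacing: a likely typo that would not link.
    squashed = "".join(wanted.split())
    if any("".join(v.lower().split()) == squashed for v in values):
        return "whitespace-mismatch"
    return "no-match"

if __name__ == "__main__":
    for name in ("gis faculty", "GISFaculty", "Contractors"):
        print(name, "->", check_group_name(SAMPLE_RESPONSE, name))
```

The script only inspects attribute values and does not verify the response signature, so run it on a response captured from your own IdP.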

Edit group properties and settings

After creating a group, you or others you designate, including administrators with group privileges, can edit its properties and settings. For example, you can modify the group title or description, as well as change settings such as who can contribute content. For more information on working with groups you own, including managing group content and members, see Own groups.

  1. Verify that you are signed in as an owner, group manager, or administrator with group privileges.
  2. Click Groups at the top of the site, and use the tabs, filters, sort options, and search as needed to find the group you want to edit.
  3. Click the name of the group to open its group page and do any of the following:
    • On the Overview tab, click Edit next to the property you want to edit (for example, the description or tags), make your changes, and click Save to save your changes. You can edit the group name, summary, description, thumbnail, and tags.
    • On the Settings tab, modify the group settings (for example, how group content is sorted, who can view the group, who can join the group, or who can contribute content). You can also specify the type of items (for example, maps or layers) you want to display by default on the group's Content and Overview tabs.
    Note:

    Your ability to edit some settings depends on your privileges and group role. With existing groups, you cannot change the Shared update designation and the Administrative designation that restricts members from leaving the group. These settings are only available for new groups. If you want to change any of these settings, you must delete the group and create a new one with the option you want.

Shared update groups

Organization administrators can create groups that allow members to update items that are shared with the group. These shared update groups are useful in collaborative situations in which multiple people need to update the same item—for example, shift workers in operations centers who need to update the maps underlying their apps and dashboards.

When members share an item with a shared update group, they remain the owner of the item. Other group members can update the item. Updates to an item include changes to the item details and updates to the content. For example, they can add layers to a map and save the map with the updated content.

To make your group a shared update group, enable the Shared update group designation when creating the group.

Caution:

At this time, shared update groups are intended for updating item details and the contents of maps, apps, and scenes. Some updates are reserved for the item owner or administrator (such as moving, sharing, or deleting an item, changing ownership, and updating the item by overwriting or appending to its layers). However, members of this group also have elevated privileges, such as the ability to edit the contents of hosted feature layers, alter editor tracking settings, enable or disable attachments, and alter the layer's schema. Therefore, proceed with caution when adding members to this type of group. Currently, most ArcGIS apps do not support updating items shared with a shared update group. To determine whether this capability is supported in a specific ArcGIS app, refer to its product documentation.