In the Portal self-page (Ex: https://test-org.esri.com/portal-WA/sharing/portals/self) there is an exposure vulnerability where the username of the owner of the group under the featured Groups is displayed.
Last Published: February 23, 2016Portal for ArcGIS
Bug ID Number
January 7, 2016
February 15, 2023
Portal for ArcGIS
Will Not Be Addressed
The development team has considered the issue or request and concluded it will not be addressed. The issue's Additional Information section may contain further explanation.
Portal is a social collaboration site and thus there is a lot of inter-user interaction. In order for a user to know who they are interacting with or what they are using, it is necessary to know who the person is or who owns the item. Portal is designed also for anonymous user usage, in fact that is quite common as organizations may not want to purchase tens of thousands of named users.
It is also necessary for anonymous users to know whether they trust something or someone. As a result, the behavior described is designed into the software and is fundamental to its usage. It is possible to know who owns any group you have access to, not just featured items. In fact, if we changed it on the self-call, it is be possible to determine the owner of the group through another API. It is included in the self-call for performance/efficiency reasons and does not reduce the security.
Possible workaround is to remove all groups from the Featured Groups section in the Portal Groups section.
As documented, create a new account. Promote it to administrator. Disable initial administrator account.