PROBLEM
When ArcGIS Online Organization administrators are no longer active and are unreachable, privileges must be delegated to a new or existing user. For example, the user named as the current default administrator has separated from their organization but did not delegate administrator permissions to another user before their final day. As a result, current active users are left without the permissions needed to perform the tasks reserved for an administrator.
ArcGIS Online security responsibilities such as Identity and Access Management are shared by both Esri and the ArcGIS Online Organization owner. Esri provides the necessary tooling and infrastructure to support our customers, but user and role configuration is a customer responsibility. Esri is the data processor, not the data controller for customer owned accounts.
Rather than requesting Esri make changes to ArcGIS Online user accounts such as modifying roles, privileges, or other user attributes, customers must develop processes that ensure that these administration aspects are fully owned internally by members of their business organization.
To maintain the confidentiality, integrity, availability, and privacy of your organizational users and data, it is strongly encouraged that the default administrator invites new members preconfigured as default administrators or assign permissions to manage users to another user in the organization before they become inactive.
A member acting in the default administrator role is required to assign another user membership in an admin role.
The new default administrator can then disable or remove the old default administrators after the previous administrator has officially left the organization. Some organizations may choose to name two default administrator accounts in the organization in case one needs to be replaced due to unexpected circumstances. Various tools highlighted in the Manage Members documentation, such as changing user type and role, inviting a new member, or modifying email addresses, are great ways to update the default administrator. It is important to name at least one active administrator in the Administrative contacts list so that members can inquire about administrative needs and that users are prompted to validate their email addresses so that they receive any administrative notifications.
Leveraging a SAML IDP as the user store is highly recommended. SAML allows organization domain administrators to centrally manage domain accounts. When SAML is leveraged, the password for an existing but inactive or inaccessible default administrator can be changed at the domain/SAML IDP level. This means that even if the only default administrator leaves the organization abruptly, that account is immediately accessible by simply changing the domain account password.
In circumstances where the organization's default administrator is inaccessible and no other default administrators are known to exist, the following options should be considered:
If there aren't any other administrators in your organization and you can't access your previous administrator's user record, Esri Technical Support can upgrade an existing user to default administrator as a last resort. For fastest processing, open a case with Esri Technical Support.
To make the change and preserve the security and integrity of the data in your organization, Esri requires that requests be submitted as a letter from a C-level executive officer or equivalent (for example, your CEO, CIO, CFO, or business owner), including their handwritten signature.
Letter Requirements
After the letter is completed and signed, scan and email the letter to the Esri Technical Support representative handling your case.
How Your Request Will Be Processed
Once the letter has been received, Esri Technical Support will escalate the request and letter of authorization (LOA) for further review. Upon review and approval, Esri will make the requested change. Additionally, we will notify the requestor and the signing executive via email of this change.
Note: Once this process has been completed, it is recommended as a best practice to leverage a SAML IDP, or have more than one default administrator at any given time so that future disruptions are avoided.
Get help from ArcGIS experts
Download the Esri Support App