Provision enterprise accounts on ArcGIS Online for users who have not previously logged in. #45

Open
knoopum opened this issue Dec 21, 2019 · 0 comments

knoopum commented Dec 21, 2019

Until a user has logged into ArcGIS Online the first time with their umich credentials, the system does not know they exist. Hence, when attempting to add such a user from a Canvas roster to an ArcGIS Online group, it will fail, as the user does not exist in ArcGIS Online.

The ArcGIS API for Python can be used to programmatically create accounts for users who have not previously logged into ArcGIS Online. So for users that cannot be added to a group, because they do not yet exist, their account can be provisioned for them in ArcGIS Online, and then they can be added to the group.

I expect in most cases the users that need to be added to the ArcGIS Online group will exist. So it is probably less efficient to check for the existence of a user before trying to add them to the target group. It is likely more efficient to accumulate a list of users who you were unable to add, and then process that list: check for an existing account; if one does not exist, provision one for them; then add them to the group.

Below is an example function for provisioning a new Enterprise account in ArcGIS Online. (Where enterprise provider means it relies on an externally configured IdP, i.e., Weblogin, for authentication; as opposed to arcgis itself being the provider, which means the user's password is stored in ArcGIS Online).

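```python
# `gis` is assumed to be an authenticated arcgis.gis.GIS connection
# (organization administrator) created elsewhere in the module.
def createEnterpriseUser(idp_username, firstname, lastname, org_key='umich'):

    # Derive username from idp_username by appending org key.
    username = idp_username + '_' + org_key

    print('Creating:', username)
    user = gis.users.create(
        username=username,
        password='None',  # placeholder; a value is required (see below)
        firstname=firstname,
        lastname=lastname,
        email=idp_username + '@umich.edu',
        role='org_publisher',
        provider='enterprise',  # authentication is delegated to the external IdP
        idp_username=idp_username,
        level='2',
        user_type='creator'
    )
    # Return the new account so the caller can add it to the group.
    return user
```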

The use of 'None' may seem a little disconcerting; however, a value has to be specified for this parameter. It will never ever be used, as the provider parameter is set to 'enterprise', which means the only way this user can log in is via Weblogin. They cannot log in through the default ArcGIS login dialog.

Let me know when it is time to implement this, as Esri may have addressed the bug described below by then.

There are additional settings that we apply to new accounts via a system-wide configuration on ArcGIS Online called "New Member Defaults" (i.e., allocate an initial amount of credits, associate various licenses with the user's account, enable access to Esri training resources for the user's account, etc.).

Currently this Python API call is not fully honoring those system-wide defaults, so we need to manually configure some things. We have a script that runs every 5 minutes looking for newly created users, which handles this issue for now. This means adding a line to the function to reset the newly created user's role to a specific, custom role, for which that script is looking.

We do not want to hardcode the setting of the additional configuration values in the code here, as we do update them from time to time. So simply flagging the user for further processing elsewhere by setting a known custom role works well.
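
The add-first, provision-on-failure flow described in this issue, as an added example (not code from the issue or the project). It assumes `Group.add_users` reports failures in its `notAdded` list; the function name, the roster tuple shape and the IdP username pattern are hypothetical, and the random throwaway password is a substitution for the constant placeholder.

```python
import re
import secrets

ORG_KEY = "umich"  # same suffix as org_key in the issue's function
# Assumed IdP username format (hypothetical); adjust to the real rule.
IDP_NAME_RE = re.compile(r"[a-z0-9]{3,8}")


def add_roster_to_group(gis, group, roster, role="org_publisher"):
    """roster: iterable of (idp_username, firstname, lastname) tuples.

    Returns (provisioned, rejected, still_missing) lists of names.
    """
    people, rejected = {}, []
    for idp, first, last in roster:
        # Refuse roster values that cannot be a real IdP username before
        # they are turned into an account name and an e-mail address.
        if IDP_NAME_RE.fullmatch(idp):
            people[f"{idp}_{ORG_KEY}"] = (idp, first, last)
        else:
            rejected.append(idp)
    if not people:
        return [], rejected, []

    # Optimistic pass: most users already exist, so just try to add them.
    not_added = group.add_users(list(people)).get("notAdded", [])

    provisioned = []
    for username in not_added:
        if gis.users.get(username) is not None:
            continue  # account exists; the add failed for another reason
        idp, first, last = people[username]
        user = gis.users.create(
            username=username,
            # Random throwaway instead of a constant: unused with
            # provider='enterprise', unguessable if that ever changes.
            password=secrets.token_urlsafe(32),
            firstname=first, lastname=last, email=f"{idp}@umich.edu",
            role=role,  # or the custom role the follow-up script looks for
            provider="enterprise", idp_username=idp,
            level="2", user_type="creator",
        )
        if user is not None:
            provisioned.append(username)

    # Second pass only for the accounts that were just created.
    failed = group.add_users(provisioned).get("notAdded", []) if provisioned else []
    still_missing = [u for u in not_added if u not in provisioned or u in failed]
    return provisioned, rejected, still_missing
```

Logging `rejected` and `still_missing` gives an audit trail of roster entries that were never turned into accounts or group members.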
