In ArcGIS Online For Organizations, how does one publish a hosted feature service that is shared with Everyone for viewing, while restricting editing to specific users or groups, and different kinds of editing for different groups?
In the help, at the end of Editor permissions for feature services under Configuring multiple tiers of access, it says:
If you need to support multiple tiers of users, each requiring different operations, the recommended approach is to create one service for each level of user. For example, you could create a Professors service that might have all operations allowed. Along with that, you could create a less-privileged Students service with only Create, Query, and Upload operations allowed.
Which is great; that's what I need to do. However, what is left out is how to reconcile the multiple feature services so that when the Professors create new features the Students see the new records, and vice versa.
The web browser management Create Service wizard allows you to use one feature service as a source for a new one, but only the data model is used (symbol definitions, field names and types, etc.) while the actual features are left behind; the new service is blank. This is the intended behaviour.
Answer
After 2015-Jul-14
The situation is much improved. The organisation admin can create a group with the Members can update items permission. This removes the need for shared login credentials and/or giving all editors organisation-wide admin privileges*, while also making the group permissions answer** viable for public maps.
The new recommended practice is:
- Disable editing entirely on the hosted feature service
- As organisation admin: create an Editors group and grant the new “Members can update” permission, populate as needed. (Must be a new group, created after July 2015).
- In daily use the editors use “Add layer to map with editing enabled” from item details page to override the read-only flag.
For full details see Enable colleagues to update your maps and apps in the ArcGIS Blog and Best practices for using layers in maps in the online help.
...
I harbour some reservations, as the underlying security model† doesn't appear to have changed: the feature service itself does not have a concept of an authorized user or group. I believe there is still room for problems, but at least the surface area is greatly reduced and the possibility of accidental and mere curiosity-driven data damage is removed.
Also please note existing services using the old methods are still vulnerable. In my testing yesterday I easily discovered unwittingly exposed feature services simply by searching arcgis.com for "edit feature service layer".
Prior to 2015 July
We had an extended conversation with some Esri Canada folks about this in Feb 2015. There is no secure method to govern simultaneous edit and read-only privilege roles in ArcGIS Online (at present). The best one can do is obscure the location of the editable service, as per Brad's and Bmearns' answers here, and then enable Track Editor. This would be followed with periodic scheduled reviews of the records and removal of those not made by someone authorized to do so.
An additional (small, weak) protective measure is to add a filter to the web map to only display records where Creator is not {one space} (is not blank doesn't work). This only affects that web map. People bypassing the web map and accessing the feature service directly see everything.
If a secured and editable feature service is needed, you need to run your own ArcGIS Server somewhere else with sharing and editing locked down as needed, and then a read-only service exposed to ArcGIS Online.
This does allow utilizing the massive uptime, content distribution network caching, CPU/memory scaling, and so on of the ArcGIS Online infrastructure for widespread public read-only consumption, with edit access on a more meagrely apportioned and less costly machine. You are not going to get both in one place with ArcGIS Online.
update, 2015-May-27: added Filter by Creator tip
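The answer above recommends disabling editing on any hosted feature service shared with Everyone and notes that services set up the old way may still be exposed. Below is an added audit example (not from the original post or from Esri) that checks, for items an organisation shares publicly, whether the service root still advertises edit capabilities. It uses constructed sample JSON shaped like the ArcGIS REST item-search and feature-service responses ("access", "url", "capabilities" are the field names the public API uses; the item values and URLs are made up).

```python
# Capabilities that let a caller change data on a hosted feature service.
# "Editing" is the umbrella capability; the others are the individual operations.
EDIT_CAPABILITIES = {"Create", "Update", "Delete", "Editing"}

# Constructed sample: a trimmed item-search result (sharing/rest/search?f=json).
# "access" is "public" for items shared with Everyone. URLs are placeholders.
SAMPLE_ITEMS = [
    {"id": "item-A", "title": "Professors", "access": "org",
     "url": "https://example.invalid/rest/services/Professors/FeatureServer"},
    {"id": "item-B", "title": "Students", "access": "public",
     "url": "https://example.invalid/rest/services/Students/FeatureServer"},
    {"id": "item-C", "title": "Campus map", "access": "public",
     "url": "https://example.invalid/rest/services/Campus/FeatureServer"},
]

# Constructed sample: what each service root (<url>?f=json) reports.
# "Students" mirrors the help text's less-privileged tier (Create, Query, Upload);
# "Campus map" is the recommended read-only state (Query only).
SAMPLE_SERVICE_INFO = {
    SAMPLE_ITEMS[0]["url"]: {"capabilities": "Query,Create,Update,Delete,Editing"},
    SAMPLE_ITEMS[1]["url"]: {"capabilities": "Query,Create,Uploads,Editing"},
    SAMPLE_ITEMS[2]["url"]: {"capabilities": "Query"},
}


def edit_capabilities(service_json):
    """Return the sorted edit-related capabilities a service root advertises."""
    raw = service_json.get("capabilities", "")
    caps = {c.strip() for c in raw.split(",") if c.strip()}
    return sorted(caps & EDIT_CAPABILITIES)


def find_publicly_editable(items, service_info):
    """List (item id, title, edit capabilities) for public items whose service still allows edits.

    Items not shared with Everyone are skipped: the point of the check is the
    combination of public access and editing, which the answer says to avoid.
    """
    findings = []
    for item in items:
        if item.get("access") != "public":
            continue
        caps = edit_capabilities(service_info.get(item["url"], {}))
        if caps:
            findings.append((item["id"], item["title"], caps))
    return findings


if __name__ == "__main__":
    for item_id, title, caps in find_publicly_editable(SAMPLE_ITEMS, SAMPLE_SERVICE_INFO):
        print(f"{item_id} ({title}) is public and allows: {', '.join(caps)}")
```

Against a live organisation you would replace the two samples with the JSON from the search and service-root endpoints; a clean result under the post-July-2015 practice is an empty list, because editing is disabled on the service itself and granted only through the group.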