Enabling public viewers and private editors of feature service on ArcGIS Online For Organizations?

After 2015-Jul-14

The situation is much improved. The organisation admin can create a group with the “Members can update items” permission. This removes the need for shared login credentials and/or giving all editors organisation-wide admin privileges*, while also making group permissions answer** viable for public maps.

The new recommended practice is:

  • Disable editing entirely on the hosted feature service
  • As organisation admin: create an Editors group and grant the new “Members can update” permission, populate as needed. (Must be a new group, created after July 2015).
  • In daily use the editors use “Add layer to map with editing enabled” from the item details page to override the read-only flag.

For full details see Enable colleagues to update your maps and apps in the ArcGIS Blog and Best practices for using layers in maps in online help.

...

I harbour some reservation as the underlying security model doesn't appear to have changed: the feature service itself does not have a concept of authorized user or group. I believe there is still room for problems, but at least the surface area is greatly reduced and the possibility of accidental and mere curiosity-driven data damage is removed.

Also please note existing services using the old methods are still vulnerable. In my testing yesterday I easily discovered unwittingly exposed feature services simply by searching arcgis.com for "edit feature service layer".

Prior to 2015 July

We had an extended conversation with some Esri Canada folks about this in Feb 2015. There is no secure method to govern simultaneous edit and read-only privilege roles in ArcGIS Online (at present). The best one can do is obscure the location of the editable service, as per Brad's and Bmearns' answers here, and then enable Track Editor. This would be followed with periodic scheduled reviews of the records and removal of those not made by someone authorized to do so.

An additional (small, weak) protective measure can be to add a filter to the web map to only display records where Creator is not {one space} (is not blank doesn't work). This only affects that web map. People bypassing the web map and accessing the feature service directly see everything.

If a secured and editable feature service is needed, you need to run your own ArcGIS Server somewhere else with sharing and editing locked down as needed, and then a read-only service exposed to ArcGIS Online.

This does allow utilizing the massive uptime, content distribution network caching, CPU/memory scaling, and so on of the ArcGIS Online infrastructure for widespread public read-only consumption with edit access on a more meagrely apportioned and less costly machine. You are not going to get both in one place, with ArcGIS Online.

update, 2015-May-27: added Filter by Creator tip
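
An added example (not from the original posts or from Esri): a small audit of your own organisation's hosted feature services for the exposure described in the answer above, a publicly shared layer whose service still has editing enabled. It assumes you have already exported each item's JSON (the `access` field) and the service's root JSON (the `capabilities` string and `editorTrackingInfo`); the function names and the sample records are constructed for illustration.

```python
# Added example: flag feature services that are both public and editable.
EDIT_OPS = {"create", "update", "delete", "editing"}


def edit_capabilities(service_json):
    """Return the write operations named in the service's 'capabilities' string."""
    caps = service_json.get("capabilities") or ""
    return {c.strip().lower() for c in caps.split(",") if c.strip()} & EDIT_OPS


def audit(item, service_json):
    """Return a list of findings for one hosted feature service.

    item: portal item JSON (only 'access' is used).
    service_json: feature service root JSON.
    """
    writable = edit_capabilities(service_json)
    public = item.get("access") == "public"
    tracking = (service_json.get("editorTrackingInfo") or {}).get(
        "enableEditorTracking", False)
    findings = []
    if public and writable:
        # The pre-July-2015 pattern: anyone who finds the URL can edit.
        findings.append("public-and-editable: " + ",".join(sorted(writable)))
        if not tracking:
            findings.append("no-editor-tracking")
    elif writable:
        # Not public, but the recommended practice disables editing entirely.
        findings.append("editable-not-public")
    return findings


def audit_inventory(inventory):
    """Map each service title to its findings, omitting clean services."""
    report = {name: audit(item, svc) for name, (item, svc) in inventory.items()}
    return {name: f for name, f in report.items() if f}


# Constructed sample inventory (titles and values are made up).
SAMPLE = {
    "parks_view": ({"access": "public"}, {"capabilities": "Query"}),
    "parks_edit_hidden": ({"access": "public"},
                          {"capabilities": "Create,Delete,Query,Update,Editing",
                           "editorTrackingInfo": {"enableEditorTracking": True}}),
    "hydrants": ({"access": "public"}, {"capabilities": "Query,Update,Editing"}),
    "staff_only": ({"access": "org"}, {"capabilities": "Create,Query,Editing"}),
}

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE).items():
        print(name, findings)
```
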


I have set up groups.
One group is an edit group. In that group the editable map (with feature service) is shared.
The group is private and I invite only the editors to it.
Another group is for non-editors and I invite other members to it.
In that group my map service (non-editable) webmap is shared.
It works a bit like assigning permissions and roles.


(edited 5/7/15)

Not ideal, but achieves collaborative editing and public viewing/not editing.

  1. make editors administrators under the organization
  2. make layer non-editable but share publicly
  3. administrators can "add as editable layer" for web admin and do disconnected/synchronized editing on Desktop

I was not able to recreate the correct permissions using roles, but this will work for us, since the number of editors is small and I trust them.

[Images: Feature service properties (editing disabled); Add with editing enabled menu]

Something like what Brad suggested worked for me

  1. Sign into account with publisher permissions
  2. My Content > Add Item > From my computer > (check) Publish this file as a feature layer
  3. My Content > [Feature Layer] > Edit > (check) Enable editing and allow editors to ...
  4. My Content > [Feature Layer] > Share > Everyone
  5. My Content > [Feature Layer] > Add layer to [new] map
  6. On the map > share with everyone, disable editing on layer if it is enabled for some reason, save, publish through web application with share if desired
  7. Groups > Create group, add users to have edit permissions to group
  8. My Content > [Feature Layer] > Add layer to [new] map with editing enabled
  9. Share this map with the group just created for editors