Summary
Public-facing web applications require the underlying web maps and hosted feature layers to also be public-facing. This opens up editable layers to undesired access outside of the scope provided by the web application. This is problematic with editable apps such as GeoForms or Crowdsource Reporter, which may ask for sensitive information, or for any customer that wishes to protect their data. It is not advantageous for users to query, extract or modify information stored in the layers outside of the scope provided by the web application, for example, using a web map or the REST endpoint.
This workflow can work with any ArcGIS Online or Portal Web Application (not native applications) to ensure a publicly-shared layer is only accessible through the app, but not through maps or the REST endpoint.
Procedure
Note:
This procedure can be used to limit access for map services as well as hosted feature services.
The Limit Usage capabilities of ArcGIS Server web services allows ArcGIS Online hosted feature layers to be only accessible through the public facing Web Application even though the layer is also shared publicly.
- Publish a hosted feature layer to ArcGIS Online. This is referred to as the 'original' hosted feature layer.
- Make sure the layer is not available to the public.
- In the item details page of the original hosted feature layer, copy the URL at the bottom right of the Overview tab.
- Go to Content > My Content, click New Item, and select URL. This is referred to as the 'second' hosted feature layer.
- Paste the original hosted feature layer REST URL. which should be recognized as an ArcGIS Server web service, enable the Store credentials with service item. Do not prompt for authentication option, then click Next.
- Enter your credentials and click Next.
- Fill in and appropriate title and useful tags.
- Create a web map with the second hosted feature layer. If the web map is to be updated, ensure that the web map URL is added to the allowed referrer list in Step 6.
- Make sure to configure the pop-up to not show fields containing sensitive information (or simply disable pop-ups). This is to make sure users are unable to see other users' sensitive information in the map viewer of the web app created in the next step.
- Create a web app from the map.
- Set up the application as needed.
- Within the item details page of the web app, copy the URL at the bottom right of the Overview tab.
- In the item details page of the second hosted feature layer, go to the Settings tab.
- At the bottom of the page, enter your credentials if absent.
- Click the Limit Usage button.
- Optionally, check Enable rate limiting, and set up the limits—a maximum number of requests allowed for a specific period of time or the referrer URLs and IP addresses that can access the service.
- Paste the web application URL.
- Click Add and then OK.
- Click the Save button at the bottom of the page.
- A green notification should appear at the top right of the page if the update was successful.
- The second hosted feature layer is now only accessible through the web app. Even if logged in with appropriate credentials, it is not possible to access the REST endpoint or view the layer in a web map.
- Go back to the web app item details page and share with everyone.
- Agree to update the sharing options for the second hosted feature layer and the web map.
- The second hosted feature layer is only accessible through the web app. Thus, it can only be modified through the means enabled by the web application.
- The original hosted feature layer is not shared and thus only accessible to the publisher/analyst. That person can work with the data as usual.
While this workflow is specific to ArcGIS Online hosted services, it works the same with Portal for ArcGIS. It also works using services published to ArcGIS Server; simply copy the service's REST URL from ArcGIS Server Manager in Step 2. Also note that multiple URLs for different web maps or web apps can be added in Step 6.