Continue in the app
Be The First To Get Support Updates
Want to know about the latest technical content and software updates?

How To: Limit access to secured hosted services or map services in ArcGIS Online for public-facing web applications


Public-facing web applications require the underlying web maps and hosted feature layers to also be public-facing. This opens up editable layers to undesired access outside of the scope provided by the web application. This is problematic with editable apps such as Geoforms or Crowdsource Reporter, which may ask for sensitive information, or for any customer that wishes to protect their data. It is not advantageous for users to query, extract or modify information stored in the layers outside of the scope provided by the web application, for example, using a web map or the REST endpoint.

This workflow should work with any ArcGIS Online or Portal Web Application (not native applications) to ensure a publicly-shared layer is only accessible through the app, but not through maps or the REST endpoint.


This procedure can be used to limit access for map services as well as hosted feature services.

The Limit Usage capabilities of ArcGIS Server web services allows ArcGIS Online hosted feature layers to be only accessible through the public facing Web Application even though the layer is also shared publicly.

  1. Publish a hosted feature to ArcGIS Online. This is referred to as the 'original' hosted feature.
    • Make sure the layer is not available to the public.
  2. In the item's detail page of the original hosted feature, copy the URL at the bottom right of the Overview tab.
  3. Go to My Content and select Add Item from the Web. This is referred to as the 'second' hosted feature.
    1. Paste the original hosted feature REST URL.
    2. Enter your credentials and select the Store credentials with service item. Do not prompt for authentication option.
    3. Fill in and appropriate title and useful tags.
  4. Create a web map with the second hosted feature.
    • Make sure to configure the pop-up to not show fields containing sensitive information (or simply disable pop-ups). This is to make sure users are unable to see other users' sensitive information in the map viewer of the web app created in the next step.
  5. Create a web app from the map.
    1. Set up the application as needed.
    2. Within the item's detail page of the web app, copy the URL at the bottom right of the Overview tab.
  6. In the item's detail page of the second hosted feature, go to the Settings tab.
    1. At the bottom of the page, enter your credentials if absent.
    2. Click the Limit Usage button.
    3. Optionally, check Enable rate limiting, and set up the limits—a maximum number of requests allowed for a specific period of time or the referrer URLs and IP addresses that can access the service.
    4. Paste the web application URL.
    5. Click Add and then OK.
    6. Click the Save button at the bottom of the page.
      • A green notification should appear at the top right of the page if the update was successful.
      • The second hosted feature is now only accessible through the web app. Even if logged in with appropriate credentials, it is not possible to access the REST endpoint or view the layer in a web map.
  7. Go back to the web app item's details page and share with everyone.
    • Agree to update the sharing options for the second hosted feature and the web map.
  8. The second hosted feature is only accessible through the web app, Thus, it can only be modified through the means enabled by the web application.
  9. The original hosted feature is not shared and thus only accessible to the publisher/analyst. That person can work with the data as usual.

While this workflow is specific to ArcGIS Online hosted services, it works the same with Portal for ArcGIS. It also works using services published to ArcGIS Server; simply copy the service's REST URL of the from ArcGIS Server Manager in step 2. Also note that multiple URLs for different web maps or web apps can be added in step 6.

Related Information

Last Published: 9/27/2021

Article ID: 000017029

Software: Portal for ArcGIS 10.9, 10.8.1, 10.8, 10.7.1, 10.7, 10.6.1, 10.6, 10.5.1, 10.5, 10.4.1, 10.4, 10.3.1, 10.3, 10.2.2, 10.2.1, 10.2