How To: Limit access to secured hosted services in ArcGIS Online for public-facing web applications
Public-facing web applications require the underlying web maps and hosted feature layers to also be public-facing. This is problematic with editable apps such as Geoforms or Crowdsource Reporter, which may ask for sensitive information, or for any customer that wishes to protect their data. It is not advantageous for users to query, extract or modify information stored in the layers outside of the scope provided by the web application, for example, using a web map or the REST endpoint.
This workflow should work with any ArcGIS Online or Portal Web Application (not native applications) to ensure a publicly-shared layer is only accessible through the app, but not through maps or the REST endpoint.
The Limit Usage capability of ArcGIS Server web services allows an ArcGIS Online hosted feature layer to be accessible only through the public-facing web application, even though the layer is also shared publicly.
1. Publish a hosted feature to ArcGIS Online. This is referred to as the 'original' hosted feature.
   - Make sure the layer is not available to the public.
2. In the item's detail page of the original hosted feature, copy the URL at the bottom right of the Overview tab.
3. Go to My Content and select Add Item from the Web. The item added here is referred to as the 'second' hosted feature.
   - Paste the original hosted feature REST URL.
   - Enter your credentials and select the "Store credentials with service item. Do not prompt for authentication." option.
   - Fill in an appropriate title and useful tags.
4. Create a web map with the second hosted feature.
   - Make sure to configure the pop-up to not show fields containing sensitive information (or simply disable pop-ups). This is to make sure users are unable to see other users' sensitive information in the map viewer of the web app created in the next step.
5. Create a web app from the map.
   - Set up the application as needed.
   - Within the item's detail page of the web app, copy the URL at the bottom right of the Overview tab.
6. In the item's detail page of the second hosted feature, go to the Settings tab.
   - At the bottom of the page, enter your credentials if absent.
   - Click the Limit Usage button.
   - Optionally, check Enable rate limiting and set up the limits: a maximum number of requests allowed for a specific period of time, or the referrer URLs and IP addresses that can access the service.
   - Paste the web application URL.
   - Click Add and then OK.
   - Click the Save button at the bottom of the page.
   - A green notification should appear at the top right of the page if the update was successful.
   - The second hosted feature is now only accessible through the web app. Even if logged in with appropriate credentials, it is not possible to access the REST endpoint or view the layer in a web map.
7. Go back to the web app item's details page and share with everyone.
   - Agree to update the sharing options for the second hosted feature and the web map.
The second hosted feature is only accessible through the web app. Thus, it can only be modified through the means enabled by the web application.
The original hosted feature is not shared and thus only accessible to the publisher/analyst. That person can work with the data as usual.
While this workflow is specific to ArcGIS Online hosted services, it works the same with Portal for ArcGIS. It also works using services published to ArcGIS Server; simply copy the service's REST URL from ArcGIS Server Manager in step 2. Also note that multiple URLs for different web maps or web apps can be added in step 6.
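One way to check the outcome described above once the sharing is in place, as an added example that is not part of the original article: it requests both REST URLs directly and reports any probe that is answered instead of refused. The function names, the example.com URLs, the set of refusal codes and the sample replies are assumptions made for this sketch.

```python
import json
import sys
import urllib.error
import urllib.request

DENY_CODES = (401, 403, 498, 499)  # assumed refusal codes: forbidden, invalid or missing token

def is_denied(status, body):
    """True if the reply is a refusal; ArcGIS REST may send HTTP 200 with an error envelope."""
    if status in DENY_CODES:
        return True
    try:
        doc = json.loads(body)
    except ValueError:
        return False  # non-JSON reply: not a recognised refusal, flag it for manual review
    err = doc.get("error") if isinstance(doc, dict) else None
    return isinstance(err, dict) and err.get("code") in DENY_CODES

def http_fetch(url, referer=None):
    """GET <url>?f=json, optionally with a Referer header; returns (status, body)."""
    req = urllib.request.Request(url + "?f=json")
    if referer:
        req.add_header("Referer", referer)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")

def audit(original_url, second_url, fetch=http_fetch):
    """Return the labels of probes that were answered instead of refused."""
    probes = [
        ("original item, anonymous", original_url, None),
        ("second item, no Referer", second_url, None),
        ("second item, unlisted Referer", second_url, "https://unlisted.example/"),
    ]
    return [label for label, url, ref in probes if not is_denied(*fetch(url, ref))]

# Constructed replies for an offline run: the second item answers a request with no Referer.
DENIED = (200, '{"error": {"code": 403, "message": "constructed sample", "details": []}}')
LAYER = (200, '{"name": "constructed_layer", "type": "Feature Layer"}')

def sample_fetch(url, referer=None):
    return LAYER if ("second" in url and referer is None) else DENIED

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py <original REST URL> <second item URL>
        exposed = audit(sys.argv[1], sys.argv[2])
    else:                   # no arguments: run against the constructed replies
        exposed = audit("https://original.example/FeatureServer/0",
                        "https://second.example/FeatureServer/0", sample_fetch)
    print("exposed:", exposed or "none")
```

An empty result means every direct request was refused; any label in the list names a path that still returns layer data outside the web app.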