https://community.esri.com/t5/arcgis-api-for-silverlight-questions/record-based-feature-class-security/m-p/435669#M11249 <HTML><HEAD></HEAD><BODY><SPAN>I want to design a project which will require that 100+ users have access to their own polygon records. This is not a collaborative effort, a user adds polygons, and only this user (and I as the admin) will be able to see their polygons. In theory, i should be able to create one feature class, the columns would then be "Polygon_Name, Polygon_ID, User_ID and Polygon_geometry". </SPAN><BR /><BR /><SPAN>I can create the feature &amp; geodata services to serve the feature class , i can secure the services with token-based authorization and i can query based on the USER_ID column so only the polygon records of the appropriate user returns. But the way i understand it (and please correct me if I'm wrong), at this point, the only thing preventing users from seeing another's records is the querytask which is done from within the client(and therefore has no security).</SPAN><BR /><BR /><SPAN>Other than creating a different feature class and feature service for each of the 100+ users (which is not feasible), is there any other way of doing this?</SPAN><BR /><BR /><SPAN>Can the querytask be intercepted, checked and then sent along?</SPAN><BR /><SPAN>Can I use the featurelayer &amp; editor purely for the user interface, but then have the polygon submitted to a WCF service which adds or edits an existing polygon in a feature class through web adf (or yet another featurelayer &amp; feature service which only the admin has access to?)</SPAN><BR /><BR /><SPAN>Any thoughts on this would be greatly appreciated</SPAN></BODY></HTML> Fri, 25 Jun 2010 19:03:32 GMT DaveRabrun 2010-06-25T19:03:32Z https://community.esri.com/t5/arcgis-api-for-silverlight-questions/record-based-feature-class-security/m-p/435669#M11249 <HTML><HEAD></HEAD><BODY><SPAN>I want to design a project which will require that 100+ users have access to their own polygon records. This is not a collaborative effort, a user adds polygons, and only this user (and I as the admin) will be able to see their polygons. In theory, i should be able to create one feature class, the columns would then be "Polygon_Name, Polygon_ID, User_ID and Polygon_geometry". </SPAN><BR /><BR /><SPAN>I can create the feature &amp; geodata services to serve the feature class , i can secure the services with token-based authorization and i can query based on the USER_ID column so only the polygon records of the appropriate user returns. But the way i understand it (and please correct me if I'm wrong), at this point, the only thing preventing users from seeing another's records is the querytask which is done from within the client(and therefore has no security).</SPAN><BR /><BR /><SPAN>Other than creating a different feature class and feature service for each of the 100+ users (which is not feasible), is there any other way of doing this?</SPAN><BR /><BR /><SPAN>Can the querytask be intercepted, checked and then sent along?</SPAN><BR /><SPAN>Can I use the featurelayer &amp; editor purely for the user interface, but then have the polygon submitted to a WCF service which adds or edits an existing polygon in a feature class through web adf (or yet another featurelayer &amp; feature service which only the admin has access to?)</SPAN><BR /><BR /><SPAN>Any thoughts on this would be greatly appreciated</SPAN></BODY></HTML> Fri, 25 Jun 2010 19:03:32 GMT https://community.esri.com/t5/arcgis-api-for-silverlight-questions/record-based-feature-class-security/m-p/435669#M11249 DaveRabrun 2010-06-25T19:03:32Z https://community.esri.com/t5/arcgis-api-for-silverlight-questions/record-based-feature-class-security/m-p/435670#M11250 <HTML><HEAD></HEAD><BODY><SPAN>You could use a proxy on the querytask/featurelayer and check the userid there. Basically before parsing the query on to the server, the proxy will modify the url to append the Where clause.</SPAN></BODY></HTML> Mon, 28 Jun 2010 23:51:26 GMT https://community.esri.com/t5/arcgis-api-for-silverlight-questions/record-based-feature-class-security/m-p/435670#M11250 dotMorten_esri 2010-06-28T23:51:26Z https://community.esri.com/t5/arcgis-api-for-silverlight-questions/record-based-feature-class-security/m-p/435671#M11251 <HTML><HEAD></HEAD><BODY><SPAN>Thank You,&nbsp; just like you said,&nbsp; I can pretty much intercept and apply business logic to all rest calls from proxy.ashx.</SPAN></BODY></HTML> Wed, 21 Jul 2010 03:45:22 GMT https://community.esri.com/t5/arcgis-api-for-silverlight-questions/record-based-feature-class-security/m-p/435671#M11251 DaveRabrun 2010-07-21T03:45:22Z https://community.esri.com/t5/arcgis-api-for-silverlight-questions/record-based-feature-class-security/m-p/435672#M11252 <HTML><HEAD></HEAD><BODY><SPAN>You can use use a proxy to run your query through and validate that the UserID hasn't been tampered with. There's a ProxyUrl property on the query task that you can use for this.</SPAN></BODY></HTML> Wed, 21 Jul 2010 18:51:37 GMT https://community.esri.com/t5/arcgis-api-for-silverlight-questions/record-based-feature-class-security/m-p/435672#M11252 dotMorten_esri 2010-07-21T18:51:37Z