topic Re: Restricting Editing in a Portal Web Application in Web AppBuilder Custom Widgets Questions

Restricting Editing in a Portal Web Application

NikolasSchmidt — Fri, 26 Jan 2018 14:04:05 GMT

My organization would like to have Applications that are available to view by all Users within our Portal, but have editing privileges for the Layer(s) available only to named Group(s) and/or named User(s). My plan to go about doing this is to create a custom Widget to incorporate into all such Applications through which the publisher can specify either named Group(s) and/or User(s), as well as the Layer(s) that can be edited through the Application.

I'm not very far along on this project, but I'd like to get some information before beginning:

Is this an effective solution to solving the problem?
Are there other existing solutions to this problem that would be easier to incorporate?
Would is be easier to create a wrapper widget that simply verifies that the current user is approved, then enables the out-of-the-box editor widget?
Any other advice or thoughts?

Thank you!

Re: Restricting Editing in a Portal Web Application

JordanBaumgardner — Fri, 26 Jan 2018 15:32:47 GMT

If you have access to the ArcGis Servers a Server Object Interceptor (SOI) might work for you. We implemented a Feature Level security for a client. When the request for an edit/update/delete came in, we grabbed it, looked up the user to see if they had access to that feature, if so, we let the call go through, if not, we send back an error.

It's an entirely different toolset than your using on the client side.

A simpler option is to have two sets of Services, one for viewing and one for editing. Then lock the editable services down to just the groups you wish to have edit privileges.

Another option is to set up a proxy - send your calls through the proxy, check security and pass or reject. Again, probably a different toolset than you might be used to. This solution also has the Client-Side only issues listed below.

Your current option is not a bad one either. But with a client-side only solution is that you still will have a back door. The widget might be disabled, but the rest endpoint would still be active and open.

Re: Restricting Editing in a Portal Web Application

XanderBakker — Fri, 26 Jan 2018 16:21:18 GMT

I think this is typically why Create hosted feature layer views—Portal for ArcGIS | ArcGIS Enterprise were implemented. Allowing to create views on a single hosted feature layer and assign different permissions on the views will should allow you to do this.