I was testing the use of the API Key functionality for conducting python automation via the arcgis python api and I expected API Key privileges to apply. However, testing indicated API key privileges were following the user role that owns the key, not the privileges set in the key itself. I'm wondering if there is a bug in the Arcgis API or if I am missing something?
Testing steps:
- Using ArcGIS Online, I created an API key to test allowing access to organization resources via an automation script. I gave the key one privilege: Admin>Content>View all. This also automatically selects the additional privileges: General>Members>View; General>Content>View content shared with organization; Admin>Members>View all. A referrer url was not designated.
- The test used arcgis python api version 2.3.0.3. After using gis = arcgis.gis.GIS(api_key="*KEY*”) to authenticate, I was able to retrieve content as expected. However, I was also able to add records (using layer.edit_features(adds=itemList)) which I did not expect. I tried this with an editable feature layer I own and a non-editable layer another account owned. My account role includes General>Features>Edit with full control, so I assumed the API Key was using my user role privileges.
- To test this, I logged on as a test user with a similar role and created an API Key with the same privileges as described above. The editing capability was available and I was able to add records to the two layers as previously described. I then changed the test user role to only allow General>Content>Create/Update/Delete. The API Key authenticated. As expected, I could not query items from the other accounts. I updated the test role to include Administrative>Content>View All. The data could now be queried as expected. However, the edit test again allowed me to add data to both feature layers. When logged on as the test user directly to AGOL, I was able to manually edit the data for the editable layer, but not for the non-editable layer.
I examined Privileges | Documentation | Esri Developer to learn about the scope. It appears that the AGOL Portal Service privileges have personal scope “that require additional permissions from your account to perform operations.” However, in this case it seems the privileges for the API Key are being overridden by the user role permissions not enabled by them. When using the arcgis python api, it is not adhering to the privileges of the API Key, nor is it adhering to the privileges of the user role.
This test would suggest if I set up an API Key as an administrator, any workflow using that key via the python api can conduct any action on my site regardless of the privileges in the key. Obviously that is not great.
