ArcGIS determines security of web services from the Portal Map Image Layer aka Map Service
ArcGIS determines security of web services from the Portal Map Image Layer aka Map Service.
When you publish a layer referencing the RDBMS (and registered as a datastore with ArcGIS Enterprise Server) from ArcGIS Pro, you have the option to enable a Map Image and Feature layer.
This in turn creates two rest end points:
- One /MapServer/# url
- One /FeatureServer/# url
If the ArcGIS Enterprise Server is Federated to an ArcGIS Enterprise Portal, the publishing process also creates a portal item for each url:
- a Map Image Layer (MIL) item corresponding to the MapService
- a Feature Layer (FL) item corresponding to the FeatureService
In the Portal, the MIL and FL items can have different owners.
By default, the owner of both items is the publisher user that originally published the web services.
If for some reason the ownership changes, it is vital to know that ArcGIS truly bases the security of the web service based on the owner of the MIL/Map Service only.
This is the reason that if you were to overwrite the service from pro, only the MIL item shows up as an available item to overwrite.
As a result, the FL item can be owned by another portal user, but in fact, the access to the data for that FL truly lies with the MIL owner.
This became evident to me when trying this workflow:
User 1 published a MapService/MIL and FeatureService/FL to portal A, thus the MIL and FL are initially owned by user 1.
FL changed ownership to user 2.
MIL still owned by user 1.
There is a need to use FeatureService/FL from portal A onto portal B, so we login to portal B, and add the feature service URL link reference from portal A.
Side-note:
Some use cases we have used this url link is:
1
When we need to reference a prod url in lower environments (i.e.: stage,dev) as source data to read from
2
To have as a source/feed in ArcGIS Velocity in ArcGIS Online.
content> add item:
add the Feature Service url
Since User 2 owns the FL in Portal A, embed those credentials
In ArcGIS Enterprise Portal, you get this error:
In ArcGIS Online, you get this error:
the page redirects to org.maps.arcgis.com/home/item.html?id=undefined
The item you requested cannot be found. The item may have been deleted or you may have entered an incorrect URL
These errors are fixed once the Map Image Layer owner is the same as the credentials you are embedding when adding the FeatureService url link.
In this case:
We are attempting to add Feature Service url (owned by user 2) using user 2 credentials.
But since the MIL is still owned by user 1, it fails.
Embedding user 1 credentials with the Feature Service url will fix it.
Takeaway:
- The respective feature layer can be a different owner, and it would still work.
- ArcGIS bases the security off the map service url from the Map Image Layer only.
- You can also choose to not embed credentials when adding the url link, but then you'd be prompted for credentials each time the layer loads onto an app the first time.
The closest Esri doc that I see that mentions this security ownership is in the architecture center:
"In the above service types, only in the map image layer scenario can data truly be restricted to user access."