Visibility of sensitive layer to only members of a group.

VaL · ‎05-14-2021

Hi all

I have a feature layer in my portal. I am owner and the layer is sensitive, so only a few people should see it.

I have a group for that called gr1.

Testing with 2 users u1 and u2.

if user is not part of the gr1 they shouldn't see the layer.

if user is part of the gr1 they can see the layer.

Results:

U1 - admin on portal, not part of gr1 = can not see layer.

U1 - admin on portal, part of gr1 = can see layer.

So u1 seems to have expected behaviour.

U2 - admin on portal, not part of gr1 = can see layer. (1)

U2 - user on portal, not part of gr1 = can not see layer.

U2 - admin on portal, part of gr1 = Not tested due to 1 above.

The only difference is u2 has two accounts on portal - one admin (L2) and one user (L1) with 2 different emails.

Question:

Why the different behaviour?

If a user is admin but not part of a gr1 they should not see the layer. Is that correct?

So how come u2 saw the data as admin, but not part of gr1?

How can a layer be set up on portal to be visible to specific users only?

Portal 10.6.1. Using SAML auth.

Todd_Metzler · ‎05-14-2021

NOTICE: (I learned this the hard way!). In ArcGIS Enterprise federated/hosting configuration with server REST services directory enabled, a Portal role member having at least one (1) administrative permission can access and see all content via REST without regard to group membership or content permission settings.

We've brought this to Esri's attention and asked for an custom role definition enhancement to address this.

For now, we do not assign anyone any administrative permissions unless they have a need to know everything about our Portal's content.

Todd