Owner remains able to edit non-editable referenced feature layer.

CU-KeithJones · ‎05-29-2025

We are operating in an Enterprise 11.2 environment with Server, Datastore, Portal, and an external geodatabase server.

We stumbled across something today we thought not possible: a user with publisher role can Share a referenced web layer to Portal with editing disabled on the feature layer, and after its creation, still edit the attribute table of the referenced feature layer in Portal using ArcGIS Pro.

We’ve tested this and can recreate (the issue?) Our understanding is that disabling editing on the feature layer should prevent anyone from editing at all, even the owner that published it.

Is this by design, a sign of a problem with our environment, or something in between? Should owners still be able to edit non-editable feature layers that they create from an external gdb?

DavidColey · ‎05-29-2025

you say:

"a user with publisher role can Share a referenced web layer to Portal with editing disabled on the feature layer, and after its creation, still edit the attribute table of the referenced feature layer in Portal using ArcGIS Pro."

Yes, the owner of the layer can always perform edits to the layer regardless of the capability settings. Please see more info at:

https://enterprise.arcgis.com/en/portal/latest/administer/windows/member-roles.htm

View solution in original post

DavidPike · ‎05-29-2025

Is the data source registered on the server data store and/or can the publisher add a workspace to the data store? What's the source data here, FGDB or from an SDE? It could have a few layers of complexity here.

A data owner will always be able to edit their own data Controlling access to hosted feature layer data—Portal for ArcGIS | Documentation for ArcGIS Enterpr... when it comes to Hosted Feature Layers (I understand you've used the term 'referenced' so I'm imagining this is a published service with a source registered to the ArcGIS Enterprise Data Store - so not uploaded as an HFL), but for other sources it may not be so simple (e.g. SDE connection file properties of the registered workspace).

Really I think there's more information needed to give a complete answer on what's potentially occurring.

CU-KeithJones · ‎05-29-2025

Data source is registered on server, connecting to an SDE. Unfamiliar with the adding of workspace concept.

While users log in with named accounts via SAML and create their own content, anything that represents a single source of truth is created under a shared, local account with the publisher role, accessible to a few.

It is content created with this account that we intend to be read-only to the organization—standard things like buildings, roads, and parking lots—and historically we facilitate that through sharing map image layers to the organization, restricting the editable feature layer created with this account to Owner and no groups.

With the knowledge that we can publish non-editable feature layers to the organization and still edit them with the shared account, we might replace the functionally limited map image layers with feature layers configured with editing disabled. The immediate benefit are pop-ups that are enabled by default and capable of displaying more than just title and fields.

DavidColey · ‎05-29-2025

you say:

"a user with publisher role can Share a referenced web layer to Portal with editing disabled on the feature layer, and after its creation, still edit the attribute table of the referenced feature layer in Portal using ArcGIS Pro."

Yes, the owner of the layer can always perform edits to the layer regardless of the capability settings. Please see more info at:

https://enterprise.arcgis.com/en/portal/latest/administer/windows/member-roles.htm