Security glitch or expected behavior of map services?

150
2
Jump to solution
10-04-2019 08:06 AM
Ulises
by
Occasional Contributor II

When you configured a web map to consume a specific layer in a map service by adding the layer using "Add from web" the layer acts as a feature service instead of a map service when adding the web map to ArcGIS Desktop, not honoring the defined capabilities for the service.  By doing this the desktop user can select, query and export data, allowing the user to "hack" the data.  

If the map service is added to AG Desktop as a whole or if the web map opened in the desktop application was configured in the map as a whole (you could remove layers from after), the capabilities are honored and layers behave as expected of a map service, not allowing the users to do the tasks mentioned above.

The obvious workaround is to add the service in the web map and then remove any undesired layers from it (not adding from web), but still a user could consume a layer in its own web map by adding it directly and then "hacking" the data in AG Desktop.  The publisher can minimized the risk by changing the layer ID for each layer in the service when publishing it so anyone else that may find or know how to call the service from another web map have a hard time trying to figure out which layer is what and how to add it.  But still is a risk especially for services that need to be share publicly but keeping the data as secured as possible.

Is this expected behavior or a security glitch?

0 Kudos
1 Solution

Accepted Solutions
JonathanQuinn
Esri Frequent Contributor

If the service has the Query and Data operations available, then users can scrape the features from the service. In order to prevent that, only enable the Map capability, which means only images can be returned by the service:

Tune and configure services—Documentation | ArcGIS Enterprise 

Suppose you wanted to allow consumers of a mapping web service to draw the map but not to query the data sources of the map's layers. You would then need to disable the Data operation and ensure that the Map operation is allowed.

This means you can't add individual feature layers to a map, though.

View solution in original post

2 Replies
JonathanQuinn
Esri Frequent Contributor

If the service has the Query and Data operations available, then users can scrape the features from the service. In order to prevent that, only enable the Map capability, which means only images can be returned by the service:

Tune and configure services—Documentation | ArcGIS Enterprise 

Suppose you wanted to allow consumers of a mapping web service to draw the map but not to query the data sources of the map's layers. You would then need to disable the Data operation and ensure that the Map operation is allowed.

This means you can't add individual feature layers to a map, though.

View solution in original post

Ulises
by
Occasional Contributor II

Thanks Jonathan,

so it is expected behavior.  Individual layers called from a map service will act as with feature access capabilities.  

Will work on our service configuration to set desired allowed operations.

0 Kudos