When you configured a web map to consume a specific layer in a map service by adding the layer using "Add from web" the layer acts as a feature service instead of a map service when adding the web map to ArcGIS Desktop, not honoring the defined capabilities for the service. By doing this the desktop user can select, query and export data, allowing the user to "hack" the data.
If the map service is added to AG Desktop as a whole or if the web map opened in the desktop application was configured in the map as a whole (you could remove layers from after), the capabilities are honored and layers behave as expected of a map service, not allowing the users to do the tasks mentioned above.
The obvious workaround is to add the service in the web map and then remove any undesired layers from it (not adding from web), but still a user could consume a layer in its own web map by adding it directly and then "hacking" the data in AG Desktop. The publisher can minimized the risk by changing the layer ID for each layer in the service when publishing it so anyone else that may find or know how to call the service from another web map have a hard time trying to figure out which layer is what and how to add it. But still is a risk especially for services that need to be share publicly but keeping the data as secured as possible.
Is this expected behavior or a security glitch?
Ulises Feliciano Troche
