We need to build an application that is meant to display locations of people on a map in real time. The condition is that a user logged in to the UI (browser or mobile app) will be able to see locations of only those people who belong to his or her group or groups on his map. However, the GeoEvent Server is going to be receiving location information of people from all the groups from a Kafka server, with attribute information with each record indicating the group the person (the record) belongs to. Please note, there can be potentially hundreds or thousands of groups & the number of groups will increase with time. So, creating filters for each group and having different outputs at the server side is not a viable option.
Since the UI is supposed to receive only a subset of the records (locations of people who belong to the logged-in user’s group) from GeoEvent Server, we have thought of accomplishing it using definitionExpression (https://developers.arcgis.com/javascript/latest/api-reference/esri-layers-StreamLayer.html#definitio...) from the client UI.
Can anyone confirm if this is the right/best approach?
My main question is, how would we do the authorization in this case? Essentially, in the UI code we would be doing this:
const streamLayer = new StreamLayer({
  url: svcUrl,
  definitionExpression: "group_id = 1"
});
Now, we want to ensure that a person who belongs to group_id = 1 cannot open the stream, maybe through his custom code, and do this (definitionExpression: "group_id = 2") since he does not belong to group 2.
What is the way to put this check at the GeoEvent Server end, which is pushing the subset of data/values to the UI based on the definitionExpression used while opening the stream/websocket from the ArcGIS map UI? On the same grounds, we want to make passing group_id mandatory.
I also came across this link
https://enterprise.arcgis.com/en/geoevent/10.3/administer/extending-geoevent-server.htm
However, I wanted to get an opinion from the community. I have limited experience with ArcGIS Enterprise & GeoEvent Server.
Please note that we are not using ArcGIS user login for authentication. We have the option of using a reverse proxy (which is also the authentication provider), as the GeoEvent Server & ArcGIS Enterprise server will be hosted inside the company firewall but the UI/map application will be internet facing.
There may be an alternative to this. That is to have a VPN connection and use a SAML service as the identity provider. I have seen that ArcGIS Enterprise can be onboarded with either a reverse proxy or a SAML provider.
Hey. I've been able to manage user level viewing of data on feature services using Feature Layer Views, but it does require a view for each 'group' in your situation. Since you expect the number of groups to grow into the 1,000s, that approach (even scripted to automatically manage adding/removing/sharing group feature layer views) is probably not going to be easy to manage.
I would take a look at your reverse proxy and/or VPN to see if you could inject the definition expression at that point. So when the user authenticates, the proxy adds the user's group to the forwarded request. Using this approach I don't believe the user could modify the request to get a group they don't belong to. You might want to check the incoming request URL parameters or payload to be sure the user is not trying to add their own definition expression and remove/override any 'group_id=' or 'group_id in ()' settings.
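The proxy-side check suggested in the reply above, sketched as an added example that is not part of the thread and not Esri code. It assumes a Node.js reverse proxy, that the filter reaches the stream service as a `where` or `definitionExpression` query parameter, that filter changes sent over the open socket are JSON of the form `{"filter": {"where": "..."}}`, and that group ids are integers read from the proxy's own session store; all function and constant names are hypothetical.

```javascript
// Added example. Parameter names and message shape are assumptions to verify
// against your stream service; group ids must come from the session, not the client.
const CLIENT_FILTER_PARAMS = new Set(["where", "definitionexpression"]); // assumed names
const UPSTREAM_FILTER_PARAM = "where"; // assumed name
const GROUP_FIELD = "group_id"; // field name used in the question

// Build the only filter the proxy forwards, from server-side session data.
function buildGroupFilter(sessionGroupIds) {
  const ids = [...new Set(sessionGroupIds)];
  if (ids.length === 0) throw new Error("no groups for user: refuse the connection");
  for (const id of ids) {
    if (!Number.isSafeInteger(id) || id < 0) throw new Error("invalid group id in session");
  }
  return `${GROUP_FIELD} IN (${ids.join(",")})`;
}

// Rewrite the subscribe URL: keep only the client's path, drop every client-supplied
// filter parameter (any letter case, any number of copies), set the server-derived one.
function rewriteSubscribeUrl(clientUrl, upstreamBase, sessionGroupIds) {
  const incoming = new URL(clientUrl, "http://placeholder.invalid");
  const upstream = new URL(upstreamBase); // upstream host is fixed by the proxy
  upstream.pathname = incoming.pathname;
  for (const [key, value] of incoming.searchParams) {
    if (CLIENT_FILTER_PARAMS.has(key.toLowerCase())) continue;
    upstream.searchParams.append(key, value);
  }
  upstream.searchParams.set(UPSTREAM_FILTER_PARAM, buildGroupFilter(sessionGroupIds));
  return upstream.toString();
}

// Apply the same override to client-to-server WebSocket text frames.
function sanitizeClientFrame(text, sessionGroupIds) {
  let msg;
  try { msg = JSON.parse(text); } catch { return null; } // drop non-JSON frames
  if (msg === null || typeof msg !== "object" || Array.isArray(msg)) return null;
  for (const key of Object.keys(msg)) {
    if (key.toLowerCase() !== "filter") continue;
    delete msg[key]; // discard the client's filter object, whatever its case
    msg.filter = { where: buildGroupFilter(sessionGroupIds) };
  }
  return JSON.stringify(msg);
}
```

Because the filter is always rebuilt from the session, a request that omits `group_id` is treated the same as one that forges it, which also makes the group filter mandatory.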