Service Proxy to access your own Content on ArcGIS Online

1486
6
11-29-2015 04:24 PM
Status: Open
SimonJackson
Occasional Contributor III
As an ArcGIS Online admin/developer, I want the ability to configure a service proxy (hosted in ArcGIS Online) that allows access to content owned by me.

0EME0000000kDDj

Currently ArcGIS Online has hosted proxies that I can configure to allow for application authentication to be setup to apps that access premium services.

If I want to allow an app that I have registered with ArcGIS Online to access content that is owned by me but secured, I have to setup and host my own proxy.  This requires me to have access to a web server (with ability to run .NET, Java, PHP code for the proxy)

One Scenario: I have a geoform app that I want to be made public.  They are entering sensitive details so I need to secure the underlying feature service that they are contributing to.  I can make use of application authentication to allow the app to access the secured service without prompting the user to login to ArcGIS Online to access the service.  Downloading Geoform is not a problem and can easily/cheaply host on AWS S3.  S3 is for static files, therefore cannot setup a proxy there.  If hosted proxies allowed for one more additional option to access content owned by same user that registered app, this negates the need for me having to also host my own proxy.   

Multiple scenarios exist with the other templates from ArcGIS Online.  This requirement has come up with a number of users.
 
Tags (2)
6 Comments
LSantos

Same here! I lost all day researching on this. Apparently, the only way out is Enterprise??

I want public users to see my content but my data should not be consumed /downloaded due to sensitivity. I have a student project, makes no sense to pay a huge price for Enterprise.

KhaledHassen

Not sure if you have researched using views in online feature service. You can configure your source service to be private and not shared with anyone. Only the owner of the data, for instance, can read/write/export/etc. the source data.

For the public consumer, you can create a view of the source data. You can hide any column and grant only public access/read capabilities. This is what we recommend to our clients.

Feature service views will see any changes in the source feature service as it happens.

Thanks

Khaled Hassen

Online Feature Service Dev. Lead

SimonJackson

Agreed - Views now make this idea irrelevant.

JeffShaw2

Not irrelevant. Views are great but if you share one publicly it is visible (and editable if configured as such) everywhere, and not just within the intended app (geoform in the case above). By Esri's own admission, numerous AGOL apps/forms have security vulnerabilities as a result. See: A brief document describing security considerations. The recommended "solution" of only allow "Add" only works for some workflows.

There needs to be a way of restricting service access to only the intended app(s). The existing method of securing a service using an account and specifying referrer URLs is not viable given that it uses an individual user account, and the account generally has a password that expires. Using Enterprise with a service account works, but not everyone has Enterprise.

Restricting access to editable services to specific forms would enable use of more sophisticated form logic to control access. Similarly, being able to restrict read-only services to their intended apps would help reduce problems with data misinterpretation and representation (feature generalization, accuracy at various scales, etc) that have resulted in numerous problems for landowners.

KhaledHassen

Pl. let us know if you see any security vulnerabilities. We will work on changing the design/fix to address these concerns or issues. There are many ways to secure a feature service or a view. Being aware of these security measures and how to use them is important to secure your data. View is one way to secure your feature service and you can create as many as needed. You can add Ownership Access Control, different capabilities, adding custom roles for users or adding views or source feature service to a group and secure your group. You can also control if you want to allow data to be extracted or not. 

We are working in the next release or so to allow controlling the security per layer rather than per feature service. This would allow finer control over your service layers. We are continue working on enhancing the security and any help in this initiative will be great for everyone.

Thanks

Khaled

Online Feature Service Dev Lead

LSantos

ArcGIS is an excellent platform, but the security of data should be a priority. Other visualisation platforms already have this feature for publishing data publicly. More and more, people and organisations want to minimise the costs in infrastructure, especially when there is no need for one! Information should reach its audience much faster, and that means a fast and easy deployment as well.