View Layer in Shared Update group gives access to full source data

05-25-2021 06:28 AM
Status: Open
New Contributor III

When you create a View Layer from a Feature Layer in ArcGIS Online you can set a View Definition limiting access to the features, fields and/or area of interest. You can then share the View Layer with another group of users as the original Feature Layer.

Love it, but a problem appears when you share the View Layer in a shared update group: all members of that group can then update the View Definition and view all the original features, fields and/or area of the source Feature Layer, even when this Feature Layer is not shared with the group

Before Partnered Collaborations became available in ArcGIS Online this was only an internal issue (since external accounts cannot be added to 'normal' shared updated groups). But with Partnered collaborations you can now create edit groups that have members of multiple organizations. Now, members from other organizations can update a View Definition of a View Layer and see the full source data, even when the original Feature Layer is not shared with the group! This might well casue a data breach situation. 

The idea: Show a warning when a users shares a View Layer with a group "Caution: group members can update the View Definition of this View Layer and access the full source data" (or something similar).