ArcGIS Online Application Security

296
2
03-07-2022 06:50 AM
JasonGlidewell
New Contributor III

I am building an ArcGIS Online map and application with the intent of allowing the public to click a polygon and view a pop-up presenting a value calculated using ESRI Arcade.

The polygons are parcel data via REST.  The calculated value is based upon proprietary data.  I am using "FeatureSetByPortalItem" to access the proprietary data, it is not in the map.

I realize the proprietary data must be shared as public, but am wondering if the use of Arcade will prevent the user from getting direct access to the data.  Can a user view the JSON or use other methods to obtain the link to the data?  If so, is there any method to prevent this?

Thank you for any guidance you can provide!

0 Kudos
2 Replies
TonyContreras_Frisco_TX
Occasional Contributor III

I have not tried this, but you might have to just play around and think like a hacker. I use the Chrome and Edge developer tools to look at what service URLs are accessed by the browser, to make sure that nothing sensitive shows up there. If your data is hosted in AGO, I would recommend using Hosted Feature Layer Views to make a view of the service that has all the sensitive information removed, share that with "Everyone" and use it for your operational layer.

Create Hosted Views 

0 Kudos
JasonGlidewell
New Contributor III

So far I have found a public map can be accessed using the ArcGIS Online Assistant.  This will allow anyone with access to the map to also view the JSON, which than has the portal, layerID and itemID.  In short, it can be done.  I'll have to allow my boss to decide how large a risk factor this presents.

Thank you for your input!

0 Kudos