Community

ArcGIS Online Group members can access web map containing layers not shared to the group?

1846
3
02-09-2019 08:56 PM
SH013
by
Occasional Contributor
‎02-09-2019 08:56 PM

Hi there,

I noticed this in ArcGIS Online recently and would like anyone to confirm if this is expected behavior

I recently shared only a web map to a specific private ArcGIS Online group. To avoid confusion, I will call it group A. WIthin this particular web map, there are a series of layers not shared to Group A. The layers are shared with other groups (B, C or D and so on).

I have an ArcGIS Online account that I used to access this web map. This account is only a member of group A and contains the role with editing privileges. When I access the web map using the account, it appears to me that I can see all of the layers?

I was under the impression that the layers in the web map would not be visible since my account is not a member of the other groups that the content layers are shared. Furthermore, I was prompted to update the sharing when I initially shared the web map to group A (Please see attached for reference as it indicates that layers in the web map may not be visible). I chose to cancel the update sharing and stick to only sharing the web map and it turns out that I was still able to see the layers without updating it. This behavior seems to go against the Esri's documentation that in order for users to see layers in a web map, the layers must be shared similarly to the web map.

Some may think that I may have shared these layers as an organization layer. However, it is not the case, we do not share anything to the organization and public. Everything is shared specifically to the private ArcGIS Online groups.

Let me know your thoughts.

Thanks

Preview file
61 KB
0 Kudos
3 Replies
KellyGerrow
by Esri Frequent Contributor
Esri Frequent Contributor
‎02-12-2019 11:46 AM

Hi Sam,

As a best practice we promote sharing web maps, apps and supporting items with the same groups so that users who can access the map can also access the underlying layers. It's generally a confusing User experience when someone opens a map but can't see the layers. For this reason we recommend that if you are sharing with a group to provide access to content (security) all the content is shared with the appropriate people. This is the reason that you are prompted to update the sharing on the layers when they mismatch with the web map. Many of these scenarios are outlined in this blog:

Managing Security and Findability of Items with the ArcGIS Sharing Model 

If you are looking to have different users edit and view a layer from the same source, I would recommend using feature layer views and create two web maps. One map for editing which contains an editable feature layer view and is shared with your view audience. Create another map with a view only feature layer view and share it with your viewing audience. This way editors will be able to edit the data and viewers will be able to see the updated data without having the capability to edit.

If you are able to see the layers and they aren't shared with the specific group that the web map is shared with there may be a few reasons for this. 

1. You own the layers (you will always be able to see layers that you own regardless of sharing settings)

2. You are an administrator or have the administrative privilege to view others items. This also enables you to view organization content that hasn't been shared with you.

3. The layers are shared with another group that you have access to, enabling you to view the layers due to the security of another groups

If you seem to be viewing the layers that you shouldn't have access to and it doesn't fall into one of the above scenarios, get in contact with support as that is not the expected behaviour.

Thanks,

Kelly

SH013
by
Occasional Contributor
‎02-13-2019 04:55 PM

Hi Kelly,

Appreciate the response and the scenarios you have listed out. Unfortunately, I am indeed seeing layers that I should not have access to and it does not fall into one of the above scenarios. The only item shared to the group I am a member of is the web map, not the layers.

If possible, it would be great to see if you could possibly replicate the same issue from someone else.

  1. Create Group A and Group B
  2. Added a 2nd User – with editing feature capability to Group A
  3. Created Group B without any member 
  4. Registered an ArcGIS Server web service as an AGOL item as a none-hosted layer:
  5. Shared the none-hosted (mapping) layers to Group B
  6. Created a web map with non-hosted mapping layer included
  7. Shared map to group A
  8. Logged in as 2nd user account (Second User)
  9. Access second map with ArcGIS Server web layer
  10. Confirm if you can access the layers within the web map as 2nd user account (preferably a user role)

Curious to see if anyone is seeing the same thing.

Thanks

0 Kudos
SH013
by
Occasional Contributor
‎02-14-2019 11:08 AM

So I have done some more testing on my end and the the results are as followed:

When you only share a web map without sharing the layers (hosted, none shared, or with embedded credentials), it will behave as expected according to Esri documentation. The layers will not display correctly if it does not have the same sharing configuration as the web map.

The only one off is when the layers are required to be authenticated against the ArcGIS Server (that is services registered with ArcGIS Online without credentials embedded), it seems to bypass the item sharing level and only rely on the web map sharing level.

I was told by Esri Support that this is expected behaviour (but rather confusing), but I have not been able to find any official wording on this.

Thanks

0 Kudos