We've been testing this method for limiting access to public ArcGIS Online layers and it has worked, but we are finding that the public data is still viewable in our AGOL organization's Gallery Content when we are signed out of ArcGIS Online. In the Organization settings, our Gallery is set up to show only content within a specific "Gallery Content" group, and the public layer, webmap, and web app in question are not shared with this group but still show up in the Gallery as featured content. I'm presuming it's because they are all set as public, but the other weird part is that when I'm signed IN to the organization, I do not see the aforementioned public layer, web map, and web app in the Gallery but when I am signed OUT of the organization, all 3 are there. My concerns are twofold:
- it is frustrating that data outside of the specified group appears at all in the Gallery. Just because something is set to public doesn't mean we want it showcased in our Gallery, unless we share it with the group feeding gallery content.
- the data we 'hid' via the instructions provided in the link can still technically be found... even if they can't be accessed. We'd like the application only to be available to folks with the link specifically, and not folks casually browsing the gallery.
Am I missing something? Thanks for any insights!
I seem to recall a similar thread recently, but I can't seem to find it now. The answer seemed logical once pointed out. I can't remember who answered, but I think it was esri staff. I'll tag KGerrow-esristaff as a start.
Hi Danielle,
The article that you are referring to limits access to the data via the REST endpoint (service layer) and not the item (sharing). When you follow the steps in the article above, only the specified app can send requests and draw the layer as the layer is set up to only interact with the client specified in the referrer URL.
Sharing and viewing group content is a different way of controlling accessibility where it controls specifically which users can see what. Items published to ArcGIS Online are stored as an item that refers to a service, web map, application, etc. When you share that item with a group, organization, public, this controls who can see and interact with the item. If you restrict which apps can access the REST endpoint as mentioned in the article above, this is an additional security restriction in addition to item sharing and does not control the item sharing.
If you are looking to create a gallery where users can only see the application, I would suggest creating two groups for the time being. 1 group for display (only contains the application). Set this up to be the group that is featured in your gallery. Create another group to handle permissions. In this group you will need to have the app, web map and feature layers, and share them with the users that need access.
Here is a helpful link on sharing:
Share items—ArcGIS Online Help | ArcGIS
There is also an idea that we are currently considering for a future release of the software that you should promote if this sounds like functionality that you are looking for:
Thanks Kelly, controlling sharing via groups vs limiting access through the rest endpoint does make sense. The reason we made the data public is because we are serving it to folks that don't have ArcGIS Online at all, however this is also data we don't want shared with everyone which is why we opted for limiting access via the rest endpoint.
I'm still confused as to why these items are showing up in our gallery at all, though, because I haven't shared them with the group feeding Gallery Content because I don't want them to be showcased in the Gallery. The extra weird part is that when I am logged in to our Organization, the public layers in question aren't visible on the Gallery page and I can see just the (correct) layers from my 'Gallery Content' group. But when I access our ArcGIS Online Organization's Gallery page (vdcr.maps.arcgis.com) as a logged out, anonymous person I can see a bunch of data that has been shared publicly, but that are not part of the group I have selected as the one feeding Gallery content. I tried adding the web map, app, and layers to a group that is only visible to the Organization to control what is viewable in the Gallery, but since the data has to be public for our non-ArcGIS Online reviewers that workaround didn't do the trick.
I know that disabling anonymous access to our Org is an option, but I can't go this route until I've talked to other ArcGIS Online Admins from our Org. Just wondering if there's another workaround for this anonymous access to public data via our Gallery. If it's not a bug or oversight and is inherently part of ArcGIS Online gallery workflow, I guess it's just something for me to be aware of going forward?
Hi Danielle,
That sounds like a bug to me. If the item is not shared with the gallery group then it shouldn't be present in your gallery. Are you the owner of the item? Can other users see the unshared item?
Feel free to send me a private message with the url to your organization and the name of the content that shouldn't be shared to see if I can view the issue as an anonymous user.
-Kelly
Thanks Kelly, I actually started a ticket with ESRI about this last week and the answer is painfully obvious... The gallery content group was originally set to 'organization' privacy. Because of that, instead of showing no content on the gallery tab while logged out (which is what I was expecting), the most viewed items that have a public setting are displayed. The solution was to make the gallery content group public, so it displays only the public content within the group we want to display while still not showing the group's organizational layers to logged out folks. This makes sense but wasn't initially intuitive to me because I was thinking that since I had organizational layers in the group, the group's setting should also be organizational. Thanks for your help!
I should also say that due to the confusing nature of the situation, it was logged as a bug
BUG-000103835 : Administrators are not warned that groups shared as "Organization" or "Private" will show the organization's public content and not the group's content in the Gallery tab when viewing anonymously
Still experiencing the same strange behaviour. I made it work by setting the group to public but only sharing the content to the organization (and this group, but not publicly).
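
The gallery behaviour described in this thread, modelled as an added example (not part of the original posts and not Esri code): it predicts what a signed-out visitor sees in the Gallery for a given group sharing level and flags unintended exposure. The records are constructed; `access` and `numViews` mirror ArcGIS Online item JSON, while the `items` membership set and all ids and titles are assumptions for illustration.

```python
# Constructed sample data. "access" and "numViews" follow ArcGIS Online item
# JSON; the "items" membership set is a simplification assumed for this example.
GALLERY_GROUP = {"id": "grp-gallery", "access": "org",
                 "items": {"item-parks", "item-trails"}}

ITEMS = [
    {"id": "item-parks", "title": "Parks map", "access": "public", "numViews": 40},
    {"id": "item-trails", "title": "Trails (staff)", "access": "org", "numViews": 12},
    {"id": "item-review-app", "title": "Reviewer app", "access": "public", "numViews": 300},
    {"id": "item-review-layer", "title": "Reviewer layer", "access": "public", "numViews": 250},
    {"id": "item-draft", "title": "Draft", "access": "private", "numViews": 1},
]


def anonymous_gallery(group, items):
    """Titles a signed-out visitor sees, per the behaviour reported in the thread."""
    public = [i for i in items if i["access"] == "public"]
    if group["access"] == "public":
        # Public group: only public items that are shared with the group.
        shown = [i for i in public if i["id"] in group["items"]]
    else:
        # "org" or "private" group: the Gallery falls back to the
        # organization's public items, most viewed first (BUG-000103835).
        shown = sorted(public, key=lambda i: i["numViews"], reverse=True)
    return [i["title"] for i in shown]


def audit(group, items):
    """Return findings for anything shown anonymously that was not intended."""
    findings = []
    if group["access"] != "public":
        findings.append(
            f"gallery group access is '{group['access']}': "
            "anonymous gallery is not limited to the group")
    intended = {i["title"] for i in items
                if i["access"] == "public" and i["id"] in group["items"]}
    for title in anonymous_gallery(group, items):
        if title not in intended:
            findings.append(f"unintended anonymous exposure: {title}")
    return findings


if __name__ == "__main__":
    for finding in audit(GALLERY_GROUP, ITEMS):
        print(finding)
    fixed = dict(GALLERY_GROUP, access="public")
    print("after fix:", anonymous_gallery(fixed, ITEMS))
```

Making the group public only changes what the Gallery lists; the reviewer items remain public items, so the referrer restriction on the REST endpoint is still the control that limits who can draw the layer.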
